Skip to content
Naked Security Naked Security

Chips with everything – are you ready to be bio-hacked?

News that a US company is 'bio-hacking' its employees with RFID chips is a publicity stunt - but it does raise issues of security and ethics

The news that a US shopping self-service vendor plans to implant or “bio-hack” dozens of its employees with tiny chips was always going to grab people’s attention.

The Wisconsin company involved, Three Square Market, is far from the first organisation to do this –Swedish startup hub Epicentre experimented with the idea earlier this year, as have plenty of adventurous individuals – but it is still be an early example of how human microchipping could be used in mainstream business.

The idea is for 53 of the company’s workers to have a tiny $300 NFC (Near Field Communication) RFID chip inserted under the skin between their thumb and index finger, on a voluntary basis. This device can then carry credit card data, allowing wearers to buy goods from the company shop without having to carry plastic.

This application serves as an advert for the company’s self-service vending systems, which doubtless explains why it has come up with the idea as a clever news advertisement for itself.

It will also be used by employees to enter the workplace and authenticate to desktop PCs, which means they won’t need to log in using conventional credentials.

“It takes about two seconds to put it in and to take it out,” Three Square Market’s Patrick McMullan told the BBC.

It would be easy to throw the word “Orwellian” at bio-hacking but, arguably, that is to misapply the term.

The chip does not track the individual’s location, nor does it allow surveillance beyond the fact they have entered a building, logged on to a PC or bought something, which any digital technology can also do. Three Square Market is not watching its workers.

The high-frequency 13.56 MHz NXP NTAG216 NFC chip (888 bytes of writable data) used has been around since 2012, finding a niche in a range of product and smartphone tags. The underlying NFC technology is also used in a wide variety of technology nobody thinks twice about, including contactless credit and debit chip cards as well as inside smartphones themselves.

All the same, putting a chip inside a human being does feel as if it’s crossing a line. Normally people authenticate themselves by carrying a token of sorts, for instance a credit card or two-factor security token. In this concept, the employee becomes the token.

Asking people to turn themselves into a walking authentication system sounds novel today but raises legal and ethical issues that might one day cause problems.

It’s unlikely employees could be compelled to have a chip inserted but would there be a hidden price for anyone unwilling to agree to what might be pitched as an important security boost? It’s also the case that NFC chips are developing rapidly, acquiring more memory as they add functions. That, or their limited lifespan, could inevitably demand upgrades.

Perhaps the biggest unknown is security. The data stored on these NFC chips is encrypted and can’t be read remotely, but it’s impossible to rule that out should some kind of vulnerability be uncovered.

The possibility of hacking chips sitting inside humans, whether to steal data or compromise capabilities, sounds far-fetched. The question is how much hard work tightening security needs to be done before people can take this on trust.


Can the chip tell whether the hand is alive? Just thinking of the obvious exploits here and they’re grim.


You would need different tech to do that test. The chip/reader cannot by themselves. You could build a reader with built in temperature, pulse and skin conductivity testers, for example, and that would give you pretty good reliability for detecting life. Until, of course, someone figures out how to beat the detectors.


I don’t think it would be too hard to build a range extender and the guy at the next vending machine could sponge off your chip.


“The chip does not track the individual’s location, nor does it allow surveillance beyond the fact they have entered a building, logged on to a PC or bought something, which any digital technology can also do.”

Well, then, A) it very much is tracking their location, since the front door, the users PC, and the vending machines are in specific places, and B) other digital technologies aren’t implanted into your body. I can set my cell phone down.


What a bunch of clowns. Another camel has his nose under the tent, and 53 people are too stupid to recognize it.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!