https://www.theregister.com/2025/11/21/magician_password_hand_rfid
Storing credentials safely and securely is the real trick
It's important to have your login in hand, literally. Zi Teng Wang, a magician who implanted an RFID chip in his appendage, has admitted losing access to it because he forgot the password.
It seemed like such a neat idea – get an RFID chip implanted in your hand and then do magical stuff with it. Except it didn't work out that way. "It turns out," said Zi, "that pressing someone else's phone to my hand repeatedly, trying to figure out where their phone's RFID reader is, really doesn't come off super mysterious and magical and amazing."
Then there are the people who don't even have their phone's RFID reader enabled. Using his own phone would, in Zi's words, lack a certain "oomph."
Oh well, how about making the chip spit out a Bitcoin address? "That literally never came up either."
In the end, Zi rewrote the chip to link to a meme, "and if you ever meet me in person you can scan my chip and see the meme."
It was all suitably amusing until the Imgur link Zi was using went down. The chip stores only a link, not the meme itself, so the trick lives or dies with whoever hosts the target. Nothing on the World Wide Web is forever, and there is no guarantee that a given link will keep working. Indeed, access to Imgur from the United Kingdom was abruptly cut off on September 30 in response to the country's age verification rules.
Still, a dead link isn't the end of the world. Zi could just reprogram the chip again, right?
Wrong. "When I went to rewrite the chip, I was horrified to realize I forgot the password that I had locked it with."
The link eventually started working again, but if and when it stops, Zi's party piece will be a little less entertaining.
He said: "Techie friends I've consulted with have determined that it's too dumb and simple to hack; the only way to crack it is to strap on an RFID reader for days to weeks, brute forcing every possible combination."
Or perhaps some surgery to remove the offending hardware.
Zi's idea is not innovative – individuals such as Professor Kevin Warwick and his cyborg ambitions spring to mind – but forgetting the password certainly highlights one of the risks of inserting hardware under the skin.
Zi goes by the stage name "Zi the Mentalist" and, in addition to performing close-up magic, also refers to himself as "an accomplished scientist with a focus in biology."
"I'm living my own cyberpunk dystopia life right now, locked out of technology inside my body, and it's my own damn fault," said Zi. "And I can honestly say that I forgot the password to my own hand."
(Score: 2) by krishnoid on Monday November 24, @01:57PM (1 child)
Creative, small idea, cross-disciplinary technology repurposing, breadth of interests [theregister.com], mildly bad planning, relying on your memory and having it fail you ... it calls to mind something else [youtu.be] though.
(Score: 2) by krishnoid on Monday November 24, @02:08PM
Sorry, "breadth of interests" should have jumped to the following:
Either he does have a breadth of interests, or is pretty deluded. Probably both.
(Score: 1) by shrewdsheep on Monday November 24, @03:10PM (1 child)
Seems like the opposite is true, when the only solution seems to be
I recommend doing just that, only put the device on when otherwise killing time (like surfing SN).
(Score: 3, Touché) by krishnoid on Monday November 24, @03:31PM
Or while sleeping [apple.com].
(Score: 4, Interesting) by JoeMerchant on Monday November 24, @04:58PM (2 children)
25ish years ago, the illustrious Dick Cheney had a pacemaker. Being a "hot target" they analyzed the security of his (and most contemporary) pacemakers and determined it to be insufficient to protect against threats such as: an attacker surreptitiously placing a programming device somewhere that the then Vice President was going to be and reprogramming his pacemaker without anyone knowing it was happening. Of course all kinds of wild and wacky hijinx are possible if you reprogram pacemaker settings maliciously.
At the time, I believe the published solution to this problem was to fit our hot target with a specially programmed device that required special programmer software to access and just carefully guarding those access secrets for the remainder of his, recently ended, life. The general public, it was determined, was not enough of a target to make the extra security placed on the Vice President's device a good trade for the negative effects of being unable to access their devices due to lost passwords and other complexities that might make them more secure against malicious attack.
I have been out of the implantable devices space for 20-ish years, I'm sure the new ones are at least a little more secure than the ones I was working with; such as: the one I worked with back then used an 8 bit checksum for "data integrity assurance" - which I called out on my first day on the job as inadequate, and 14 months later it was demonstrated as being worryingly problematic in actual use - which we mitigated the worst effects of by revising the programming sequences that were causing frequent problems - as I was resigning they had plans to make the next device "more secure" with a (still inadequate) 16 bit checksum. At least they can point to how they're better than they used to be...

Anyway, current FDA cybersecurity guidance calls for unique per device passwords "where appropriate" - I wonder if they are still considered not appropriate for implantables like pacemakers due to the risk of extra surgeries when passwords get lost?
🌻🌻🌻 [google.com]
(Score: 4, Interesting) by VLM on Monday November 24, @10:32PM (1 child)
I read a discussion, maybe on RISKS maybe elsewhere, pacemakers have the ultimate biometric password, they can compare external measurements of the patient's heart with their own measurements as a two factor ID. Supposedly this exists and is shipping COTS for some pacemakers. Important because pacemaker users tend to cluster IRL so they need to make sure they connect to the correct one rather than some rando in the waiting room.
Another discussion point skipped over was stuff like status reports thumbs up / thumbs down was not unusually secured and you'd want something like any random ER to be able to determine its read-only OK, but "fancy access" like write access to upload new firmware requires (supposedly) the full suite of fancy SSL certs from the mothership.
"For home use" like MCUBoot on STM32 chips most folks use 256 bit AES signatures for images. I find it... annoying ... that a mere microcontroller family from many years ago has a nicer easier to use "bios" than a desktop PC WRT flashing and upgrading firmware. Anyone who's done microcontroller development recently is going to be pretty spoiled if they have to upgrade a PC bios in 2025.
Wolfboot is pretty cool too although not as cool as mcuboot. Wolfboot works on a Raspi RP2350 and I might try that over the holidays assuming it's quiet and I have infinite spare time. I can't get a straight answer about current USB host ability on the 2350; like, yeah, in the "old days" half a year ago it didn't work at all but does it work now for flash storage? Theoretically I could submit a new firmware candidate for wolfboot using a flash drive plugged into the USB assuming host mode storage works (which it did not, IIRC, about half a year ago). I'm also very fuzzy about the "dual architecture" stuff; do I have to "cross a bridge"? The 2350 is a headache board great for code golf type stuff trying to get from here to there. I don't have a full picture in my head of what connects to the ARM vs the RISC-V core. As I understand it, the pico2 flash controller has only been working in Zephyr for two months now. Nordic got MCUboot to work on the 2350 using their T-FM thingie or whatever it's called so I assume it's possible on Zephyr if the Norwegians got it to work on their system... Or I could chill out and sip hot cocoa and watch the snow fall this holiday season.... hmm. I have a waveshare board sitting here, the nifty three-sided $5 one, and a desire to do something dumb but cool with it.
So yeah, in summary, even the amateurs have better boot security than 16 bit checksums nowadays.
(Score: 2) by JoeMerchant on Monday November 24, @11:34PM
> even the amateurs have better boot security than 16 bit checksums
They did back then, too.
Medical device software development has even more inertia than desktop PC BIOS stuff, it's mind bending and also true.
🌻🌻🌻 [google.com]
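As an added example (not code from the thread, from the devices JoeMerchant describes, or from MCUboot/wolfBoot), here is the difference between the 16-bit checksum the two comments above dismiss and a keyed integrity check: two attacker-controlled bytes are enough to make any modified image pass an additive checksum, while a keyed tag cannot be recomputed without the key. HMAC-SHA256 from the standard library stands in for the public-key image signature a real secure bootloader verifies (the principle, a secret the attacker lacks, is the same); the firmware image, the patch and the key are constructed for the demo.

```python
"""Added example: forging a 16-bit checksum vs. a keyed integrity check.
Not code from the thread, MCUboot or wolfBoot; the image, the patch and the
key below are constructed. HMAC-SHA256 stands in for a bootloader's
public-key image signature."""
import hashlib
import hmac
import struct


def checksum16(data: bytes) -> int:
    """Sum of big-endian 16-bit words modulo 2^16 (an odd trailing byte is
    padded with 0x00): the checksum style the comments above criticise."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack(">H", data):
        total = (total + word) & 0xFFFF
    return total


def forge_checksum16(original: bytes, tampered: bytes, slot: int) -> bytes:
    """Give `tampered` the same checksum16 as `original` by writing one 16-bit
    fix-up word at `slot`, a word-aligned offset the attacker controls
    (padding or slack after the code in a real image). Any modification
    elsewhere in the image can be compensated this way."""
    if len(tampered) % 2 or slot % 2 or slot + 2 > len(tampered):
        raise ValueError("need an even-length image and an aligned slot inside it")
    buf = bytearray(tampered)
    buf[slot:slot + 2] = b"\x00\x00"
    fixup = (checksum16(original) - checksum16(bytes(buf))) & 0xFFFF
    buf[slot:slot + 2] = struct.pack(">H", fixup)
    return bytes(buf)


def mac_tag(key: bytes, image: bytes) -> bytes:
    """Keyed tag over the whole image; the verifier holds `key`, the attacker does not."""
    return hmac.new(key, image, hashlib.sha256).digest()


def mac_verify(key: bytes, image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, image), tag)


def run_demo() -> dict:
    """Check a genuine and a tampered image under checksum, plain hash and MAC."""
    key = b"demo-only-key-held-by-the-verifier"      # constructed, not a real key
    firmware = bytes(range(256)) * 4 + b"\x00" * 16  # constructed image plus slack
    stored_sum = checksum16(firmware)                # what the bootloader keeps
    stored_hash = hashlib.sha256(firmware).digest()
    stored_tag = mac_tag(key, firmware)

    tampered = bytearray(firmware)
    tampered[0x10:0x14] = b"\xde\xad\xbe\xef"        # e.g. a patched branch target
    forged = forge_checksum16(firmware, bytes(tampered), slot=len(firmware) - 2)

    return {
        # Two bytes of slack are enough to satisfy the checksum.
        "checksum_passes_forgery": checksum16(forged) == stored_sum,
        # A plain hash catches the change only if the stored digest is out of
        # the attacker's reach; if it sits in the same writable flash, the
        # attacker simply recomputes it and overwrites it alongside the image.
        "hash_detects_if_digest_immutable": hashlib.sha256(forged).digest() != stored_hash,
        "mac_accepts_genuine": mac_verify(key, firmware, stored_tag),
        "mac_rejects_forgery": not mac_verify(key, forged, stored_tag),
    }
```

`run_demo()` returns the outcomes as a dictionary. The practical point is the one the comments make: this checksum does catch accidental damage (any single flipped bit changes a word by a power of two and so changes the sum), but it says nothing about who produced the image. Only a check the attacker cannot recompute, a MAC under a device key or a signature whose private key the bootloader never holds, guards against a deliberate replacement.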
(Score: 3, Interesting) by VLM on Monday November 24, @09:44PM (1 child)
He should have written down the password on his hand using a tattoo.
Hilariously, I messed around with an ST NFC product for a while, until I bought a phone that doesn't even have NFC LOL, and its password is only 64 bits. It shouldn't be THAT hard to remember 8 bytes, especially if it's some kind of UTF-8 encoding in an Asian language; that could be as little as 2 or 3 glyphs. So maybe his name. Which I googled for, and his name is 3 glyphs (assuming that's him?), so the password field might not be long enough to hold his name. It can't be a very strong password. I tried to translate "forgetful dumbass" to Japanese and got seven glyphs that can't fit in ST NFC chips (well, 64 bit max password as of some years ago, I don't recall if it was restricted by protocol or by the chip).
One interesting point to make is my ST dev boards were not exactly long range despite antennas the size of a postage stamp. There are of course many different chips out there but range must be a serious issue for implantables.
My use case for NFC was to implement something probably even less popular than QR codes. So instead of scanning a QR you'd wave a phone over it, if typical average phones still had NFC, which they don't anymore. As a bonus the ST chips I was using were fully dynamically and quickly reconfigurable using I2C, not possible with QR codes embedded into plastic or printed on a product name tag. It was a fun idea for a while. Let's say your managed Ethernet switch got a DHCP address; well, isn't that nice, now wave your phone over it to get the full URL to manage it, that sort of use case. But like I wrote, if you think QR codes are unpopular, try NFC; most people don't know it even exists and few have "flagship phones" that include NFC. You'd have better luck implementing the dwarf door to Moria from LoTR than trying to use NFC in a product, at least in 2025.
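As an added example (not code from the thread, the Register article or any tag vendor), here is what "rewriting the chip to link to a meme" in the article, or the switch-management URL in the comment above, actually puts on the tag: an NFC Forum NDEF URI record, the format a phone parses when tapped on a tag. The encoder picks the standard prefix abbreviation byte, emits a short or long record header as the payload size requires, and wraps the message in the TLV layout common Type 2 tags (the MIFARE Ultralight/NTAG family) use; the decoder does the reverse. The URLs are constructed, the prefix table is partial (the specification defines more codes), whether Zi's implant is a Type 2 tag is not stated in the article, and the chip-level password lock he ran into is a separate feature that this example does not model.

```python
"""Added example: NDEF URI record encode/decode plus the Type 2 tag TLV
wrapper. Not code from the thread, the article or any tag vendor; the URLs
are constructed and the prefix table is a partial copy of the standard one."""
import struct

# URI identifier codes from the NFC Forum URI Record Type Definition (partial:
# the specification defines further codes, e.g. for ftp and file schemes).
URI_PREFIXES = {
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01   # low three header bits: NFC Forum well-known type
TYPE_URI = b"U"         # record type name for a URI record


def encode_uri_record(uri: str) -> bytes:
    """Build an NDEF message holding one URI record (MB=1, ME=1). The longest
    matching prefix is replaced by its one-byte code; 0x00 means no prefix."""
    code, remainder = 0x00, uri
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if uri.startswith(prefix):
            code, remainder = c, uri[len(prefix):]
            break
    payload = bytes([code]) + remainder.encode("utf-8")
    if len(payload) < 256:
        header = 0x80 | 0x40 | 0x10 | TNF_WELL_KNOWN   # MB, ME, SR -> 0xD1
        length = bytes([len(payload)])                 # 1-byte payload length
    else:
        header = 0x80 | 0x40 | TNF_WELL_KNOWN          # MB, ME, long -> 0xC1
        length = struct.pack(">I", len(payload))       # 4-byte payload length
    return bytes([header, len(TYPE_URI)]) + length + TYPE_URI + payload


def decode_uri_record(record: bytes) -> str:
    """Parse the first record of an NDEF message and return the full URI.
    Rejects anything that is not a complete well-known-type 'U' record."""
    header = record[0]
    if header & 0x07 != TNF_WELL_KNOWN:
        raise ValueError("not a well-known-type record")
    type_len = record[1]
    if header & 0x10:                                       # SR: 1-byte length
        payload_len, pos = record[2], 3
    else:                                                   # 4-byte length
        payload_len, pos = struct.unpack(">I", record[2:6])[0], 6
    id_len = 0
    if header & 0x08:                                       # IL: ID length field
        id_len, pos = record[pos], pos + 1
    rtype, pos = record[pos:pos + type_len], pos + type_len
    pos += id_len                                           # skip the ID field
    payload = record[pos:pos + payload_len]
    if rtype != TYPE_URI or len(payload) != payload_len or not payload:
        raise ValueError("not a complete URI record")
    code, rest = payload[0], payload[1:]
    if code and code not in URI_PREFIXES:
        raise ValueError(f"prefix code 0x{code:02x} not in this partial table")
    return URI_PREFIXES.get(code, "") + rest.decode("utf-8")


def wrap_type2_tag(message: bytes) -> bytes:
    """Type 2 tag data area: NDEF Message TLV (type 0x03) then Terminator TLV
    (0xFE). Lengths of 0xFF and above use the 3-byte form 0xFF + 16-bit length."""
    if len(message) < 0xFF:
        length = bytes([len(message)])
    else:
        length = b"\xff" + struct.pack(">H", len(message))
    return b"\x03" + length + message + b"\xfe"


def unwrap_type2_tag(data: bytes) -> bytes:
    """Walk the TLVs of a Type 2 tag data area and return the NDEF message."""
    pos = 0
    while pos < len(data):
        t = data[pos]
        if t == 0x00:                   # NULL TLV: single padding byte
            pos += 1
            continue
        if t == 0xFE:                   # Terminator TLV
            break
        if data[pos + 1] == 0xFF:
            length, vpos = struct.unpack(">H", data[pos + 2:pos + 4])[0], pos + 4
        else:
            length, vpos = data[pos + 1], pos + 2
        if t == 0x03:
            return data[vpos:vpos + length]
        pos = vpos + length             # skip Lock Control, Memory Control, etc.
    raise ValueError("no NDEF message TLV found")
```

The decoder is deliberately strict (type and length checked before the payload is touched), which is the posture a phone's tag reader needs: a tag is untrusted input, and the Imgur episode in the article is a reminder that the record carries only a pointer, so what the phone ultimately fetches is whatever the URL's host serves on the day.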
(Score: 4, Touché) by aafcac on Monday November 24, @11:51PM
Phones don't have NFC? How does tap to pay work then? My cheapo Nokia phone has NFC support, which it mostly uses for the purposes of tap to pay.
(Score: 3, Insightful) by bzipitidoo on Tuesday November 25, @02:37AM (1 child)
Too many times, I've seen security measures shut out the legit user.
I particularly dislike these systems and services that for political purposes take the security too far. They're using-- or more like abusing-- security to fool customers into thinking their services are very valuable, when they aren't. Gosh, thinks the non-technical user, they wouldn't do all this security if it wasn't Important! Or, there's fearmongering. You Need More Security!
(Score: 3, Interesting) by aafcac on Wednesday November 26, @06:15PM
That's particularly the case with requiring a phone number as part of the security process. Even worse is that oftentimes people haven't set their VM PIN, which allows people to get the second factor like that. Personally, I like FIDO keys, but it's vitally important to keep a copy of those backup codes in an encrypted volume just in case. I personally record the type of second factor I'm using in my password DB so that I know what needs to be updated if something impacts it.