You may recall that several weeks ago, I had an RFID-equipped microchip implanted in my hand with an eye towards duplicating the functionality of a MagicBand without actually needing to wear one around. If you haven’t read that article and have no idea what I’m talking about, check it out here and then circle back with me. Everyone ready? OK, let’s talk about what I’ve learned and how my attempts to get it to actually work are going.
First of all, suffice it to say that reaction to this idea has been, umm, mixed. Some people shared my view that this was a cool, fun thing to try. Others thought I was crazy and that I was a complete idiot for even considering it. And then there were others that suggested that this was something akin to the Mark of the Beast as referenced in the Book of Revelation. With that in mind, let me just lay one lingering rumor to rest: I wasn’t a demon before I got this chip implanted, and that remains the case as far as I can tell. Having planted that non-demon flag, let’s move on to talking about the substance of how this is going.
When I first wrote on this topic, I had just had the chip implanted. At this point, it’s been in for a while and you can’t see any evidence of it, it left no scar, and I can only feel it if I make an effort to do so. From a danger, pain, or other impact standpoint, it was a second or two that felt like a shot, a couple of days of mild discomfort if my hand got bumped, and that was about it. I completely forget it’s there 95% of the time. The arrow in the pic below directs you to where it is, but even knowing exactly where it is, it’s invisible.
Anyway, shortly before the parks closed, I had occasion to visit Walt Disney World to give this a go. I’ll cut to the chase: so far, I’ve been unable to get it to work, at least as a MagicBand substitute. More specifically:
- Because the MagicBands use chips that use a very high level of encryption, they cannot be cloned through ordinary means. While some RFID/NFC tags can be copied by simply using an app on your phone to read one tag and then write it to another, the chips in a MagicBand do not permit that and cannot be read for cloning purposes, even using more specialized equipment.
- That led me to see if they could just encode my credentials directly to the chip in my hand. I was able to find a Cast Member, and a supervisor at that, who was very intrigued by the idea and was eager to help me try, but despite numerous attempts, we could not get it to encode. Because both the chip in my hand and the chip in a MagicBand have a unique 16 digit identifying number, we also explored directly entering the ID for my chip into the Disney system, but that wasn’t successful, either — the only number front-line Cast Members can enter to link a MagicBand to the system is the 12 digit number on the MagicBand itself.
I will preface the discussion that follows by noting that while I’ve done a significant amount of research into this topic for the purposes of this little experiment, this is not what I do for a living, and I do not hold myself out as an expert on RFID/NFC. Moreover, Disney does not, for obvious reasons, make public the details of how to get devices to play nicely with their system, so there is necessarily a fair amount of speculation in play. With that caveat in place, it would appear that there are a few things that could be at work here:
- Disney’s system is looking for a particular type of chip before it will allow credentials to be written to a tag. The chip that is used in a MagicBand appears to be a MiFare DESFire EV1. The chip in my hand is a MiFare Ultralight C. The chart below is a comparison of what you get when you read them; I’ve also included an AP Card for comparison. While they have the same core functionality, the DESFire chip has some security benefits that the Ultralight does not, and it could be that the system first checks to confirm that the tag it will be writing to is a DESFire chip as a gatekeeping function before it will allow the write process to occur.
- It could be that there is no writing taking place at all. Disney distributes all of the media that is used for park access, whether it’s a MagicBand or an RFID card, and it could be that all of the identifying information for all of that media and their associated tags are already loaded into Disney’s system. Accordingly, what I think of as encoding is actually the reader getting the ID of the MagicBand and identifying it from the universe of media it has in its database, and then associating it with your account. I actually think this is the most likely way it’s handled, because then Disney can use read-only media and not have to worry about someone inadvertently overwriting their credentials. They also don’t have to worry about people with less pure intentions easily glomming onto their access system.
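The two hypotheses above can be modeled as a small linking backend; this is an added sketch, not code from the original article or from Disney, and it shows how either a chip-type gate or a pre-loaded media inventory produces the rejections described. The class and method names, the sample IDs and the outcome strings are assumptions or constructed values; the ATQA/SAK pairs are NXP's published anticollision values for the two chip families.

```python
from dataclasses import dataclass, field

# ATQA/SAK values a reader sees at anticollision, by MIFARE family.
CHIP_FAMILY = {(0x0344, 0x20): "DESFire", (0x0044, 0x00): "Ultralight"}

@dataclass(frozen=True)
class Tag:
    uid: str   # 16-digit chip ID, as the article describes it
    atqa: int
    sak: int

@dataclass
class LinkingBackend:
    """Hypothetical model; the real system's design is not public."""
    inventory: dict              # chip ID -> printed 12-digit media ID, preloaded
    required_family: str = ""    # hypothesis 1: chip-type gate ("" disables it)
    links: dict = field(default_factory=dict)

    def link_by_tap(self, tag: Tag, account: str) -> str:
        family = CHIP_FAMILY.get((tag.atqa, tag.sak), "unknown")
        if self.required_family and family != self.required_family:
            return "rejected: chip type"
        if tag.uid not in self.inventory:   # hypothesis 2: lookup only, no write
            return "rejected: unknown media"
        self.links[tag.uid] = account
        return "linked"

    def link_by_printed_id(self, printed_id: str, account: str) -> str:
        # Front-line entry accepts only the 12-digit number printed on the media.
        if not (printed_id.isdigit() and len(printed_id) == 12):
            return "rejected: not a 12-digit media ID"
        for uid, printed in self.inventory.items():
            if printed == printed_id:
                self.links[uid] = account
                return "linked"
        return "rejected: unknown media"

# Constructed sample values, not real identifiers.
BAND = Tag("1111222233334444", 0x0344, 0x20)
AP_CARD = Tag("5555666677778888", 0x0044, 0x00)
IMPLANT = Tag("9999000011112222", 0x0044, 0x00)
INVENTORY = {BAND.uid: "100000000001", AP_CARD.uid: "100000000002"}

def run_scenarios() -> dict:
    gated = LinkingBackend(dict(INVENTORY), required_family="DESFire")
    lookup = LinkingBackend(dict(INVENTORY))
    return {
        "band_tap": lookup.link_by_tap(BAND, "guest"),
        "implant_gated": gated.link_by_tap(IMPLANT, "guest"),
        "implant_lookup": lookup.link_by_tap(IMPLANT, "guest"),
        "implant_id_typed": lookup.link_by_printed_id(IMPLANT.uid, "guest"),
        "ap_card_lookup": lookup.link_by_tap(AP_CARD, "guest"),
    }
```

In this model the implant is refused under both hypotheses, while an Ultralight-family card that is already in the inventory links without any chip-type gate, which fits the inventory-lookup explanation.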
So, what now? It’s pretty clear to me that making Disney view this as its own tag is a critical part of this process. As I see it, there are basically three paths to making this work:
- Option one would be to find someone within Disney who is willing to add my chip ID to its database. I have confirmed through a number of different cast members that the folks that are in contact with guests, including supervisors, do not have this capability. It would need to be someone with a higher level of access to add to the database by chip ID rather than by MagicBand ID. Are you one of these people? Want to help me out with this fun and unusual project? Let me know and let’s get it going!
- I might be able to clone my AP Card, which has a lot of the same functionality as a MagicBand, and have that profile placed on the chip instead. As you can see on the chart above, the AP Cards use MiFare Ultralight C chips, which is essentially the same as the one in my hand. While they cannot be copied using ordinary means, my understanding is that they ARE crackable, so the hope would be that I can do just that. Do you have this skill set? If so, hit me up, I’m trying to work my way through this, but I could frankly use the assistance of someone with better hacking skills than me.
- Finally, another option would be to take an existing MagicBand, carefully disassemble it, use it to make a custom chip and have THAT implanted. This is the solution that was recommended to me by Amal Graafstra of Dangerous Things, one of the primary sellers of these implantable chips. In fact, I am apparently not the only person that had this idea, and Amal has already created a custom chip using a MagicBand, which is pictured below. It has not been implanted or tested, however. The good thing about this approach is that it’s a Disney tag, so there won’t be any issue with trying to make something outside of the Disney sandbox play nice with its system. The downside is that the custom chips (on the left) are quite a bit larger, as you can see from the pic of the chips he’s made, and the process for implanting them is a lot more invasive. It requires stitches, and is frankly a more involved process than I probably want to undertake.
One thing worth mentioning: this chip has lots of fun and useful applications that have nothing to do with Disney. Some of the reactions to this little project were of a mocking nature, along the lines of “aren’t you going to feel stupid if this doesn’t work?” Well, no I won’t, because duplicating the MagicBand was one of several things I wanted to do with the chip! It’ll be awesome if I can get it to work, just because how cool would that be, but if not, que sera, sera. I’ll still be the only guy on the block that can enter his house without a physical key and enter my office parking garage even when I’ve left my access card at home.
Along those lines, however, I wanted to give a shout out to Amal again here. In addition to Dangerous Things, Amal is working on Vivokey, which hopes to make it easier for consumers to have their implants interact with the world around them. They’ve already converted a Tesla Model 3 keycard into an implant and then used that to create an app to allow others with compatible chips to do the same. The ultimate goal is to create a sort of app store to allow users to easily add functionality to their chips the same way we add apps to our smartphones to make them more useful for us. It’s very cool, bleeding edge stuff! Definitely check it out if you find this interesting at Vivokey.com.
So, in closing, thank you for joining me on this little journey, and as you can tell, I’m completely serious — if you know how to crack these chips or maybe you work for Disney and have the ability to assist with this fun little experiment, let me know! I’d love to have this locked and ready to go when the parks reopen!