West Virginia CISO Danielle Cox has embedded RFID chips in her fingernails. She finds ease-of-use advantages and minimal downsides. Here’s her story, including why and how it’s done.
Over the past few years, there has been a growing interest and heated discussions surrounding the topic of implanting chips in human bodies for a wide variety of reasons ranging from medical necessity to personal convenience. And in just the past few months, Elon Musk’s brain chip firm, Neuralink, received approval from the U.S. Food and Drug Administration to conduct its first tests on humans.
Closer to home for many government employees, Danielle Cox, the chief information security officer for West Virginia, was showing off her colorful fingernail chip embeds to peers at the recent NASCIO Midyear conference in Maryland. I was fascinated by a conversation we had on the topic.
I have known Danielle for several years, and she does great cybersecurity work for her state. She has delivered excellent presentations around the country on various cyber topics, and she gave this notable online keynote presentation in late 2020 on the state of cybersecurity in West Virginia:
I asked Danielle if she would be willing to participate in an interview on this chip embed topic for my blog, and she agreed. So here we go:
Dan Lohrmann (DL): Tell us about your role as CISO in West Virginia.
Danielle Cox (DC): The cybersecurity office in West Virginia covers a wide range of areas: incident response, cyber operations, threat hunting, risk management, vulnerability assessments, etc. It’s a lot of work that needs to be prioritized. So my main job as CISO is to help remove obstacles for the technical experts; help local entities recover from ransomware; help protect citizen data; and help grow the team capabilities and cyber protections in place. I’m rarely in a position to put hands on a keyboard for threat hunting or playing around in all the new technologies. My amazing team does that. Which is probably why putting RFID/NFC chips in my nails amused me so much. I rarely get to play!
DL: Why did you start to experiment with chip embeds?
DC: Originally, I didn’t even start thinking about embedding chips in my acrylic nails. I had friends that had gotten RFID chips inserted into their actual hand at Black Hat [the security conference]. That seemed fun, but way too permanent for me. It wasn’t until I started planning for interns this summer that I went down this path.
DL: When did you start, and how?
DC: I think West Virginia has some struggles when it comes to hiring and retaining qualified cyber professionals in government positions. One of the ways we can combat that is with the Governor’s Internship Program. I was going through some of the projects we needed to have our incoming interns complete, and was trying to brainstorm some “fun” projects for the students to participate in as well. We have some security tools we wanted to let them experiment with for some wireless and access audits. But I needed some different tags that they could test scenarios on … and not risk breaking anything import. So, down a shopping rabbit hole I went. Found what I needed for the interns, then when I got home, I ended up buying myself some of the smallest NFC/RFID tag stickers I could find.
DL: What are the advantages and how do you use the chip implants?
DC: First, it’s not permanent and it’s waterproof. Second, I can’t misplace it!
Third, the tag/chip is embedded into the acrylic that lays over my nails. Mimi, my brilliant nail tech and co-owner of Rainbow Nails, tested the chip’s functionality at each step in the process. We weren’t sure if the acrylic application or gel drying processes would melt the components. Temperatures can get over 100 degrees Fahrenheit. We used NFC chips with lights as our gauge to see if they were still working. I’d run them over my phone’s NFC scanner during each phase so we could visually ensure everything was OK.
DL: How many chips do you have implanted now?
DC: I get my nails done about every four weeks, so it changes depending on what I’m doing. If I know I’m going to have a hotel stay or be on the road, I’ll make sure I have a few nails available to be programmed. One or two is more than sufficient for simple access to hotels or work, gas payments, etc.
DL: What can they do or not do?
DC: Depending on the access system in use and the type of chips embedded, they can be used in place of access cards. I’m very excited to duplicate my hotel card onto a nail during my next vacation. I won’t have to keep track of a card or phone while swimming at the pool. Men have pockets in all their clothes. Women unfortunately do not.
DL: Do you have any security or privacy concerns with chip implants?
DC: Not really, but duplicating cards in some situations may be against policy. After my recent trip to the NASCIO conference, I think a couple people were planning on making a policy about it after seeing the nails in person. The control over access still resides with the system owner, not the access card owner. When the nails are removed or replaced, the chip is completely destroyed in the filing process. They’re fused to my nail, so there’s no misplacing anything. If I somehow did lose a nail, I’m not sure someone’s first reaction would be to pick up a torn-off fingernail and start scanning doors.
DL: How could this practice be improved?
DC: Preplanning. You need to have an idea of what you’re wanting to duplicate and ensure the tag/chip is compatible.
DL: What’s next for you regarding chip implants?
DC: I’ll continue to use them, especially while traveling. I suspect this specific use case is really only practical for those of us that get our nails done regularly — very niche.
DL: Anything else you want to add?
DC: I know that post-pandemic, a lot of people in IT are dealing with burnout. Embrace the silly project ideas you have.
DL: Thank you, Danielle, for your willingness to answer my chip implant questions. Also, thanks for your leadership in cybersecurity for the state of West Virginia and our nation.
FINAL THOUGHTS
This blog has covered the topic of chip implants on multiple occasions going back to 2017. Here are a few other related blogs you may be interested in reading to learn more: