NFC Hacking: Part 3 – My Left Arm Runs Java

Check out the project on GitHub and DangerousThings.

In my previous posts about NFC security models and custom hardware tokens, I explained why I want a hardware token which can perform computations and is freely programmable, and how I built a development prototype based on the NXP P71 chip. As I explained, I always wanted to use the VivoKey subdermal chip implants in the future – which has now happened, after about two years of research and development.

VivoKey / DangerousThings have since released a P71-based implant in two variants: a commercial one with appstore support by Fidesmo (Apex Flex), and an open-source one you can and have to program yourself (flexSecure). Both have their pros and cons: the Fidesmo-enabled Apex comes with an easy method to deploy applets and a payment applet (currently inactive), while the flexSecure comes with administrative keys.

Transparency Disclaimer: I do freelance open-source development for VivoKey / DangerousThings and had an influential role in the development of the flexSecure product.

From Prototype To Product

After I got in touch with the CEO of VivoKey / DangerousThings, Amal Graafstra, he expressed interest in offering an open-source alternative to the already planned Apex Flex implant: a product more targeted towards developers and hackers who would not shy away from using the Linux command line or compiling applets by themselves, without having to depend on a third party like Fidesmo.

Eventually, I sourced a few hundred chips and had them sent to Amal’s facility for assembly and distribution. In parallel, I took up his offer and continued my open-source development work, but now under the official brand of DangerousThings. A whole load of documentation was published on GitHub, which now serves as developer and usage documentation for the flexSecure.

The applets written and tested on the flexSecure are also released via the VivoKey Fidesmo appstore, for the Apex Flex customers to enjoy.

There Will Be Blood

Naturally, implanting something under your skin comes with an inherent challenge – getting it inside your body. I opted to pay a professional, and found an experienced piercing studio where the artist performed the surgical procedure quickly and accurately. I expected the procedure to hurt a lot more, but in my opinion a wasp or bee sting hurts worse. Then again, the adrenaline probably acted as a moderate painkiller.

The healing went well; I had no issues and only a minimal scar after a few weeks. I decided on the wrist position because the skin does not flex much there, and I want to keep fragile stuff away from my fingers since I still go rock climbing.

Usage

Although the applets keep being developed further, I already use my implant for:

  • Authenticating on websites using FIDO U2F
  • Signing and encrypting E-mails using PGP
  • Securing my KeePassXC password database using HMAC-SHA1
  • Accessing an Ethereum non-custodial wallet using BIP32
  • Storing plain data records using NDEF

Other people also use different available applets to e.g. unlock their Tesla car. In the future, VivoKey and I plan to release applets supporting additional protocols, such as FIDO2, PIV, GIDS and maybe SEOS.

Conclusion

Essentially I managed to fully replace my YubiKey, which is what I set out to do two years ago. Great success! And I can’t lose this token anymore. Obviously I need a USB NFC reader for my PC, but on mobile phones the integrated NFC antenna works fine.

I agree that this technology is not for everyone, but I think the applications and possibilities are fascinating. Technology progresses whether you like it or not, and I believe you gotta make the most out of it. Keep it open-source, keep it accessible. Hack on.

Image source: DangerousThings at https://dangerousthings.com/product/flexsecure/
