Biohackers chase Johnny Mnemonic with ‘Pegleg’ implanted hard drive
9 min read

Biohackers chase Johnny Mnemonic with ‘Pegleg’ implanted hard drive

Biohackers chase Johnny Mnemonic with ‘Pegleg’ implanted hard drive

TEHACHAPI, Calif.—In a small house nestled among the oak trees here, a four-hour drive west of the Black Hat and DefCon cybersecurity and hacker conferences taking place in Las Vegas and high enough into the hills above town that Google Maps can’t accurately find it, biohackers took one small but important step toward the science fiction dystopia depicted in William Gibson’s Johnny Mnemonic.

In that 1981 short story (and in a critically panned 1995 Keanu Reeves blockbuster of the same name), Gibson imagines a near future in which technology has developed to the point where humans can erase their memories and replace them with data and files that they can’t access themselves. In a futuristic, dirty, cluttered world plagued by Yakuza mobsters, people are paid to use their bodies to courier information.

The Four Thieves Vinegar biohacking collective has not figured out how to precisely mimic the memory data transfer scenario Gibson conjured, but it has built a device to enable people to store and transfer data wirelessly in their bodies.


How hackers are approaching medical cybersecurity
Parallax special report: Medical security
Biohacker’s latest answer to health care hurdles: Homebrew meds
WannaCry vs. the ER doc: On the front lines of a ransomware outbreak
Yes, your life-saving medical devices can be hacked
Living on the edge of heartbreak: Researcher hacks her own pacemaker

Using off-the-shelf parts and focused efforts, the biohacking group has designed and built a networked hard drive, coated in a biosafe resin, to be subcutaneously implanted in the human body. It’s powered by an external battery that connects to the device via an induction coil, and its storage capacity is limited only by the size of the microSD card it contains. Michael Laufer, who founded Four Thieves Vinegar, calls it the Pegleg.

In the small hours of August 8, in an operating room within the small house, two patients received the second version of the Pegleg implant, which Laufer says is the world’s first subcutaneous networked drive.

What’s a Pegleg?

Laufer calls it the Pegleg because “it’s what remains of the Pirate.”

The original version of the Pegleg was a result of an unplanned three-day hardware-hacking sprint that Laufer and his teammates, 19-year-old Nick Titus and 29-year-old Zack Shannon, participated in earlier this year at the annual implant-focused biohacking confab Grindfest. Laufer had accidentally left a portable networked drive known as a PirateBox at last year’s Grindfest, hosted at the home of registered nurse Jeffrey Tibbetts, and had just found it.

Laufer’s PirateBox was a former TP-Link portable Wi-Fi router that he had loaded with the custom, open-source software that powers PirateBoxes. Although the PirateBox software is no longer maintained, it’s still available for download. Its features include direct messaging, chatting, and file sharing among users who connect to it. It can’t connect wirelessly to the Internet, but other devices can connect to it, creating a mesh network. It’s not password-protected, either—anybody can connect to it, if their phone or laptop is within signal range.

During a phone conversation in May, Laufer told me he sees the mesh network as the real draw of the Pegleg to biohackers and grinders, people who modify their bodies with cybernetic implants.

“If you imagine everybody with a laptop, computer, or cell phone becomes a node of a mesh network, we can do away with the Internet,” Laufer says. “All of our communication can happen in an organic way.”

This slideshow requires JavaScript.

Moments after a Grindfest participant asked Laufer if his PirateBox could be turned into an implant, the Laufer-Titus-Shannon trio furiously started removing many of its components (such as the Ethernet connector, USB ports, power connector, battery, and case) in an attempt to make a functioning version of it small enough to be implanted in a human arm or leg.

Pegleg Patient Zero

The participant who launched the query, who goes by the handle Lepht, is one of the first (if not the very first) persons to embrace the radically self-expressionist hallmarks of the grinder community: implants that include RFID chips, electromagnets, and other small-scale computer-control devices.

On May 6, following the three days of intense hardware and software hacking at Grindfest, Lepht settled into the operating-room chair in the surgical cleanroom in Tibbets’ garage. Tibbets made an incision, created a pocket between the skin and the muscle, slipped the Pegleg in, and sewed up Lepht’s arm, making her the first person to receive the Pegleg implant. Lepht then drove to LAX and flew back to her home in Birmingham, England, via Heathrow Airport. According to Laufer, Lepht’s implant did not set off metal detectors in either airport.

Pegleg v2 is built on a Raspberry Pi Zero W, and as portable computers small enough to be inserted under your skin go, it’s relatively large. It’s 2.56 inches long, 1.18 inches wide, and 0.196 inches thick—about the size of a Hershey’s mini chocolate bar.

Lepht did not respond to multiple interview requests in the months following the Pegleg implant surgery, though she did write in a blog post that she is being treated for depression, and is not responding to emails or text messages.

Pegleg, the next generation

Three months after Lepht’s Pegleg implant, at 12:10 a.m. on August 8, Tibbets prepared his surgical room, laying out scalpels, spreaders, needles, and medications. He then made an incision into the skin of his own right leg, as Laufer, Titus, Shannon, and I observed.

Tibbets has had 20 to 30 implants, almost all of them self-insertions. He’s taken most of them out after testing; this one was going to be the largest, with no immediate plan for removal. As with Lepht, he created a pocket in the skin. He inserted the second version of the Pegleg, and he sewed up the incision at 1:02 a.m. He then pulled on a pair of pants and tapped a wireless battery against the spot on his leg where his implant is now located.

The Pegleg turned on, and Titus connected directly with it via his phone. Over the devices’ mesh network, he then transferred to the Pegleg a (very meta) photo I’d texted him of Tibbets looking at a photo of his own surgery. This prompted a nearby laptop connected to the Pegleg’s network to load the photo on its screen. The Pegleg worked.

Jeff Tibbetts watches as the new Pegleg implant in his right thigh streams a photo from the surgery to a laptop over the Pegleg’s mesh network. Photo by Seth Rosenblatt/The Parallax

After a celebratory glass of champagne, Tibbets went to bed a bit more cyborg (or, perhaps, tryborg) than he was before.

Pegleg v2 is built on a Raspberry Pi Zero W, and as portable computers small enough to be inserted under your skin go, it’s relatively large. It’s 2.56 inches long, 1.18 inches wide, and 0.196 inches thick—about the size of a Hershey’s mini chocolate bar.

To make Pegleg v2, Laufer and his team removed from the Raspberry Pi both Micro USB connectors (one for power, one for data), the Mini HDMI connector, and the camera connector. They then soldered on a second Wi-Fi chip to enable it to transfer data to another Pegleg and allow other devices to connect to it, as well as an induction coil to enable it to be powered by a wireless battery resting in a contiguous sports armband or pants pocket. They enabled Bluetooth for future functionality, inserted a 512GB microSD card for storage, and updated the firmware. Finally, they coated the hacked device in a biocompatible acrylic resin to prevent it from interacting with the recipient’s body and to diffuse the heat it emanates.

At 11:44 a.m. on the same day, Laufer—an implant newbie who has three small tattoos but no piercings—took a seat in the surgical room. An Alexa stereo was streaming a free Pandora station, with occasional loud ads interrupting the hushed tones in which everyone was speaking. Tibbets prepared the section of Laufer’s upper-right thigh where the implant would go, and got to work in the same methodical manner in which he operated on himself at midnight. During the procedure, Laufer passed out for a few seconds and vomited a little bit. But 32 minutes later, he had a functional Pegleg implant.

Pegleg and consequences

Laufer says that prior to last year’s Grindfest, he’d “had that PirateBox unit, and carried it around in my pocket, for years. If somebody searched me, they could take it away. But if it’s implanted in your body, nobody can ever take it away.”

Laufer has lofty hopes for the Pegleg. He feels that the Internet has failed to serve people in the way that they need most: to connect them without interlocutors, interception, or surveillance. He wants the Pegleg to become a device that whistleblowers and activists can use to extract information more securely than relying on cloud storage services that are owned and controlled by corporate entities, though the Pegleg itself has no security features other than lacking the ability to connect directly to the Internet.

And in a Johnny Mnemonic twist, Laufer says a Pegleg owner won’t necessarily have access to the files on the device. He argues that somebody could pay a Pegleg carrier to courier an encrypted file to a recipient who has the encryption key. If the Pegleg carrier doesn’t have the key, there’s no way for him to know what’s in the file.

The Pegleg v2 is about the size of a mini Hershey’s candy bar, much smaller than a smartphone or wireless battery. Photo by Seth Rosenblatt/The Parallax.

The Pegleg does not appear to present any immediate health risks, besides being a DIY computer hardware project placed between skin and muscle. The Food and Drug Administration, which regulates implantable medical devices, declined to directly address any potential issues it might have with the Pegleg and insinuated in a statement that the device would fall outside of its sphere of regulation.

“The FDA does not usually comment on specific products without a thorough review,” an agency representative said. “We define medical devices as products that claim to treat, prevent, cure, mitigate, or diagnose a disease or condition. The FDA regulates products that fall into our medical-device definition.”

Esha Bhandari, a staff attorney with the ACLU Speech, Privacy, and Technology Project, says a device like the Pegleg raises concerns similar to those surrounding implanted Internet-connected devices, such as a “smart” pacemaker.

“This, to me, seems like a variant of that. How much privacy are you entitled to? Will the government be able to demand that you reveal devices every time [you travel]?” she says. “People who’ve had surgery will often declare when they travel that they have metal in their body. But the data is the same whether it’s embedded in your skin or carried in a device or transmitted over the Internet.”

Bhandari says it’s also not clear whether activists or whistleblowers would even consider getting an implanted networked hard drive. “Something involving surgery is not necessarily going to be easier to get to than people who need tools like encryption,” she says. And it’s even less clear whether a customs agent at an international border would be allowed to compel someone to turn on an implanted device the way it could compel the unlocking of a laptop or phone—or, moreover, whether a government agency could subpoena data from (or demand the surgical removal of) an implanted device.

“If any organization, say Apple or Google, wants to do an implant—and we’re going to get there—those organizations need to be very specific about how they’re organizing that data, who owns it, and what they’re doing with it.”—Alex Pearlman, bioethicist.

“None of the existing regulations address this. The current legal framework isn’t dealing with these kinds of things,” she says.

Bioethicist and researcher Alex Pearlman says her concerns don’t surround what Four Thieves Vinegar has done with the Pegleg but rather what comes next.

“The ethical questions don’t come from whether or not we should be implanting ourselves with hardware; it’s how we use them,” she says. “If any organization, say Apple or Google, wants to do an implant—and we’re going to get there—those organizations need to be very specific about how they’re organizing that data, who owns it, and what they’re doing with it.”

She foresees, sooner rather than later, smaller and more innovative implants in which the FDA might take real interest. “They will follow the trends we’ve seen generally in technology. I’m more interested in seeing the next step—you get an implant, it has a bunch of your data, and then can you synthesize provision medicine,” Pearlman says. “The larger ethical implication is, what comes next?”

This may all sound insane to people who view their bodies as sacrosanct and separate from technology, but the world of technology has already come crashing through the thin membranes that separate us from our tools. From the use of glasses to correct vision in the 13th century to modern science’s work on pacemakers, insulin pumps, implanted RFID chips and magnets, and artificial pancreases, technology has become inextricably intertwined with our bodies.

Gibson wrote in Johnny Mnemonic with apparent prescience: “We’re an information economy. They teach you that in school. What they don’t tell you is that it’s impossible to move, to live, operate at any level without leaving traces, bits, seemingly meaningless fragments of personal information. Fragments that can be retrieved, amplified….”

That quote recognized where information technology was headed 38 years in advance. What if he was right about selling space in our brains to store and ferry data too?

Enjoying these posts? Subscribe for more