I spent last weekend at Defcon 23, the annual hackerpalooza in Las Vegas. As usual, the experience was good for quickly disabusing people like me of the comfortable fiction that any digital information is truly secure. In five simultaneous tracks over three days and multiple ongoing “villages,” computer-savvy technophiles demonstrated their ability to gain unintended access to nearly every digital device imaginable.
Presenter after presenter shared intricate details of the code used to accomplish these feats. The illustrated, step-by-step explanations (peppered with obligatory memes) followed a familiar pattern: hacker sees device; hacker determines how device operates; hacker applies a handful of well-known methods of attack; hacker obtains access to device, to the amusement of all present. And the amazing part is how easy they all make it look. Samy Kamkar broke down how he repurposed a child’s toy into a device that could crack any garage door opener within 8 seconds–all because manufacturers chose to use static codes instead of rolling ones (not that those proved impenetrable either).
Then there was the name-brand safe designed to securely store paper money in commercial establishments. Dan Petro and Oscar Salazar seemed almost embarrassed to explain how easy it had been to crack this design. The audience roared over such laugh lines as “it has an easily accessible USB port,” “I plugged in a mouse–and it worked,” “the control panel was held in place by uncovered, Phillips-head screws,” and “it runs Windows XP!”
But the most disturbing IoT hacks were those applied to connected cars and their infrastructure. The headline of the conference, of course, was the remote Jeep hack that had been released to the press a week before the event. (There was even a demonstration Jeep on hand in the Car Hacking Village, although with its name badges mercifully obscured.) Mark Rogers and Kevin Mahaffey walked through their successful attempt to commandeer a Tesla, although the lengths to which they were required to go demonstrated that the car was one of the most secure on the road. Kamkar explained how he managed to intercept and use door-unlocking signals from a driver’s key fob.
Proving that the future holds no promise of security, moreover, Colby Moore gave a chilling demonstration of how he managed to hack the orbital satellites used to track the geolocation of vehicles and other connected assets. Specifically, he managed not only to decode the signals coming from those satellites, but also to commandeer the signal to send his own, false location information. Using this method, one could conceivably send an entire fleet of self-driving cars over a cliff like so many lemmings.
In keeping with the “white hat” ethos of the event, each of these researchers had disclosed the results of their efforts to the manufacturers of the devices in question before publicly disclosing their methods. In most cases, they found the manufacturers to be receptive, even grateful. Tesla went so far as to send its CTO to the even to be onstage with the presenters, and had one of their vehicles on display in the Car Hacking Village. It is one of a growing number of companies that incentivize hackers like these with “bug bounties,” in order to test and improve their products’ security. As usual, the Federal Trade Commission was there recruiting, and DARPA plans to participate in one of the event’s challenges next year. But there are always a few manufacturers who don’t appreciate being exposed, such as the maker of the aforementioned satellite network. According to the presenters, this company had been less than cooperative with their attempts to report and rectify the insecurity. This leads one to wonder just how many vulnerabilities out there could have been fixed if manufacturers had been more willing to listen.
As the internet continues to seep its way into the things that make up our daily lives, the idea of information security will continue to be an increasingly tenuous concept. Fortunately, the motley assortment of hackers who descend upon Vegas every summer are out there, on our side.
Oh yeah–and it’s also refreshing to find they have great taste in books, too. I was humbled and gratified to see my recent book on Augmented Reality Law, Privacy and Ethics on sale in the Defcon Vendor Room!