WXXI AM News

This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point

Feb 23, 2018
Originally published on February 26, 2018 9:47 am

Cybercrime is expanding beyond computers and cellphones. Cars, washers and dryers, and even toasters are going online — an evolution of technology called the Internet of things.

Samy Kamkar, a felon who knows how to hack these things, may be the best person to help us understand all the possibilities for crime as we move toward a fully connected world.

I met up with him at the parking lot of NPR West in Culver City, Calif. We planned to steal a car. Kamkar arrived with a couple of gadgets that looked like hand-sized circuit boards with wires dangling from them.

We picked a Chevy Bolt with keyless entry. Kamkar stood 20 feet away with one of the gadgets, and I stood next to the car with the other one. The Bolt unlocked. I got in, started the car and then I was off — ready for a trip to the beach.

For the record, the Bolt belongs to an NPR colleague, who wasn't happy to see how easy it was to hack her car.

Kamkar says his gadget can imitate signals being sent from the owner's key fob to the car. Parking lots are a treasure trove for thieves, he says. "There are a lot of cars coming in and out, so it's essentially dealer's choice," he says.

Kamkar is one of the most famous hackers in America. He has made a career out of working his way into networked devices. It takes a lot of skill, and you have to think a bit like a criminal. That is why Kamkar has an advantage.

He became notorious when he was 19 years old. It was 2005, and he had signed up for the biggest social network of its time, MySpace. He didn't have many friends on the site, but he found a hacker workaround. "When someone would visit my profile, it wrote some code so that you would add me as a friend," he says. "Additionally you would add, 'Samy is my hero' to the bottom of your profile. I thought that would be funny."

It worked very, very well. In fact, it was the fastest-spreading computer worm of its time. Unfortunately, it also crashed MySpace. Kamkar was arrested and charged with cyberhacking. The judge found a punishment to fit the crime: Kamkar was banned from the Internet for life.

As it turns out, Kamkar now thinks time off the computer was just what he needed.

"I think it was really good for me because ... I was forced to partake in other parts of life," he says. "Things that I'd never done before like go outside and look at the sun and get a little color, read books, hang out with people in real life, or IRL as we say online."

After three years, his sentence was lifted for good behavior. But, over those three years, Kamkar had changed. He says he still loved hacking. "I ... really enjoy understanding how technology works and using it in a way that you wouldn't expect," he says. "But ... I think, 'Would I want this done to me?' "

Kamkar is a "gray hat" hacker — not all good, not all bad. He works on the edges of the law — breaking into cars, connected doorbells, drones and phones to try to find vulnerabilities. When he succeeds, he lets the world know so the vulnerability can be fixed.

As the world moves toward being fully connected — and ordinary household appliances are converted into cyberweapons — Kamkar is offering a valuable service.

The security risks of connected devices hit home personally for Richard Downing, head of the Justice Department's Computer Crime and Intellectual Property section. "I was just over the holidays installing a new smart thermostat in my house," he says, "and thinking about this very problem because, of course, it's connected to the Internet."

And yes, even a thermostat could potentially be hacked.

Last year, the Justice Department prosecuted a student at a New Jersey college and two of his friends for hacking into hundreds of thousands of Internet-connected devices — DVRs, routers, even baby monitors. Downing says they turned all these little devices into a supercomputer called a botnet.

"They were able to sell access to the botnet to others who wanted to cause denial-of-service attacks," he says. "They had a business and they were able to harm their competitors' businesses as a result of these denial-of-service attacks."

The botnet they created took down Twitter, Netflix and the network at Rutgers University — where one of them went to school.

Security on Internet-connected devices is often very weak. Manufacturers often give every device the same password, and it can be difficult or impossible to change. "Unfortunately, these Internet-of-things devices sometimes don't have as robust security as our phones or our computers do," Downing says.

Manufacturers are rushing to sell Internet-connected toasters or doorbells, and security isn't the top priority. And that is where a gray-hat hacker like Kamkar comes in. He can embarrass a company into providing more security. For instance, shortly after Amazon said it was interested in using drones to deliver packages, Kamkar announced he had found a way to take them over. He shared the hack on his YouTube channel.

Imagine if a terrorist managed to take control of an army of drones. Or what about cars? In the not-too-distant future, autonomous vehicles will be clogging the freeways of Los Angeles. And they're hackable. A few years ago, Chris Valasek and Charlie Miller, a couple of gray hat hackers, proved it with an Internet-connected Jeep Cherokee.

Fiat Chrysler has fixed that problem.

But Kamkar says there will always be other bugs. "I'm worried that someone really young will do something really stupid because they don't understand what they're doing ultimately," he says. "So I'm worried about someone who hasn't had a lot of life experience, but has a lot of power. And that's simply because we're making things more accessible."

At the moment, there is a lot of competitive pressure on companies to make things as easy to use as possible. Kamkar hopes that by finding vulnerabilities and making them public, customers will demand change. "It's only when everyone yells at a company and says, 'This needs to change.' ... That's when change occurs," he says.

Kamkar will keep raising the alarm — but ultimately it's up to us to decide whether to buy the most convenient new gadget or the most secure. We may not be able to have both.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

RACHEL MARTIN, HOST:

The Internet is in the midst of a revolution. We won't just be using it to search for stuff, watch videos or send email. It's going to control cars, washers, dryers, even toasters. And that's what it means when you hear that phrase - the Internet of things. As part of her series Artists and Criminals, NPR's Laura Sydell looks at what happens when hackers take control of all these connected devices.

LAURA SYDELL, BYLINE: These days, stealing a car is easy if you have the right gadget. I'm standing in NPR's parking lot in Culver City, Calif. My accomplice, Samy Kamkar, stands about 20 feet away. We each hold a small circuit board with dangling wires. Kamkar unlocks a keyless entry Chevy Bolt.

All right. So we're in. We're going to steal this car.

And I press the start button.

And the car is driving.

For the record, the car belonged to a colleague. And she wasn't very happy to see how easy it was to hack into her car. Kamkar says his gadget can pick up on signals being sent out by the owner's key fob and imitate it. It's easy to use this technology in a crowded parking lot.

SAMY KAMKAR: There are a lot of cars coming in and out. So it's essentially dealer's choice at that point.

SYDELL: Samy Kamkar is one of the most famous hackers in America. He's made a career out of working his way into network devices. It takes a lot of skill. And you have to think a bit like a criminal. That's where Kamkar has an advantage. He's a convicted felon. Kamkar became notorious at 19 years old. It was 2005. And Kamkar signed up for the biggest social network of the time, MySpace. He didn't have many friends on the site, but he found a hacker workaround.

KAMKAR: So now, when someone would visit my profile, I wrote some code so that you'd add me as a friend. And additionally, you would add Samy's my hero to the bottom of your profile. I thought that would be funny.

SYDELL: It worked really, really well. Kamkar had created the fastest-spreading computer worm of its time. MySpace crashed. He was arrested and charged with cyber hacking. The judge found a punishment to fit the crime. He was banned from the Internet for life.

(SOUNDBITE OF MUSIC)

SYDELL: As it turns out, Kamkar now thinks time off the computer was exactly what he needed.

KAMKAR: I think it was really good for me because I now - I was forced to partake in other parts of life - things that I'd never done before - right? - like go outside and look at the sun and get a little color, read books, hang out with people, like, in real life - or IRL, as we say online, right?

SYDELL: After three years, they lifted his sentence for good behavior. And Kamkar had changed. He still loved hacking, of course.

KAMKAR: But I do it with a hat now where I think, would I want this done to me?

SYDELL: He's what they call a gray-hat hacker - not all good, not all bad. He works on the edges of the law, breaking into cars, connected doorbells, phones to try and find vulnerabilities. But when he succeeds, he lets the world know, so it can be fixed. And this is a valuable service. Law enforcement is finding that even ordinary household appliances can be turned into weapons.

RICHARD DOWNING: I was, just over the holidays, installing a new smart thermostat in my house and thinking about this very problem because, of course, it's connected to the Internet.

SYDELL: This is Richard Downing, who heads the Justice Department's Computer Crime and Intellectual Property Section. And yes, even a thermostat could potentially be hacked. Last year, the Justice Department prosecuted a college student in New Jersey and two of his friends for hacking into hundreds of thousands of Internet devices - DVRs, routers, even baby monitors. Downing says they turned all these little devices into a supercomputer called a botnet.

DOWNING: They were able to sell access to the botnet to others who wanted to cause denial-of-service attacks. They were able to knock offline some of their own competitors. They had a business, and they were able to harm their competitors' businesses as a result of these denial-of-service attacks.

SYDELL: The botnet they created shut down Twitter, Netflix and the network at Rutgers University, where one of them went to school. One of the problems is that security is weak. Manufacturers give thousands of devices the same password.

DOWNING: Unfortunately, these Internet-of-things devices sometimes don't have as robust security as our phones or our computers do.

SYDELL: Manufacturers are rushing to be the first out with an Internet-connected toaster or doorbell. And security isn't the top priority. And that's where a gray-hat hacker like Samy Kamkar comes in. He can embarrass a company into providing more security. For instance, shortly after Amazon announced it was interested in using drones to deliver packages, Kamkar announced he'd found a way to take them over.

(SOUNDBITE OF VIDEO)

KAMKAR: Hi. I'm Samy. And I am going to do a quick demo here of my zombie drone software.

SYDELL: This is from a video on Kamkar's YouTube channel. He's using an iPad to hack into a nearby drone.

(SOUNDBITE OF VIDEO)

KAMKAR: Now it's attempting to connect to the drone that it hacked. And then it's going to turn it on and take it over.

SYDELL: It's not hard to imagine the nightmare scenarios. What if a terrorist manages to take control of an army of drones? Or what about cars? In the not-too-distant future, autonomous vehicles will be clogging the freeways of Los Angeles. And they'll be hackable. A few years ago, a couple of gray-hat hackers, Charlie Miller and a colleague, proved it could be done with an Internet-connected Jeep Cherokee.

(SOUNDBITE OF VIDEO)

UNIDENTIFIED MAN: We're in a parking lot. And I'm going to remotely hack into the car and turn the steering wheel.

SYDELL: The car drove into a fence.

Fiat Chrysler did fix that. But Kamkar says there will always be other bugs.

KAMKAR: I'm worried that someone really young will do something really stupid because they don't understand what they're doing, ultimately. So I'm worried about someone who hasn't had a lot of life experience but has a lot of power. And that's simply because we're making things more accessible.

SYDELL: In other words, someone just like the 19-year-old Samy Kamkar, who created the world's fastest-spreading worm. Only this time, the potential for inflicting damage is so much greater. Companies could make their devices more secure, but it might make them harder to use.

KAMKAR: I only see change when you have customers demanding that change. It's only when everyone, you know, yells at a company and says, this needs to change, this needs to occur - that's when change occurs.

SYDELL: Kamkar will keep raising the alarm. But ultimately, it's up to us to decide whether to buy the most convenient, new gadget or the most secure. We may not be able to have both. Laura Sydell, NPR News.

(SOUNDBITE OF RAMTIN ARABLOUEI'S "MUSIC FOR HACKING THE INTERNET OF THINGS")

Transcript provided by NPR, Copyright NPR.