Cybercrime is expanding beyond computers and cellphones. Cars, washers and dryers, and even toasters are going online — an evolution of technology called the Internet of things.
Samy Kamkar, a felon who knows how to hack these things, may be the best person to help us understand all the possibilities for crime as we move toward a fully connected world.
I met up with him at the parking lot of NPR West in Culver City, Calif. We planned to steal a car. Kamkar arrived with a couple of gadgets that looked like hand-sized circuit boards with wires dangling from them.
We picked a Chevy Bolt with keyless entry. Kamkar stood 20 feet away with one of the gadgets, and I stood next to the car with the other one. The Bolt unlocked. I got in, started the car and then I was off — ready for a trip to the beach.
For the record, the Bolt belongs to an NPR colleague, who wasn’t happy to see how easy it was to hack her car.
Kamkar says his gadget can imitate signals being sent from the owner’s key fob to the car. Parking lots are a treasure trove for thieves, he says. “There are a lot of cars coming in and out, so it’s essentially dealer’s choice,” he says.
Kamkar is one of the most famous hackers in America. He has made a career out of working his way into networked devices. It takes a lot of skill, and you have to think a bit like a criminal. That is why Kamkar has an advantage.
He became notorious when he was 19 years old. It was 2005, and he had signed up for the biggest social network of its time, MySpace. He didn’t have many friends on the site, but he found a hacker workaround. “When someone would visit my profile, it wrote some code so that you would add me as a friend,” he says. “Additionally you would add, ‘Samy is my hero’ to the bottom of your profile. I thought that would be funny.”
It worked very, very well. In fact, it was the fastest-spreading computer worm of its time. Unfortunately, it also crashed MySpace. Kamkar was arrested and charged with cyberhacking. The judge found a punishment to fit the crime: Kamkar was banned from the Internet for life.
As it turns out, Kamkar now thinks time off the computer was just what he needed.
Courtesy of Samy Kamkar
“It think it was really good for me because … I was forced to partake in other parts of life,” he says. “Things that I’d never done before like go outside and look at the sun and get a little color, read books, hang out with people in real life, or IRL as we say online.”
After three years, his sentence was lifted for good behavior. But, over those three years, Kamkar had changed. He says he still loved hacking. “I … really enjoy understanding how technology works and using it in a way that you wouldn’t expect,” he says. “But … I think, ‘Would I want this done to me?’ “
Kamkar is a “gray hat” hacker — not all good, not all bad. He works on the edges of the law — breaking into cars, connected doorbells, drones and phones to try to find vulnerabilities. When he succeeds, he lets the world know so the vulnerability can be fixed.
As the world moves toward being fully connected — and ordinary household appliances are converted into cyberweapons — Kamkar is offering a valuable service.
The security risks of connected devices hit home personally for Richard Downing, head of the Justice Department’s Computer Crime and Intellectual Property section. “I was just over the holidays installing a new smart thermostat in my house,” he says, “and thinking about this very problem because, of course, it’s connected to the Internet.”
And yes, even a thermostat could potentially be hacked.
Last year, the Justice Department prosecuted a student at a New Jersey college and two of his friends for hacking into hundreds of thousands of Internet-connected devices — DVRs, routers, even baby monitors. Downing says they turned all these little devices into a supercomputer called a botnet.
“They were able to sell access to the botnet to others who wanted to cause denial-of-service attacks,” he says. “They had a business and they were able to harm their competitors’ businesses as a result of these denial-of-service attacks.”
The botnet they created took down Twitter, Netflix and the network at Rutgers University — where one of them went to school.
Security on Internet-connected devices is often very weak. Manufacturers often give every device the same password, and it can be difficult or impossible to change. “Unfortunately, these Internet-of-things devices sometimes don’t have as a robust security as our phones or our computers do,” Downing says.
Manufacturers are rushing to sell Internet-connected toasters or doorbells, and security isn’t the top priority. And that is where a gray-hat hacker like Kamkar comes in. He can embarrass a company into providing more security. For instance, shortly after Amazon said it was interested in using drones to deliver packages, Kamkar announced he had found a way to take them over. He shared the hack on his YouTube channel.
Imagine if a terrorist managed to take control of an army of drones. Or what about cars? In the not-too-distant future, autonomous vehicles will be clogging the freeways of Los Angeles. And they’re hackable. A few years ago, Chris Valasek and Charlie Miller, a couple of gray hat hackers, proved it with an Internet-connected Jeep Cherokee.
Fiat Chrysler has fixed that problem.
But Kamkar says there will always other bugs. “I’m worried that someone really young will do something really stupid because they don’t understand what they’re doing ultimately,” he says. “So I’m worried about someone who hasn’t had a lot of life experience, but has a lot of power. And that’s simply because we’re making things more accessible.”
At the moment, there is a lot of competitive pressure on companies to make things as easy to use as possible. Kamkar hopes that by finding vulnerabilities and making them public customers will demand change. “It’s only when everyone yells at a company and says, ‘This needs to change.’ … That’s when change occurs,” he says.
Kamkar will keep raising the alarm — but ultimately it’s up to us to decide whether to buy the most convenient new gadget or the most secure. We may not be able to have both.