Hacker Explains One Concept in 5 Levels of Difficulty

Credit: WIRED
Duration: 25:23


Security researcher and computer hacker Samy Kamkar is asked to explain the concept of computer hacking to 5 different people: a child, a teen, a college student, a grad student, and an expert.

- Hi, my name is Samy Kamkar. I am a security researcher, computer hacker, and co-founder of Openpath Security. I've been challenged today to explain one simple concept in five levels of increasing complexity. My topic, hacking. Hacking to me is using or manipulating a system in a way that it wasn't intended or really expected. And that could be a computer or it could be a phone or a drone or a satellite. It could really be anything.

[bright music]

- Do you know what computer hacking is?
- It's bad. Like, I'm going into someone's personal account or account, changing some stuff or just stealing some information or your money.
- Yeah, it's crazy. There are really a lot of bad or malicious hackers out there who are doing just that. They're going into people's accounts and they're stealing money, but there's also another side of computer hacking where there are people who are trying to learn how those bad hackers are actually breaking into the bank accounts.
- Do they, like, return the money? Like, give them their money or something like that?
- What they're trying to do is they're trying to even prevent the bad hackers from getting in in the first place.
- So they put like a protection account or something.
- Yeah, exactly. They're looking for ways that they can create protection. It's kind of like the lock on your front door. That lock is to essentially prevent bad people from coming in or people accidentally coming in when they shouldn't. A hacker is essentially looking at a way, how can I get into this lock? But then there are the good ones who are trying to unlock it so that they can tell the company that made the lock, hey, we can actually protect people by making the lock a little harder.
- What would they do about the people and the broken lock?
- In many cases, they'll send them a new lock. So it's an upgraded, better version. Sometimes that's new features, but sometimes that's bug fixes and ways to protect you as well.
- But like, they may get arrested because they might get mistaken.
- That's a very good point. You should definitely make sure that you're obeying the law. They might work with the lock company and say, "I'm trying to improve your product." And they're trying to find these holes or problems, and then share that with the company. Even though the good hacker is doing exactly the same thing as the bad hacker, it's the same exact skillset, and you're using the same exact techniques and information to try to break that lock, but your goal as a good hacker is really to help everyone like you and me to make sure that our stuff is protected. So hopefully they don't get in trouble because they're the good guys.
- When did you start doing, like, the good hacking?
- I started doing the good hacking when I turned nine years old.
- Wow.
- I started going on the computer and playing video games, but I had some ideas of my own, and that's where I started to learn how to hack. I wanted to play with my friends on this video game and just change the way that things look.
- But that would be kinda bad, because maybe the creator did it for a reason.
- That's entirely possible. They may have done it for a reason, but you may have come up with a really good idea that, do you think there are other people who might like the idea that you came up with?
- Yeah.
- When you have creative ideas like that, hacking can actually allow you to change the way a system works, and that means you can change a game and how the game is played, and then you can share that with your friends and other people who like that game. Once I started learning how to do it, I found that things that were harder for me, I could make easier.
- Did your parents approve of it?
- I don't think my parents knew, but when my parents found out that I was doing it for good, I think they were happy.

- Do you do anything with computers or any coding?
- I like to play coding games, and I like to go on code.org, and they have a variety of games for different ages. So like, I really like to do that. For example, like the game Flappy Bird, it's like puzzle pieces, so they would tell you to connect something and then you would play the game and then you could see what you connected.
- [Samy] Interesting, so it's like a graphical interface where you can connect different pieces together. Kinda like wire them together.
- [Linda] Yeah.
- Oh, that's pretty cool. What do you know about computer hacking?
- I don't really know much about computer hacking actually.
- So on code.org, one of the things you've been doing is actually building a game or that they have a game and then you can actually rewire some of the inputs and outputs of that. Is that right?
- Yeah.
- Okay. With computer hacking, it's actually the same thing. Really, you have some sort of system and you have a bunch of inputs and you have some sort of output, and actually you, as the designer, you're essentially designing games and software. You're saying, well, I will only allow a user to really control these inputs. Can you think of any inputs the computer might have?
- [Linda] Space bar.
- Yep, there's also things like your mouse and there's even things like the microphone itself is actually an input device. It's taking something from you, which is the sound, and it's then transmitting that, and it's actually sending it to me. Are there any other things that you can talk to a computer? You can give it information.
- Camera.
- That's absolutely another input that exists on your computer. That's how I try to think of things is there's just a bunch of inputs. Often, if you're trying to break something or hack something, you're really saying, okay, how can I control these inputs in a way that wasn't necessarily expected?
- What inputs would you normally use to hack?
- Typically, it's going to be something like the keyboard, right? I'm just going to be typing keystrokes to be talking to some piece of software or hardware, but other times it can be other things like even the temperature of a computer can actually affect how the computer operates, and it might be advantageous to me to cool down the computer and actually slow down the movement of electrons in something like memory, so that if a computer shuts off, it stores something that was in memory, like a password, and stores it for a long enough time that I might be able to actually extract it through some other methods.
- How long does it take to get in?
- It just depends what you're trying to do. In some cases, it could literally be seconds because you already know how the system works, and other times, it could be years.

- So what have you learned about hacking?
- I think hacking is actually really interesting. There's different languages to hack in. I've also learned that a lot of things could be hacked that you don't necessarily think that can be hacked.
- Have you started studying cybersecurity?
- I started this year, I took my first course, so haven't gone too deep into it, but we got a basic idea of, like, basics of information and network security. We learned about how networks are set up, like the different types of topologies, like Star and Mesh, and also how networks are designed with different levels of security.
- Have you heard of the breach of Target where they were breached many years ago and their point of sale systems were hacked?
- Yes, I heard about that.
- So where people are swiping credit cards, those credit card numbers were stolen. They hired a company to come in and perform a penetration test to see, can the good guys essentially break in again to prevent this sort of thing in the future? And when this team came in, they found they actually were able to get pretty much to the same point of sale system, and the way they did that was by exploiting an internet-connected deli meat scale. Once the company was able to essentially get into the deli scale, because the deli scale was on the internal network, then they were able to really escalate privilege and find a vulnerability within another system. Essentially, that just got them into the network, and once you're in the network, it's often really easy to then escalate from there.
- I've heard about similar attacks in hospitals using hospital equipment, but I'm surprised that something as simple as a meat scale would have been used in such an attack. We discussed it in class as how hackers look at some of the weakest links in these large networks and use those to tap into networks.
- Yeah, that's another interesting concept. It's really just different layers that we have for protection, because often when you're talking about something like a corporate network, or even your home network, you typically have sort of one level of defense, right? If someone can break that or it can get in through some other system that is connected or exposes some other protocol, like Bluetooth, right? You can connect to a Bluetooth device without being on the wireless network, without being on the LAN. That potentially gives you another place that you can pivot on and then access other devices, because if something has both Bluetooth and also Wi-Fi, well, if you can get in through Bluetooth, then you can then access the Wi-Fi and get to other devices on the network. Are you familiar with buffer overflows?
- No, I am not familiar with that.
- If we were to write a program that asked for your name and you typed in your name, but before you could type in your name, in a low-level language, which is like C or C++, you'd have to allocate some memory. So you might allocate a buffer of a hundred bytes because whose name is going to be longer than a hundred bytes or a hundred characters? But what happens if you were to not really check that they limited to a hundred bytes? Do you know what happens if they essentially start typing over that hundred bytes?
- In that case, it would be an error for accessing invalid memory.
- Absolutely, you would essentially cause a segmentation fault.
- Yeah.
- But what's really cool about that is, when you're going into memory, you're starting to cross over that boundary of that hundred byte allocation, and now you're starting to write over additional memory. That other memory is really important stuff. So you have your name, the hundred bytes there, and then right next to your name is the return address, and that's the address that the code is gonna execute and it's going to return to after that function is done, and it's going to jump to that address, but after you type your hundred bytes, the next few bytes that you type, you're actually going to overwrite that return address. So that return address could essentially be another address in memory. So what you end up doing is you type a name and it's not really a name, it's really just code. And that code, you keep typing until you get to the return address, and you start typing an address, which is really the beginning of your name, and your computer or your processor is actually going to read that address and it will jump back to the beginning and then execute that payload. So that was sort of the very first thing that I think was super exciting to me when I started learning about really reverse engineering.
- So how does the buffer overloading relate to what you are doing in terms of network security or designing software for penetration testing?
- Ever since buffer overflow started many years ago, there've been a lot of protection mechanisms built to make it difficult to exploit. More and more, we're actually using smaller and smaller computers with smaller amounts of compute power. If you take a car, you have hundreds of microcontrollers that are all running there. So they don't really have a sophisticated operating system that can try to prevent attacks like buffer overflows. So how do we keep these low cost computers in here while adding layers of protection to prevent malice and these types of attacks? Sometimes it actually is, how can we write software or how can we build a system that prevents these types of attacks from entering? But oftentimes, it's really looking for how can we find new attacks that we haven't even necessarily thought of? What got you interested in computer science and information security?
- I got interested in cybersecurity because I'm really into global affairs, global politics, and you often hear in the news about the rising power of China, the rising power of Iran. I enjoy how interdisciplinary computer science is. Like, nowadays there's so much going on in the world of computers and that's what fascinated me.
- You brought up China and Iran, and something that's interesting about those areas is really censorship, right? They have essentially censored internet. In the US, we have a really interesting internal struggle here where we actually have government agencies like the State Department that are funding software to evade censorship, like Tor and other mechanisms. While then we also have an internal struggle where we have other organizations like the NSA who are specifically looking to break that exact same system that the US government is also funding.
- There are a lot of ethical questions about whether we should be intervening in other countries, but it's pretty interesting that two different agencies of the government are actually working on contrasting technology. I can actually understand that because if we are creating a technology that we are going to deploy somewhere else, we should know its limitations. We should know how to control it.
- It's good for us to understand how these systems can really break down. Although, I think one thing that I see is that some of, let's say, the organizations that are looking to break this are not necessarily going to share once they actually learn that information. They might actually sort of hold that in their back pocket and use it when it's advantageous to them.

- What kind of projects are you working on?
- This is the end of my first year. I'm a PhD student at NYU Tandon School of Engineering. I'm studying security systems and operating systems. So, security for operating systems. I've been mostly working on a project that limits executables' exposure to bugs in the kernel. It's run by professor Justin Cappos there. He found that the majority of bugs that occur in the Linux kernel happen when you're doing things that people don't do that often, the programs don't do that often. So designing a runtime environment that lets you limit what a certain program has access to, but also the things that it does have access to is also limited to those popular paths in the kernel. So it can't access areas that aren't under more scrutiny.
- So essentially it's a really, definitely a stripped down operating system, or I guess it's a virtual machine.
- Basically, we're creating a user space operating system.
- Have you done any work in side channel analysis?
- Like, a little bit. I read the Rowhammer paper. I found it really interesting, but it's nothing that I've actually worked with.
- So the side channel analysis is really looking not at a vulnerability within a system, but really unintended consequences of what the system is built on. A very simple example of a side channel is putting your ear to the ground to hear if there are horses coming towards you, and the same thing applies to technology. So you can have something like a CPU, it's executing instructions, certain instructions that use a little bit more power, and power is reserved in these capacitors, which are like tiny batteries next to your CPU. And as they're pulling power, there's something in physics called the electrostrictive effect where the capacitor will move in a very, very tiny amount. And then although we can't hear it, the microphone on a mobile device can actually listen to that. If you then listen to that and you say, oh, I see a pattern here, and you can go all the way down and then extract and reveal the full password, the full key, even though it could be argued that the algorithm itself, there's no problem with it.
- So all memory devices are just, it's just a bunch of gates and they're in rows. They basically all hold different pieces of memory. That's all the gates are. Either they're turned on or they're turned off. So what Rowhammer found was they tested a bunch of different memory devices and found that by doing a certain order of storing things, and then pulling that information back in a certain way in one place would actually flip gates in a different place. So you could actually do a bunch of things to a piece of memory that had nothing to do with something that may be critical in a different place and actually change its contents, and that obviously exposes all sorts of security issues, because that's very hard to predict.
- Yeah, I suppose the physical adjacency of the underlying transistors and capacitors that are holding that storage. That's crazy. I think the first time I heard of an interesting attack like that was learning about the cold boot attack. Being able to, you know, someone enters their password on their computer and that decrypts their hard drive and then they walk away. Being able to extract that password is really difficult. If I can pull that memory chip out and extract that memory, put it in my own device, except the problem is memory is volatile, so it'll erase as soon as I pull it out. You can take something like canned air, turn it upside down, cool that computer, make it real nice and cool. Then you have a minute or two to pull out the memory, put into your own device, extract the memory, and then you're good. It's such a simple method to really extract something kind of critical. Like Rowhammer, it's such a low level of vulnerability and you could argue that it's not necessarily a vulnerability in the architecture itself, but rather exploitation of physics at that point.
- I've spent a decent amount of time with this stuff, and in my mind, a lot of that is a nightmare. Over the last year while I was doing some other stuff, I actually designed some microcontroller boards for a company that was doing stuff with, like, a smart watering project. The problems with updating is just, like, that scares me the most. Like, people don't update their own stuff, let alone these, like, devices.
- I keep forgetting to update my fridge.
- I find myself trying to shy away from owning like smart things.
- That's pretty challenging if you want to use wireless, right? If you wanna use a wireless router.
- Yeah, I mean, there's obviously essentials, but yeah, no matter what, you can't really avoid any of this.
- The risk right now, just during this quarantine, is actually massive now that we think about it, because you might have these legacy systems. You know, they were built 20, 30 years ago, and it's too costly to upgrade, but now you can't actually have a lot of people in a single location, so potentially, they actually do have to now add some sort of remote capabilities to these systems that were never meant to be on the internet. Have you ever had any ethical concerns with the stuff you're interested in or the work you do?
- Oh yeah, for sure. When people find vulnerabilities, I think it's their duty to release those to the public.
- Especially now that we're seeing more and more companies who are trying to make it illegal for you to inspect the vehicle that you've purchased, right? Something that you actually own.
- Yeah, I think that's nuts. I'm firmly against that for sure.
- What if it were illegal? Would you then do it? Fortunately it's not today, right? It hasn't been, you know, despite their attempts, none of that has been passed, but if you had a vehicle and you wanted to inspect it, but all of a sudden, it passed, I mean.
- I don't know, probably, yeah. [laughing] I don't think that's hurting anyone.
- But the laws don't always equate to hurting anyone. I ethically think similar to you in that, you know, what is moral to me is as long as I'm not intentionally hurting others, right? I think we see every day that ethics and the laws aren't necessarily the same thing all the time.

- Hey Colin, we already know each other, but why don't you introduce yourself for the people watching?
- Hi, I'm Colin O'Flynn. I live in Halifax, Nova Scotia, Canada. I do hardware hacking both in academia at Dalhousie University, and in industry at my startup, NewAE Technology.
- What have you been up to? And yeah, what are you working on?
- Lately I've been doing, you know, always a little bit of side channel analysis. So what I really do, you know, is all hardware layer. So I've been looking, you know, at some various devices lately, at how susceptible they are to fault attacks, what that sort of means in real life. You know, not just purely the research side, but also how much should you care about it.
- Maybe a mutual acquaintance of ours, Jasper, gave an example of fault injection, and I like to use that as, when I'm trying to explain fault injection, he shows a pinball machine and the pinball machine, obviously the two inputs are the two plungers when you're playing a pinball machine, but fault injection, you can tilt the entire pinball machine, right? You're just introducing some external variable that's outside of the traditional inputs that you're used to and you've now controlled the environment in an advantageous way to the user or the player. Can you give an example of some type of fault injection that you're doing or working on?
- One of them was looking at, like, a little hardware Bitcoin wallet, and you could use fault injection to actually recover secrets from it, and a lot of devices. I mean, the whole idea is pretty cool, right? Because you tell the device, "Hey, I want to authenticate," and it's supposed to run some really crazy math that authenticates it, but instead of doing that crazy math and attacking the math, you just attack the check at the end.
- We're also scratching the surface of, like, what is possible? It's not necessarily just the system itself and not necessarily that algorithm itself. Like you said, you don't necessarily need to attack the math in some cases. You can just attack that check. And I think something that's been pretty cool is looking at higher energy particles. It's going to be maybe hard to entirely confirm, but I think it'd be really, really cool to actually see. Like, I want to see one of these faults because I haven't seen it myself. And also, how do you know that you've seen it? I've started playing with, like, setting up a cloud chamber. A cloud chamber lets you actually view high energy particles going through sort of like in a small jar with some evaporated alcohol. And I thought it'd be really cool if we put some memory chip in there, like a basic memory chip and we just fill it with some data, but then you put a camera on that area and you just watch. Assuming that there is a high energy particle that actually hits that memory, that should potentially flip the energy state of that bit. The outside microcontrollers should be able to read that and actually say, "Oh wait, the data, even though I'm not changing data, I'm only reading data," and we should be able to visibly or optically see it. What I'm wondering is could that be a next area of research? Because I don't think anyone's actually looking at intentionally injecting high energy particles to take over a computer, when really, you know, that's another technique for fault injection, technically speaking.
- This was actually tied into something recently I was looking at, which was, you know, flipping flash and EPROM memory.
- You mean flipping bits within flash?
- Yeah, exactly, right. So flipping it in this sort of flash memory. And so someone's done it with x-rays. There's actually, I forget who now. There's a paper, at least one, and it's just like a little plate they make with like a hole in it to concentrate the x-ray source and it works, so yeah, it's super interesting. Like, one bit in memory means a lot, especially in the flash memory side. Yeah, visualizing it would be cool though.
- I've never seen... Maybe call it a verifiable visualization of it, right? We know it's true, you know, you can get skin cancer by going outside and having too many high energy particles hit you, but we've never seen it. And we know it can happen to a computer chip, but I've never seen both.
- Yeah, so actually, so it's funny you mentioned, like, making it more obvious. I mean, staying on fault injection right now, this is lately what I've been up to. A lot of making a little kind of, you know, like electronics kits of old, right? And you can assemble it all yourself and see how it works. So making something like that for fault injection. So all kind of older logic and stuff like that. So, I mean, it's sort of based on, like, you're presented the little MUX chip. You know, voltage switcher. That sort of idea, using just discrete logic to generate the actual glitch itself. So, but you know, it's part of, I think, this stuff, right? It's like people don't know about it sometimes. Like, even engineers designing systems. It's new to a lot of people.
- The thing is, even if you know about that, then there's so many others that someone won't necessarily know about, because there's so many, I guess, potential areas for a fault to occur. Where do you think security is going or new research is going? Are there any new areas you think are coming out or are going to be more interesting, you know, pretty soon?
- Fault injection has become pretty interesting. Like, there's been a lot of people poking at that, and I think a lot more products of interest. Side channel still might have a bit of a comeback. Basically, what I kind of see is a lot of the really cool stuff has been in academia because product security hasn't kept up, right? For the longest time, doing these attacks on hardware was pretty straightforward. You didn't need these crazy attacks. It looks like a lot of devices are coming out now that actually have real claims to security, right? More than just a data sheet mentioned. There's actually something behind it.
- For me, I think the things that have been recent and super interesting are typically down to physics-level effects that maybe we haven't seen before. I think my mind was blown with the, there was the Light Commands research, and they were able to modulate sound, although it's purely over light using a laser, they would hit the MEMS microphone, and it was picking that up and was able to then interpret it and essentially take control over light.
- I'm curious of the backstory to how they found that. Because if you told me that, right? So you said like, "Hey, Colin, you should test this out." I probably would be like, "It probably won't even work." Which is like a lot of side channels. When I first heard about it, you know, working, doing firmware stuff, it was like, "Oh, that sounds like it's not gonna work. Like, that sounds impossible." You know, the whole area of hardware hacking, it feels kinda like cheating because, you know, as you said, someone designing the system needs to know about so many different ways, right? So there's so many ways to break the system, and if you're designing them, you need to know all of them, but when you're attacking it, you really need to know one, right? So I can know nothing about, like, how does ECC actually work? You know, I have some vague hand-waving I can tell you about, but if you gave me a pen and told me, like, "Okay, write it down, specifically the equations and what they mean and how the point model works and stuff." Right, no idea, but designers are like the other side. It's almost like, I don't wanna say the lazy side of it.
- It's the easier side. I would say my side is the easier side, right? I'm on the offensive side. I want to break into things. Someone on the defense side, they might have, you know, a system was developed and they now need to patch a hundred holes. They patch 99 of them. I only need to find that one.
- Yeah. There's no downsides is what you're saying.
- Yeah, only when you get caught. I hope you learned something about hacking. Maybe next time a system behaves in a way that you weren't expecting, you might just be curious enough to try to understand why. Thanks for watching.

[bright music]
