Hackers Convene To Find Mobile Security Flaws
This week thousands of hackers — computer security researchers, government recruiters, spooks and cyberpunks — descended on Las Vegas for the annual summer hacker convention.
Hosted by organizations called Black Hat and Defcon, these events are known for their elaborate, though often crude, computer pranks. The convention's actual purpose, however, is pretty serious.
Stephen Ridley, an independent security consultant, says almost every aspect of our lives today is touched by computers and machines that speak in ones and zeroes, and most of us don't understand how they work.
"I am of the mind that people who do have this knowledge are actively exploiting these things now," he says.
Ridley says the hackers in Las Vegas who are taking this stuff apart and poking holes in products we depend on are kind of like the investigative reporters of the digital age. He says their goal is to expose problems before criminals can find them and take advantage.
"The more that this is out in the open, the more you can have skilled people chose what side of the fence they want to be on," he says. "I believe in kind of the goodness of human nature."
If you don't know where the problems are, no one can fix them. This year's conference includes talks on how to hack the air traffic control system and how to break open your mobile phone.
"When I'm sleeping [my mobile phone] is on my nightstand; when I am traveling around it's in my pocket," says Nicholas Percoco, an ethical hacker and security researcher. "So the ability to do things to a mobile phone becomes even more enticing to a criminal."
In a couple of ways, mobile phones are inherently vulnerable. They connect with other networks in all kinds of ways and some have payment systems that use near-field communication, or NFC, chips. These chips let you wave you phone near an NFC reader, your phone connects and you can pay.
Charlie Miller, a researcher at Accuvant, realized he could use those chips to break a phone wide open. For this hack to work, Miller just has to be standing next to you.
"So now I can do things like read all the files," Miller says.
That is one of just half a dozen mobile hacks unveiled at the convention this week. Percoco figured out how to slip past Google's bouncer, the system that polices Android's app store. Ridley and his partner figured out how to attack the computer chips that run pretty much every mobile phone.
"By clicking on a link we took over their phone, basically," Ridley says.
Ridley's been giving a how-to course on this attack all over the country and his customers include some of the biggest cellphone makers in the world. After Percoco figured out how to beat up on Google's bouncer, his first call was to Google.
"Google is a great organization to work with, they want to learn," he says. Google says it's already made a fix.
Still, the relationship between hackers and big companies has not always been so cozy. Miller got so tired of firms fixing the problems he pointed out without so much as a thank you note, last year he publicly went on strike and vowed not to reveal his attacks until firms agreed to pay.
Now, companies sponsor contests where they pay hackers up to $100,000 to break into their products. Miller, who has two kids and college funds to think about, is already hard at work.
Copyright 2020 NPR. To see more, visit https://www.npr.org.