NPR

Hackers Convene To Find Mobile Security Flaws

Computer experts say mobile phones are prime targets for hacking because of the ways they connect to networks. (NPR)

This week thousands of hackers — computer security researchers, government recruiters, spooks and cyberpunks — descended on Las Vegas for the annual summer hacker convention.

Hosted by organizations called Black Hat and Defcon, these events are known for their elaborate, though often crude, computer pranks. The convention's actual purpose, however, is pretty serious.

Stephen Ridley, an independent security consultant, says almost every aspect of our lives today is touched by computers and machines that speak in ones and zeroes, and most of us don't understand how they work.

"I am of the mind that people who do have this knowledge are actively exploiting these things now," he says.

Ridley says the hackers in Las Vegas who are taking this stuff apart and poking holes in products we depend on are kind of like the investigative reporters of the digital age. He says their goal is to expose problems before criminals can find them and take advantage.

"The more that this is out in the open, the more you can have skilled people chose what side of the fence they want to be on," he says. "I believe in kind of the goodness of human nature."

If you don't know where the problems are, no one can fix them. This year's conference includes talks on how to hack the air traffic control system and how to break open your mobile phone.

"When I'm sleeping [my mobile phone] is on my nightstand; when I am traveling around it's in my pocket," says Nicholas Percoco, an ethical hacker and security researcher. "So the ability to do things to a mobile phone becomes even more enticing to a criminal."

In a couple of ways, mobile phones are inherently vulnerable. They connect with other networks in all kinds of ways and some have payment systems that use near-field communication, or NFC, chips. These chips let you wave you phone near an NFC reader, your phone connects and you can pay.

Charlie Miller, a researcher at Accuvant, realized he could use those chips to break a phone wide open. For this hack to work, Miller just has to be standing next to you.

"So now I can do things like read all the files," Miller says.

That is one of just half a dozen mobile hacks unveiled at the convention this week. Percoco figured out how to slip past Google's bouncer, the system that polices Android's app store. Ridley and his partner figured out how to attack the computer chips that run pretty much every mobile phone.

"By clicking on a link we took over their phone, basically," Ridley says.

Ridley's been giving a how-to course on this attack all over the country and his customers include some of the biggest cellphone makers in the world. After Percoco figured out how to beat up on Google's bouncer, his first call was to Google.

"Google is a great organization to work with, they want to learn," he says. Google says it's already made a fix.

Still, the relationship between hackers and big companies has not always been so cozy. Miller got so tired of firms fixing the problems he pointed out without so much as a thank you note, last year he publicly went on strike and vowed not to reveal his attacks until firms agreed to pay.

Now, companies sponsor contests where they pay hackers up to $100,000 to break into their products. Miller, who has two kids and college funds to think about, is already hard at work.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

GUY RAZ, HOST:

This week, thousands of computer hackers descended on Las Vegas for the annual summer hackers convention. The hot topic this year: hacking attacks on smartphones. NPR's Steve Henn is there, where he witnessed seasoned hackers display their destructive prowess at two of the main conferences: the Black Hat and Defcon.

STEVE HENN, BYLINE: These events, especially Defcon, are known for their pranks. Nicholas Percoco says that one year, all the ATMs in one of the casinos were hacked. No money was stolen but...

NICHOLAS PERCOCO: Instead of the screen saver for the bank, they put pornography on the screen.

HENN: The banks and the casino were understandably flummoxed.

PERCOCO: And they put a piece of paper over it that said: ATM maintenance in progress. That's what it said. It was like a piece of paper over there. You could still see the image flashing behind the paper. They didn't even turn it off.

HENN: Every year here someone tries to show off. Some of the pranks can be crude. But actually, the purpose of these events is pretty serious. Stephen Ridley is an independent security consultant. Ridley says in the digital age, almost every aspect of our lives is touched by computers and machines that speak in ones and zeros. And frankly, most of us don't understand how they work.

STEPHEN RIDLEY: I am of the mind that people who do have this knowledge are actively exploiting these things now.

HENN: He believes that most of the hackers here, who take the stuff apart and poke holes in all these products that we depend on, are kind of like the investigative reporters of the digital age. Ridley says their goal is to expose problems before bad actors can find them and take advantage.

RIDLEY: The more that it's out in the open, the more that you can have skilled people choose what side of the fence they want to be on. And I believe in kind of the goodness of human nature.

HENN: If you don't know where the problems are, no one can fix them. This year, there are talks on how to hack into the new air traffic control system and lots of talks about how to break open your mobile phone. Nicholas Percoco gave one.

PERCOCO: I have my iPhone here, and it sits on the nightstand every single night when I'm sleeping. When I'm traveling around, it's in my pocket. And so the ability to do things to people's mobile devices becomes even more enticing to a criminal.

HENN: In some ways, mobile phones are inherently vulnerable. They connect with other networks in all kinds of ways, and some have payment systems that use near field communication or NFC chips. These chips let you wave your phone near a reader. Your phone connects, and you can pay.

But Charlie Miller, a researcher at Accuvant, realized he could use these chips to break your phone wide open. And for this hack to work, Charlie just has to be standing next to you.

CHARLIE MILLER: So now I can do things like, you know, read all the files.

HENN: And that's just one of the half-dozen mobile hacks unveiled here this week. Nicholas Percoco figured out how to slip past Google's bouncer. That's the system that polices Android's app store. Stephen Ridley and his partner figured out how to attack computer chips that run on pretty much every mobile phone.

RIDLEY: By clicking on a link, we took over their phone, basically. They have to click the link.

HENN: Ridley's been giving a how-to course on this attack all over the country. His customers include some of the biggest cell phone makers in the world. And after Nicholas Percoco figured out how to beat up on Google's bouncer, his first call was to Google.

PERCOCO: Google's a great organization to work with. They want to learn.

HENN: Google says it's already made a fix. Still, the relationship between hackers and big companies has not always been so cozy. Charlie Miller got so tired of firms fixing the problems he pointed out without so much as a thank you note, last year he publicly went on strike, vowing not to reveal his attacks until firms agreed to pay. Now, many companies sponsor contests, where they pay hackers up to $100,000 to break their products. And Miller, who has a couple of kids and college funds to think about, is already hard at work. Steve Henn, NPR News, Las Vegas. Transcript provided by NPR, Copyright NPR.

Most Popular