At A Pair Of Hackers' Conventions, The Focus Is On Phones
ARUN RATH, HOST:
Thousands of hackers have been in Las Vegas all this week. They're at two conferences called Black Hat and DEFCON. And they've spent a lot of time this week talking about consumer devices, how hackers can attack various stuff that you and I buy, from smartphones to cars. To recap, we're joined by NPR technology reporter Aarti Shahani. Hi, Aarti.
AARTI SHAHANI, BYLINE: Hi.
RATH: So one of the biggest pieces of news this week came from Google.
SHAHANI: Yeah, that's right. The head of Android security, Adrian Ludwig, announced that Google will start doing security updates for its Nexus phones on a monthly basis, so not just patches to give nice new app features. He made this announcement because in the last couple weeks, Google's come under some very heavy fire for a big flaw that independent researchers found in the heart of the Android operating system. The flaw would let a hacker take over a phone just by sending a text message.
RATH: Wow, that doesn't sound good.
SHAHANI: No, very serious, that's right. And a lot of Android users reached out to Google about it. Speaking on stage at Black Hat, Ludwig ended up speaking on behalf of a bunch of other companies that make Android phones, like Samsung and LG and HTC. And he promised that this month, they're all going to roll out a fix for that specific bug. And with a bit of dramatic flair, he called the joint effort the single largest software update the world has ever seen.
RATH: So let's turn to cars. I know you spend some time on this. Last month, hackers showed they could remotely take over a Jeep while it was driving on the highway. And Fiat Chrysler also had to recall 1.4 million cars.
SHAHANI: Yeah, I actually got to witness a very awkward moment with the two Jeep hackers. I was about to interview them here outside of a talk when some Fiat Chrysler executives walked by. So everyone stopped and shook hands, but there was not a whole lot of love in the air. And that hack brings to light a big problem for the auto industry. Our cars are increasingly computers on wheels, but most carmakers don't have any system in place to regularly do over-the-air software updates.
RATH: So sort of like the way that your iPhone does automatically.
SHAHANI: Yeah, exactly. One exception, though, Tesla, the electric car company, does do that. There's another set of hackers who are at DEFCON and showed that they could take control of a Tesla Model S, and the company used its update system to roll out a software patch to all Tesla owners.
RATH: Now, I understand these conferences are also huge marketing events for cybersecurity companies who all say they've solved X, Y or Z huge security problem. Do you see any cool solutions this year?
SHAHANI: Yeah, you know, one thing I really liked is I came across a company called Saaspass, and they believe that they've solved the problem of passwords, that, as you know, passwords are constantly being stolen and being weak and hard to use. And they've basically turned the smartphone into a verification tool. So if you want to go log into Facebook or your mail or some other password-protected site on your laptop, you can use your phone to scan one of those little black and white square QR codes instead of typing in a bunch of letters and numbers. So the demo is super simple, and I wouldn't be surprised if it takes off.
RATH: Any other predictions for this next year based on what you're seeing and hearing there?
SHAHANI: Actually, you know, yeah, I was talking to this one guy who pointed out that parents don't really have modern up-to-date tools to track and protect their kids online, right? Make sure that they're safe from cyber bullies and not watching porn and stuff like that. And, you know, a lot of parents think about this stuff. I wouldn't be surprised if in the next year we see security tools that are marketed to parents, much like we've already seen a ton of products for employers to track their employees.
RATH: That's NPR's Aarti Shahani in Las Vegas. Aarti, thank you.
SHAHANI: Thank you.