When Hackers Test For Flaws, They Might Earn Cash — Or Threats

All Tech Considered

Security researchers use their hacking skills to look for security holes that companies should fix. But their good intentions aren't always appreciated by the organizations they investigate.

DAVID GREENE, HOST:

To hack or not to hack - that is the question in Las Vegas this week at two conferences. One's called Black Hat, the other, Defcon. Many of the attendees are people who poke at websites, smart phones and other wireless devices looking for security gaps that companies should fix. But even when they're hacking with good intentions, they can get into big trouble. NPR's Aarti Shahani reports.

AARTI SHAHANI, BYLINE: Security researcher Logan Lamb was supposed to be on stage giving a presentation. Instead, he's standing in a corner literally trembling as he talks to me.

LOGAN LAMB: Well, I was going to be presenting - right? - and because of these pressures put on me, I can't now.

SHAHANI: Lamb won't spell out the pressures, but it's a well-known fact in these hallways that companies threaten people who find weaknesses in their software. Lamb, who's based in Knoxville, Tennessee, tested three well-known home alarm systems to see if they're easy to hack. He says he did this in his own apartment and at two friends' houses.

LAMB: I just, you know, push the cats off the kitchen table, throw all my gear on the table and walk around trying to set things off and suppress them.

SHAHANI: Lamb found that inside a home, he could break the communication between the sensors that monitor movements and the keypad that tells the corporate network when an intruder has broken in. He could also fake an intruder to set off a false alarm. He says it was fairly easy because the makers of these wireless devices left them unencrypted.

LAMB: So some guy with the right hardware can sit out in front of someone's home and listen in. That's pretty disconcerting, I think.

SHAHANI: And which home security systems - by who?

LAMB: I can't go into that.

SHAHANI: The companies Honeywell, ADT Corp and Vivint were all named in the online summary of his research. None responded immediately to NPR's inquiry. Security researcher Jesus Molina did give his talk. And it went something like this...

JESUS MOLINA: At the hotel, which is a five-star luxury hotel, I was able to control every device in every room.

SHAHANI: Molina, based in San Francisco, says he checked into a Starwood-owned hotel as a guest. The rooms were high tech, with an iPad that acted as a remote control for the appliances.

MOLINA: The TVs, the lights, the blinds...

SHAHANI: And Molina noticed the iPad in his room was on the open guest network. So from his computer, he could see and record transmissions, figure out the protocol and spoof the iPad. He suspected this was a systemic flaw across all rooms. And to really nail it, he kept telling the front desk he needed a new room.

MOLINA: I went to three or four rooms. I changed rooms continuously, which ended me in a suite. And then I had to say I don't want this suite. I want another room.

SHAHANI: He cracked the pattern and created a dictionary of every device. Now under U.S. law, security researchers are obliged to tell companies about the holes they find. And Molina did that after he was safely back in the U.S. You see, there is one more key detail. Molina's luxury hotel is in China.

MOLINA: It would be very sad for me to end up in a Chinese jail just because I was trying to prove a point, right?

KURT OPSAHL: I mean, I don't know about Chinese wiretap laws, but if you wanted to try and replicate that research here, it probably would be a good idea to speak to a lawyer first.

SHAHANI: Kurt Opsahl is a lawyer with the nonprofit Electronic Frontier Foundation. He's not giving legal advice about this case or the many others he hears in Las Vegas. But he does share this rule of thumb.

OPSAHL: One of the things that people need to be cautious of is accessing things without authorization, accessing packets without the consent of the parties involved.

SHAHANI: Parties involved could include the company that makes the faulty product. A handful of groups are cropping up now, trying to convince companies that hackers who find and report bugs can be great for business, and should get paid a bug bounty for all their hard work. Aarti Shahani, NPR News, Las Vegas.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.