This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point : All Tech Considered Everything from cars to thermostats is being connected to the Internet, raising security concerns. Samy Kamkar, who once hacked MySpace, hopes exposing vulnerabilities will make these things safer.
NPR logo

This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point

  • Download
  • <iframe src="https://www.npr.org/player/embed/583682220/588198809" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point

This 'Gray Hat' Hacker Breaks Into Your Car — To Prove A Point

  • Download
  • <iframe src="https://www.npr.org/player/embed/583682220/588198809" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

RACHEL MARTIN, HOST:

The Internet is in the midst of a revolution. We won't just be using it to search for stuff, watch videos or send email. It's going to control cars, washers, dryers, even toasters. And that's what it means when you hear that phrase - the Internet of things. As part of her series Artists and Criminals, NPR's Laura Sydell looks at what happens when hackers take control of all these connected devices.

LAURA SYDELL, BYLINE: These days, stealing a car is easy if you have the right gadget. I'm standing in NPR's parking lot in Culver City, Calif. My accomplice, Samy Kamkar, stands about 20 feet away. We each hold a small circuit board with dangling wires. Kamkar unlocks a keyless entry Chevy Bolt.

All right. So we're in. We're going to steal this car.

And I press the start button.

And the car is driving.

For the record, the car belonged to a colleague. And she wasn't very happy to see how easy it was to hack into her car. Kamkar says his gadget can pick up on signals being sent out by the owner's key fob and imitate it. It's easy to use this technology in a crowded parking lot.

SAMY KAMKAR: There are a lot of cars coming in and out. So it's essentially dealer's choice at that point.

SYDELL: Samy Kamkar is one of the most famous hackers in America. He's made a career out of working his way into network devices. It takes a lot of skill. And you have to think a bit like a criminal. That's where Kamkar has an advantage. He's a convicted felon. Kamkar became notorious at 19 years old. It was 2005. And Kamkar signed up for the biggest social network of the time, MySpace. He didn't have many friends on the site, but he found a hacker workaround.

KAMKAR: So now, when someone would visit my profile, I wrote some code so that you'd add me as a friend. And additionally, you would add Samy's my hero to the bottom of your profile. I thought that would be funny.

SYDELL: It worked really, really well. Kamkar had created the fastest-spreading computer worm of its time. MySpace crashed. He was arrested and charged with cyber hacking. The judge found a punishment to fit the crime. He was banned from the Internet for life.

(SOUNDBITE OF MUSIC)

SYDELL: As it turns out, Kamkar now thinks time off the computer was exactly what he needed.

KAMKAR: I think it was really good for me because I now - I was forced to partake in other parts of life - things that I'd never done before - right? - like go outside and look at the sun and get a little color, read books, hang out with people, like, in real life - or IRL, as we say online, right?

SYDELL: After three years, they lifted his sentence for good behavior. And Kamkar had changed. He still loved hacking, of course.

KAMKAR: But I do it with a hat now where I think, would I want this done to me?

SYDELL: He's what they call a gray-hat hacker - not all good, not all bad. He works on the edges of the law, breaking into cars, connected doorbells, phones to try and find vulnerabilities. But when he succeeds, he lets the world know, so it can be fixed. And this is a valuable service. Law enforcement is finding that even ordinary household appliances can be turned into weapons.

RICHARD DOWNING: I was, just over the holidays, installing a new smart thermostat in my house and thinking about this very problem because, of course, it's connected to the Internet.

SYDELL: This is Richard Downing, who heads the Justice Department's Computer Crime and Intellectual Property Section. And yes, even a thermostat could potentially be hacked. Last year, the Justice Department prosecuted a college student in New Jersey and two of his friends for hacking into hundreds of thousands of Internet devices - DVRs, routers, even baby monitors. Downing says they turned all these little devices into a supercomputer called a botnet.

DOWNING: They were able to sell access to the botnet to others who wanted to cause denial-of-service attacks. They were able to knock offline some of their own competitors. They had a business, and they were able to harm their competitors' businesses as a result of these denial-of-service attacks.

SYDELL: The botnet they created shut down Twitter, Netflix and the network at Rutgers University, where one of them went to school. One of the problems is that security is weak. Manufacturers give thousands of devices the same password.

DOWNING: Unfortunately, these Internet-of-things devices sometimes don't have as robust security as our phones or our computers do.

SYDELL: Manufacturers are rushing to be the first out with an Internet-connected toaster or doorbell. And security isn't the top priority. And that's where a gray-hat hacker like Samy Kamkar comes in. He can embarrass a company into providing more security. For instance, shortly after Amazon announced it was interested in using drones to deliver packages, Kamkar announced he'd found a way to take them over.

(SOUNDBITE OF VIDEO)

KAMKAR: Hi. I'm Samy. And I am going to do a quick demo here of my zombie drone software.

SYDELL: This is from a video on Kamkar's YouTube channel. He's using an iPad to hack into a nearby drone.

(SOUNDBITE OF VIDEO)

KAMKAR: Now it's attempting to connect to the drone that it hacked. And then it's going to turn it on and take it over.

SYDELL: It's not hard to imagine the nightmare scenarios. What if a terrorist manages to take control of an army of drones. Or what about cars? In the not-too-distant future, autonomous vehicles will be clogging the freeways of Los Angeles. And they'll be hackable. A few years ago, a couple of gray-hat hackers, Charlie Miller and a colleague, proved it could be done with an Internet-connected Jeep Cherokee.

(SOUNDBITE OF VIDEO)

UNIDENTIFIED MAN: We're in a parking lot. And I'm going to remotely hack into the car and turn the steering wheel.

SYDELL: The car drove into a fence.

Fiat Chrysler did fix that. But Kamkar says there will always be other bugs.

KAMKAR: I'm worried that someone really young will do something really stupid because they don't understand what they're doing, ultimately. So I'm worried about someone who hasn't had a lot of life experience but has a lot of power. And that's simply because we're making things more accessible.

SYDELL: In other words, someone just like the 19-year-old Samy Kamkar, who created the world's fastest-spreading worm. Only this time, the potential for inflicting damage is so much greater. Companies could make their devices more secure, but it might make them harder to use.

KAMKAR: I only see change when you have customers demanding that change. It's only when everyone, you know, yells at a company and says, this needs to change, this needs to occur - that's when change occurs.

SYDELL: Kamkar will keep raising the alarm. But ultimately, it's up to us to decide whether to buy the most convenient, new gadget or the most secure. We may not be able to have both. Laura Sydell, NPR News.

(SOUNDBITE OF RAMTIN ARABLOUEI'S "MUSIC FOR HACKING THE INTERNET OF THINGS")

Copyright © 2018 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.