10 years after his epic MySpace hack, Samy Kamkar is trying to turn hackers into heroes
Samy Kamkar is in a dark room in Bally’s Casino in Las Vegas; the room is lit by blue lights and the glow of laptop screens. A DJ is spinning lyric-less music while hackers sit at round tables intermittently coding and chatting. This is the designated “chill-out room” at DEFCON, the annual hacking convention, but Kamkar is not feeling chill at the moment. He’s preparing to give a presentation to thousands of fellow hackers on how to “wirelessly steal cars,” and he’s still putting the finishing touches on his PowerPoint.
“I submitted the idea for this talk months ago, but I only did the work for it in the last two weeks,” he explains. Kamkar, 29, knew the conference organizers would choose a talk about hacking cars, and he was so sure he’d find a security flaw that he proposed the talk before he actually found one. And he was right; in the month before the conference, he built a device that can wirelessly unlock people’s cars.
“This security flaw has been known about for 20 years. That’s why we have those RSA tokens with codes that only last for seconds,” he says. “But you need a good demo for the car industry to take it seriously.”
Kamkar may seem overly confident in his hacking abilities. But he’s got a history to back up his bravado. In 2005, when he was 19, he found a flaw in MySpace’s code that let him force any visitor to his profile to automatically become his friend and insert a line of text on their profiles that read: “samy is my hero.” He was also able to inject the code into other users’ MySpace profiles to replicate the virus. Within 20 hours, his friend count jumped from 73 to over a million, and the entire internet was freaking out about the “Samy worm.” MySpace eventually had to go offline to fix the vulnerability.
“I had never written a virus before,” Kamkar says now. “I had no idea how fast it would spread.”
As a result of the Samy worm, Kamkar’s MySpace account was deleted. Six months later, after putting him under online and physical surveillance, the Secret Service raided his home and office. He was charged with computer tampering, and reached a plea deal with prosecutors, agreeing to not touch a computer for three years.
“It was hard for the first week, but I managed. The hardest thing was not having access to Google Maps,” Kamkar says. “It was actually good for me. I read books. It made me more sociable. I was shy and more anti-social before.”
Kamkar continued working in technology even while banned from working with computers, as head of engineering at the start-up he had co-founded at 17, a VoIP for business service called Fonality. He couldn’t touch a keyboard, but he could manage engineers who could. Soon after the ban was lifted, though, in 2010, he left the company, burnt out from the start-up life.
He says his felony criminal conviction hasn’t hurt him in the working world, though he did have to talk Big Brother/Big Sister into ignoring its ban on felony convicts to let him mentor a youngster in L.A. who was interested in computers. He decided to stay independent, focusing on security research and engineering consulting. And he started a YouTube channel where he posts a popular series of geeky videos, showing viewers how to hack combination locks, drones, and cars.
“His videos are so personal, they’re like DIY make-up tutorials,” says Andrew Crocker, a lawyer at Electronic Frontier Foundation who works with hackers, including Kamkar, to help them disclose vulnerabilities to companies without getting in trouble. “He embodies the hacker’s glee without being devious or malicious.”
Kamkar’s videos, along with his MySpace-hacking past, have given him elite status within the hacker community. When Kamkar visited the “DEFCON kids” area to give a talk about 3D-printing a tool that breaks master combination locks, a 12-year-old came up to Kamkar to ask for his autograph, saying he watches all of Kamkar’s videos.
“He’s a crypto rock star,” remarked one of the DEFCON organizers. “I’ve never seen that before.”
Years beyond his shy phase, Kamkar is no longer the stereotypical maladjusted hacker, like the ultra-awkward Elliot Alderson seen on USA’s Mr. Robot. He’s gregarious, extroverted, and hoodie-free. At DEFCON, he wore dark jeans, red leather Converse sneakers and a faded ‘Blood, Sweat & Gears’ t-shirt. Around his neck, he wears a chain with a tiny circuit board.
“It’s a USB drive-by,” he explains. When he plugs it into a USB port, the computer thinks it’s a keyboard, which computers always accept without authentication. “It types commands in a few seconds, and then I have a back door into their MacBook indefinitely,” says Kamkar.
Companies used to ignore hackers who discovered security problems in their products, or threaten them with legal action and hope they’d go away. But after the high-profile hacks of Target, Home Depot, Sony Pictures, and other large companies, security has become a mainstream concern. And white-hat hackers like Kamkar, who understand security exploits and can help companies patch them before it’s too late, have become the stars of a multi-billion-dollar industry.
The “cypher punks” who used to work in IT by day and play around with security projects on the side are now being recruited heavily by big technology companies and cybersecurity companies. The flaws they point out get written up by journalists, fixed by companies, and addressed by lawmakers who are worried about the economic impact of insecure products. The skills of the hackster-trickster are now understood to be incredibly valuable.
“More and more companies have a public security contact and bug bounty programs,” says Kamkar. “They encourage security research as long as it doesn’t harm them or their users, and they might even pay you for finding issues.”
(Not every company takes such an open approach to hackers. Oracle’s security chief recently complained in a now-deleted post about people looking at the company’s code for flaws, while companies like GM and John Deere are trying to use copyright law to prevent hackers from touching their proprietary software.)
Kamkar is a hacker’s hacker — a skilled coder who can impress the tech-savvy with the techniques involved in his latest hack, but also break down the stakes with flair and drama for the general public.
“Samy seems to have an uncanny capability of breaking anything he touches,” says Mikko Hypponen, a well-known cybersecurity expert. “His research is important because he doesn’t just focus on hacking computers but everything else.”
Sometimes, his hacks shed light on serious vulnerabilities. (He made headlines in 2010 for the “evercookie,” a zombie tracker he created that could recreate itself on someone’s hard drive even after they’d cleared their cookies.) Other times, they’re just for fun. Over dinner one night, he recalled that, as a single guy in his twenties, he took advantage of a cross-site scripting vulnerability on a popular dating site to A/B test his messages to women. He sent two versions of his message to thousands of female users to see which did better. The vulnerability, which he never told the dating site about, let him see whether they’d opened his messages or not.
“I got many more dates,” he said of the exploit. “But the hacking was more fun than the dates.”
Kamkar says he got into hacking at 10 years old, as soon as he got a computer.
“My first day with it, I went into an IRC channel, and someone told me to ‘get out or else.’ I didn’t, and then my computer crashed,” he says. “I was terrified and fascinated. If they could do that, I could do that.”
He lived in a tiny apartment in L.A. with his mom, who was always working to keep them afloat, he says. Kamkar spent a lot of time on his computer and started hacking games, posting cheat software for his favorite, Counter-Strike. The software was impressive enough that a gaming company in San Diego called him up and offered him a job. So at 16, he dropped out of high school and moved to a new city.
“When I got there, the company realized how young I was and said they weren’t sure it was legal to hire me,” he says. He told them it was okay because he had a work permit from his school. The form was forged, based on a template he found online. He also whipped up official looking emancipation documents, so that, as a minor, he could sign contracts for an apartment and a phone.
In 2000, when he was 14, Kamkar went to his first DEFCON; the conference has been held annually in Las Vegas since the early 1990s. He describes his first of many DEFCON visits as “crazy.” “My cell phone didn’t work because someone was jamming,” he says. “Attendees stole a golf cart and drove it into the pool, which they had dyed purple. They took over the TVs. I saw a woman topless for the first time. In person, that is.”
DEFCON is much tamer these days, thanks in part to the mainstreaming of security technology. The weekend conference now attracts 19,000 attendees, many of them from big tech companies and cybersecurity firms with flush expense accounts. Facebook sponsors a party at the Wynn Casino, as does Rapid7, a large cybersecurity firm that recently went public. These days, the biggest trouble caused by DEFCON attendees is jamming up the local radio frequencies, flooding them with vile language to the angst of ham radio operators, and taking pictures of attendees without permission — a huge no-no for the privacy-conscious group. It “reminded me of going to see a great aunt on life support,” complained one attendee on Twitter.
At this year’s DEFCON, the most anticipated presentation was that by venerated security researchers Charlie Miller and Chris Valasek, who demonstrated that Chrysler had a vulnerability in its UConnect wi-fi system that allowed them to hack a Jeep from afar — blasting the car’s music, turning on the windshield wipers and screwing with the speed of the car. Kamkar chose to do a car-hacking talk in part because of Miller, who is a kind of hacker-hero to him.
“He’s been doing crazy exploits for years,” says Kamkar. “Before his work, I had no idea cars were connected to so many things.”
The preeminent car hackers admired Kamkar back, saying his presentation was the only one (beyond their own) that they attended at DEFCON.
“Hacking is fun,” says Kamkar. “It’s a puzzle. It’s such a good feeling when you solve something that wasn’t meant to be solved. When something works, I jump up and do a dance for 10 minutes. It’s a feeling I chase.”
Kamkar is adept at conveying the fun of hacking, while emphasizing its seriousness. After discovering that many garages, including the one in his L.A. apartment building, can be opened by sending them a “fixed code,” he reprogrammed a pink, hand-held messaging toy from Mattel to perform a brute force attack on a garage door’s code that could crack it within 8 seconds. He called the device “OpenSesame” and announced it the month before the conference on his YouTube channel.
Kamkar’s tease worked. Thousands of hackers filled the huge room where he gave his talk in front of the DEFCON logo—a smiley face and crossbones.
But the highlight of Kamkar’s talk was the “RollJam,” a device he built for around $30 in parts, which can unlock many different types of car remotely. Most cars’ remote keyless-entry fobs use a “rolling code” system to communicate with the car, so that each code sent from the fob to the car is unique. Kamkar’s radio-frequency sniffing device intercepts the rolling code and jams the signal so that the car never receives it. When the fob appears not to work, the owner pushes the button again, sending a second code that the device also intercepts. It then replays the first code to pop the locks, but it sits on the second code to use later.
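The sequence above, modelled from the car receiver's side as an added example (this is not Kamkar's RollJam code and not any vendor's protocol): a counter-only receiver still accepts the held-back code an hour later, while a receiver that also checks a timestamp, in the spirit of the short-lived token codes Kamkar mentions, rejects it. The HMAC message layout, the key, the acceptance window and the five-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # fob/car shared secret, constructed for this example
WINDOW = 16    # counters ahead of the last accepted one that the car tolerates
MAX_AGE = 5    # seconds a code stays valid when time binding is enabled

def fob_press(counter, ts):
    """Fob side: emit (counter, timestamp, tag); the tag covers both fields."""
    msg = f"{counter}|{ts}".encode()
    tag = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return counter, ts, tag

class Receiver:
    """Car side. Hypothetical model, not any vendor's protocol."""

    def __init__(self, time_bound):
        self.time_bound = time_bound
        self.last = 0  # highest counter accepted so far

    def accept(self, message, now):
        counter, ts, tag = message
        if not hmac.compare_digest(tag, fob_press(counter, ts)[2]):
            return False  # forged or corrupted
        if not self.last < counter <= self.last + WINDOW:
            return False  # already used, or too far ahead
        if self.time_bound and not 0 <= now - ts <= MAX_AGE:
            return False  # genuine but stale: it was held back
        self.last = counter
        return True

def simulate(time_bound):
    """Run the article's sequence; return (first code result, held code result)."""
    car = Receiver(time_bound)
    first = fob_press(1, ts=0)    # press 1 at t=0: jammed, never reaches the car
    second = fob_press(2, ts=2)   # press 2 at t=2: jammed as well
    relayed = car.accept(first, now=2)     # first code delivered, locks pop
    held = car.accept(second, now=3600)    # second code delivered an hour later
    return relayed, held

if __name__ == "__main__":
    print("counter only:", simulate(time_bound=False))
    print("time bound:  ", simulate(time_bound=True))
```

In this model, time binding closes the window for a withheld code but does not stop the immediate relay of the first one, and it requires the fob and the car to keep roughly synchronized clocks.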
Kamkar imagines that a car thief could plant a RollJam-like device under a target’s car, and then break into it whenever he or she wanted. He’s releasing the code for RollJam online, but it will be broken, missing a line. “Criminals won’t be able to use it but a security researcher could,” he says. “If criminals ever get high-tech, we’re screwed.”
He says it’s already happening, pointing to a newscast from March, “Thieves Now Use Mysterious Electronic Device to Unlock, Break into Cars.”
“I hope this changes the future of car key security,” says Kamkar.
After his talk, Kamkar moved to the side of the room while sipping a yellow can of Rock Star Energy, to talk to attendees. A firefighter came up to him, asking if he could work with him to use his garage door opener when fighting house fires. It would save them from having to break someone’s door down. “I’m not sure about the legality of that,” he said.
Then two attendees who worked in security at an automotive company approached him to tell him they liked his talk and love his videos.
“My email has been blowing up because of your key fob research,” one says.
They say his work makes their jobs harder, but that his adeptness at getting media attention means that their higher-ups take notice and give them more resources to shore up security.
In other words, the automotive security guys want to help Kamkar hack them. They suggest he check out a particular wireless spectrum used by an auto company for vulnerabilities and recommend a tool he can use to read signals coming off engines. (“You guys just saved me hours of research,” Kamkar says.)
There’s a virtuous circle to hacking. It leads to freak-outs, but seems to be the only thing that convinces companies to get serious about spending money on security. With his simple tutorials and emphasis on the inexpensive tools he uses, Kamkar is trying to make it as easy, and cheap, as possible for other people to get into hacking to increase the pressure on companies to improve their wares.
Later, over the phone, Kamkar says: “What I like about my work is making people and companies more cognizant of these issues. I hope it leads to better experiences for users and consumers.”
Then, as if to distill his message for a lay observer, he adds: “Anyone can break into my mom’s car. That’s not cool.”