Samy Kamkar

Samy Kamkar at home in Los Angeles. Photographed by Austin Hargrave.

Samy Kamkar is a famous "grey hat" hacker. That means he's not bad, but he's not quite good either. A high school dropout, he gained attention (and a felony charge) for his 2005 "Samy worm" virus on MySpace, which added "Samy is my hero" to victims' profiles. Since then, he actually has become something of a hero, with hacks that publicly demonstrate—often to the chagrin of corporations and the US government—security weaknesses and vulnerabilities. (When Amazon announced they would use drones, he figured out how to hack one and posted the video on his YouTube channel.) He also isn’t afraid to play whistleblower, as he proved in 2011 with headline-making research on how Google and Apple surreptitiously collect user data. Below, we talk with Samy about computer-jumping viruses, government cyber warfare and a fun little hack you can try at home.


OK so, first things first, what is the biggest risk to our personal data right now?

When it comes to technology, if you’re trying to exploit something, you’re looking for the weakest link and we, as humans, are the weakest link. I think passwords are a terrible thing. We are inherently bad at remembering them so we use either short weak ones or the same ones across multiple sites.

Smart TVs, cell phones, cars—everything is internet-connected now so there are ways to get in. But most hackers aren’t going to go to that effort if they can get to you more easily through password theft. If it’s a criminal organization doing it, they probably aren’t even targeting you personally. They just want to make money.

How can we better protect ourselves?

One, use a password manager like 1Password, there are a couple out there, I don’t have a specific preference. They make really hard passwords to use. And I suggest that you use one that protects all of your passwords with a single password. That way, you will only have to remember one password and it will do the rest for you. It will log in to websites and if any of the individual ones get hacked, only that password has been hacked and nothing else.

Second, use two-factor authentication. It’s basically an extra level of security that links something you know (like a password) with something you have (like a phone or email address). So when you go to sign in to a website it might send a login to your phone that you then have to enter.

Of course, for you, password theft is child’s play. You deal more in the sophisticated exploitation of technology.

Yes, how technology works and how we can break in, because there are governments and criminal organizations—lots of groups—using those techniques. They aren’t just going for a little bit of money with ransomware and passwords. They’re more far-reaching attacks that are targeting, let’s say, political figures or entire nation states. The Stuxnet virus is an example. No one has ever admitted creating it but the consensus is that the US and Israeli governments worked together to create this virus that spread across the internet to attack Iranian nuclear reactors and essentially shut them down. But here’s where it gets crazy: the nuclear reactors weren’t even on the internet. So why send a virus when you can’t even reach them?

The Stuxnet virus was targeted to the laptops of specific Iranian contractors. And once it got into their laptops, it was specially crafted to jump from the computer into any USB drive that they plugged in. So one of the contractors goes to upgrade software on one of the nuclear reactors; they take the infected USB out of their computer and log into the reactor and the virus jumps off of the USB drive into the nuclear reactor and actually shuts it down. That’s crazy to be able to create something that can jump from machine to USB drive to nuclear reactor! So if that happened five or ten years ago, imagine what governments have created since then.

So when you see these headlines declaring cyber terrorism as the next big threat to world order, you agree? They’re not doomsday-ing for the sake of clicks?

While headlines may be overblown today, the threat is becoming more likely as more industrial systems like power plants, nuclear facilities, and other services have their systems connected to the internet, or connected to other networked systems. Like even electricity and water, those are controlled by data systems that someone could hack into and wreak havoc on cities.

Do you have a nightmare scenario?

Electromagnetic pulses can be crazy because they actually destroy electronics. It requires a lot of power and they’re kind of localized but someone could just come near your house and destroy all your electronics. People taking electric grids down would also be bad, traffic light systems—there are just a lot of unfortunate situations that I hope don’t happen.

So now that we’ve outlined how the end of the world is going to play out, let’s talk about your own experience as a hacker. Do you think you’d have gone down a more criminal path if you hadn’t gotten caught for the “Samy worm”? Did that experience give you more of a conscience?

Yeah, I mean I was a teenager and it was a silly thing to do. I’d like to think that I would have matured a bit either way, although I’m sure it helped. I would say it was really good for me because as part of my punishment, I couldn’t use a computer for three years. So that by itself led to me having to spend time doing other things that I think were beneficial. I became a better communicator, met more people, read more books, went out. I would like to actually do that experience again because I think it helped me quite a bit. But I never felt like I was a malicious person to begin with.

Being offline for three years, what changes in digital culture struck you when you first logged back in?

It was right when the iPhone came out. It’s interesting, today people are worried about things like the Amazon Echo because it has a microphone and I’m like, there’s been a computer in your pocket for the last ten years that has not just one camera but two and a microphone and it’s often listening and you don’t know it. I don’t think anyone has any idea how much information our smart phones are taking and how they can abuse that information.

So when I first got back online I was interested in how smart phones work. I started reverse-engineering the iPhone and Android and doing research around the things that can be exploited in these systems. I’ll give you an example. No one realized until I actually proved it that literally every phone is scanning wire-to-wire networks and taking GPS information and sending it to Google and Apple. So when you’re walking down the street, any router that’s nearby, your phone is taking that router’s unique identifier, taking the GPS location and sending it to Google or Apple. So if a person goes online, Google and Apple know exactly where they are because someone’s phone told them. What’s more, they’re looking at how fast you’re traveling. If your phone is at this location one minute and now it’s at this location 10 seconds later well, then, you’re probably traveling along a certain road, and that’s how you get things like live traffic view on Google Maps; it’s simply because it's getting live information from everyone’s phone.

What are you working on now?

Honestly, a lot of my time I just spend trying to learn new things. Lately, I’ve been trying to learn more about physics because I want to understand how electromagnetism works. Electromagnetism is how radio waves travel from your phone or Bluetooth or WiFi. Whenever you’re typing on a keyboard, your keyboard is actually producing electromagnetic waves so there’s potential that I could see your keystrokes and what you’re typing just by radio waves.

I also co-founded a security company called Openpath. My co-founders and I found that there are areas of physical security that have been ignored for years and are extremely inconvenient for users. I had previously released software for a device that can clone and brute force credentials to easily break into buildings by exploiting legacy RFID readers, and this attack continues to seem to be possible everywhere I go. This issue along with the inconvenience of still using physical key cards seemed like an area that needed change and where we personally wanted to see improvements.

Your hacking tagline is “think bad, do good.” You work on the fringes of the law but you’re out to help the little guy. It sounds like you live this maverick lifestyle that’s dramatic and sometimes dangerous. Is that how you experience it?

I don’t know about that. All of this is just super interesting to me. I do feel like my personal life is always a little suspenseful—which is both good and bad. I simply keep getting in trouble, unfortunately. I’m not trying to be a bad person, I’m trying to do good. But sometimes to do that you have to ruffle some feathers.

I've discovered that often positive changes in the security of systems and protection of data only occur once we see how "bad" something can be. Only then are we motivated to resolve it. If I write about something, it doesn’t really make a difference. If I want to make change, I’ve found that I have to demonstrate it. If there’s an issue that I believe people are abusing or are going to abuse that will hurt others, the only way to resolve it quickly is to demonstrate it. It’s exciting and it makes me feel good when I’m able to do that. But unfortunately some organizations and government agencies aren’t so happy with me. I’m really fortunate to have great attorneys who help me pro bono. The EFF (Electronic Frontier Foundation), they’re a non-profit group of attorneys similar to the ACLU. They help me a ton. The stuff I work on is a big gray area. My intentions are good but I can understand why some people get upset.

Is it more government agencies or private corporations?

Corporations don’t do too much and often I will give the information to them so they can actually solve the problem.

Have you ever had a "Michael Clayton" moment?

Nothing that dramatic. I mean I’ve definitely had some weird things happen—like hotel rooms broken into and things stolen but I’m very fortunate that nothing really bad has happened.

Are you active in the hacker community? Edward Snowden used something you had created, right?

Oh, he just released documents from the NSA showing they were using technology I’d created to basically track people on the internet. I guess you could say I’m part of the community. I work on my own projects but I really like sharing so I put a lot of things in the public domain for people to be able to use and learn from and improve upon. So…I like sharing, I’ll just leave it at that.

But it’s not like you’re in a chat room at 2 a.m. with members of Anonymous?

[laughs] Well, actually, I guess I am. A lot of the other people who work on similar technology issues, we do idle in chat rooms and share information and work on projects together.

What are the biggest misconceptions about hackers?

That’s a good question. I’m not sure. I’d say a lot of common perceptions are accurate. But it really runs the gamut. Some hackers are exactly what you see on TV. A bunch are academics at universities and they’re researching and discovering amazing new things. Some are people who want to test and share knowledge. And then, of course, you have criminal organizations. Growing up, I definitely made friends with some people who maybe were more on the black hat or dark side.

So shady characters and civic-minded crusaders are in the same chat rooms?

Yeah, I’d say that's the most interesting part. The lines are really blurred. You would think the good guys might not talk to the bad guys, but they’re mingling in the same underground chat rooms and they know maybe that they’re on opposite sides and yet they’re still interacting which I think is kind of crazy but also interesting.

What does "bad guy" mean?

Yeah, I guess those terms are in the eye of the beholder. I guess I’m thinking of people who use hacking for financial or personal gain, stealing information and selling it. There are actually public groups that you can sell data to. And it’s crazy because you don’t know who you’re ultimately selling to—you’re selling it to a middleman who then will go and sell it to the highest bidder... and that’s typically just some government.

It sounds like governments play a much bigger role in the hacking ecosystem than the public is perhaps aware of.

It’s huge in governments. There are people—I know a few in the US government—who are part of these underground teams. All they do is look for vulnerabilities in the systems that you and I use every single day. So they’re looking at the iPhone and they’re finding ways to break it because they’re going to use it against someone in another country who they believe is causing the US harm. And they’re not telling Apple because Apple will fix it.

For example, maybe the target is someone who works at a company that designs aircraft or electrical industrial systems, things that would have far-reaching power if you were able to infect them. You know, a lot of hacking is just bouncing from one system to another. So you start with someone’s phone and when they walk into work you jump off the phone and onto the work network and then you attack a computer, maybe it’s a supervisor’s computer so now you can access more privileged information. You just keep jumping around and get more and more data and access.

Well that is terrifying. Let’s end on a cheerful note. Can you walk us through a hack any novice could pull off?

Take your router or a spare router, change the wireless name to "attwifi", remove any password so it's an open network, then wait. In a few minutes, people's devices such as laptops, phones and tablets will connect unbeknownst to them simply because they've joined a network with the same name in the past. All of their internet traffic is now under your control to inspect, alter, or deny, without any warning to them.

Keep up with Samy:

Website: Samy.pl
YouTube: Applied Hacking With Samy Kamkar
Twitter: @samykamkar