- Hi, my name is Samy Kamkar.
I am a security researcher,
computer hacker,
and co-founder of Openpath Security.
I've been challenged today
to explain one simple concept
in five levels of increasing complexity.
My topic, hacking.
Hacking to me is using or
manipulating a system in a way
that it wasn't intended
or really expected.
And that could be a computer
or it could be a phone
or a drone or a satellite.
It could really be anything.
[bright music]
Do you know what computer hacking is?
- It's bad.
Like, I'm going into someone's
personal account or account,
changing some stuff or just
stealing some information
or your money.
- Yeah, it's crazy.
There are really a lot of bad
or malicious hackers out there
who are doing just that.
They're going into people's accounts
and they're stealing money,
but there's also another side
of computer hacking where
there are people who
are trying to learn how
those bad hackers are actually breaking in
to the bank accounts.
- Do they, like, return the money?
Like, give them their money
or something like that?
- What they're trying to do is
they're trying to even prevent
the bad hackers from getting
in in the first place.
- So they put like a protection
account or something.
- Yeah, exactly.
They're looking for ways that
they can create protection.
It's kind of like the
lock on your front door.
That lock is to essentially prevent
bad people from coming in
or people accidentally coming
in when they shouldn't.
A hacker is essentially looking at a way,
how can I get into this lock?
But then there are the good
ones who are trying to unlock it
so that they can tell the
company that made the lock, hey,
we can actually protect people
by making the lock a little harder.
- What would they do about the
people and the broken lock?
- In many cases, they'll
send them a new lock.
So it's an upgraded, better version.
Sometimes that's new features,
but sometimes that's bug fixes
and ways to protect you as well.
- But like, they may get arrested
because they might get mistaken.
- That's a very good point.
You should definitely make sure
that you're obeying the law.
They might work with the
lock company and say,
"I'm trying to improve your product."
And they're trying to find
these holes or problems,
and then share that with the company.
Even though the good hacker is
doing exactly the same thing
as the bad hacker, it's
the same exact skillset,
and you're using the same exact
techniques and information
to try to break that lock,
but your goal as a good hacker
is really to help everyone
like you and me to make sure
that our stuff is protected.
So hopefully they don't get in trouble
because they're the good guys.
- When did you start doing,
like, the good hacking?
- I started doing the good hacking
when I turned nine years old.
- Wow.
- I started going on the
computer and playing video games,
but I had some ideas of my own,
and that's where I started
to learn how to hack.
I wanted to play with my
friends on this video game
and just change the way that things look.
- But that would be kinda bad,
because maybe the creator
did it for a reason.
- That's entirely possible.
They may have done it for a reason,
but you may have come up
with a really good idea that,
do you think there are other people
who might like the idea
that you came up with?
- Yeah.
- When you have creative ideas like that,
hacking can actually allow you to
change the way a system works,
and that means you can change a game
and how the game is played,
and then you can share
that with your friends
and other people who like that game.
Once I started learning how to do it,
I found that, things
that were harder for me,
I could make easier.
- Did your parents approve of it?
- I don't think my parents knew,
but when my parents found out
that I was doing it for good,
I think they were happy.
[bright music]
Do you do anything with
computers or any coding?
- I like to play coding games,
and I like to go on
code.org, and they have
a variety of games for different ages.
So like, I really like to do that.
For example, like the game Flappy Bird,
it's like puzzle pieces,
so they would tell you
to connect something and
then you would play the game
and then you could see what you connected.
- [Samy] Interesting, so it's
like a graphical interface
where you can connect
different pieces together.
Kinda like wire them together.
- [Linda] Yeah.
- Oh, that's pretty cool.
What do you know about computer hacking?
- I don't really know much
about computer hacking actually.
- So on code.org, one of
the things you've been doing
is actually building a game
or that they have a game
and then you can actually
rewire some of the inputs
and outputs of that.
Is that right?
- Yeah.
- Okay. With computer hacking,
it's actually the same thing.
Really, you have some sort of system
and you have a bunch of inputs
and you have some sort of output,
and actually you, as the designer,
you're essentially designing
games and software.
You're saying, well,
I will only allow a user to
really control these inputs.
Can you think of any inputs
the computer might have?
- [Linda] Space bar.
- Yep, there's also things like your mouse
and there's even things
like the microphone itself
is actually an input device.
It's taking something from you,
which is the sound and it's
then transmitting that,
and it's actually sending it to me.
Are there any other things that
you can talk to a computer?
You can give it information.
- Camera.
- That's absolutely another input
that exists on your computer.
That's how I try to think of things
is there's just a bunch of inputs.
Often, if you're trying to break something
or hack something, you're
really saying, okay,
how can I control these
inputs in a way that
wasn't necessarily expected?
- What inputs would you
normally use to hack?
- Typically, it's going to be something
like the keyboard, right?
I'm just going to be typing keystrokes
to be talking to some piece
of software or hardware,
but other times it can be other things
like even the temperature of a computer
can actually affect how
the computer operates,
and it might be advantageous
to me to cool down the computer
and actually slow down the
movement of electrons in
something like memory, so
that if a computer shuts off,
it stores something that
wasn't memory like a password
and stores it for a long enough time
that I might be able to actually
extract it through some other methods.
- How long does it take to get in?
- It just depends what
you're trying to do.
In some cases, it could
literally be seconds
because you already know
how the system works,
and other times, it could be years.
So what have you learned about hacking?
- I think hacking is
actually really interesting.
There's different languages to hack in.
I've also learned that a lot
of things could be hacked
that you don't necessarily
think that can be hacked.
[bright music]
- Have you started studying cybersecurity?
- I started this year,
I took my first course,
so haven't gone too deep into it,
but we got a basic idea of, like,
basics of information
and network security.
We learned about how networks are set up,
like the different types of
topologies, like star and mesh,
and also how networks are designed
with different levels of security.
- Have you heard of the breach of Target
where they were breached many years ago
and their point of sale
systems were hacked?
- Yes, I heard about that.
- So where people are
swiping credit cards,
those credit card numbers were stolen.
They hired a company to come in
and perform a penetration test to see,
can the good guys
essentially break in again
to prevent this sort
of thing in the future?
And when this team came in,
they found they actually were able
to get pretty much to the
same point of sale system,
and the way they did
that was by exploiting
an internet-connected deli meat scale.
Once the company was able to essentially
get into the deli scale,
because the deli scale was
on the internal network,
then they were able to really
escalate privilege and find
a vulnerability within another system.
Essentially, that just
got them into the network,
and once you're in the network,
it's often really easy to
then escalate from there.
- I've heard about similar attacks
in hospitals using hospital equipment,
but I'm surprised that something
as simple as a meat scale
would have been used in such an attack.
We discussed it in class
as how hackers look at
some of the weakest links
in these large networks
and use those to tap into networks.
- Yeah, that's another
interesting concept.
It's really just different layers
that we have for protection,
because often when you're talking about
something like a corporate network,
or even your home network,
you typically have sort of
one level of defense, right?
If someone can break that
or it can get in through some other system
that is connected or exposes
some other protocol,
like Bluetooth, right?
You can connect to a Bluetooth device
without being on the wireless network,
without being on the LAN.
That potentially gives you another place
that you can pivot on and
then access other devices,
because if something has both
Bluetooth and also Wi-Fi,
well, if you can get in through Bluetooth,
then you can then access the Wi-Fi
and get to other devices on the network.
Are you familiar with buffer overflows?
- No, I am not familiar with that.
- If we were to write a program
that asked for your name
and you typed in your name,
but before you could type in your name,
in a low-level language, which is like C or C++,
you'd have to allocate some memory.
So you might allocate a
buffer of a hundred bytes
because whose name is going to be longer
than a hundred bytes
or a hundred characters?
But what happens if you
were to not really check
that they're limited to a hundred bytes?
Do you know what happens
if they essentially
start typing over that hundred bytes?
- In that case,
it would be an error for
accessing invalid memory.
- Absolutely, you would essentially cause
a segmentation fault.
- Yeah.
- But what's really cool about that is,
when you're going into memory,
you're starting to cross over
that boundary of that
hundred byte allocation,
and now you're starting to
write over additional memory.
That other memory is
really important stuff.
So you have your name,
the hundred bytes there,
and then right next to your
name is the return address,
and that's the address that
the code is gonna execute
and it's going to return to
after that function is done,
and it's going to jump to that address,
but after you type your hundred bytes,
the next few bytes that you type,
you're actually going to
overwrite that return address.
So that return address
could essentially be
another address in memory.
So what you end up
doing is you type a name
and it's not really a name,
it's really just code.
And that code, you keep typing until
you get to the return address,
and you start typing an address,
which is really the beginning of your name
and your computer or your processor
is actually going to read that address
and it will jump back to the beginning
and then execute that payload.
So that was sort of the very
first thing that I think was
super exciting to me when I started
learning about really reverse engineering.
- So how does the buffer overloading
relate to what you are doing in terms of
network security or designing software
for penetration testing?
- Ever since buffer overflow
started many years ago,
there have been a lot of protection mechanisms
built to make it difficult to exploit.
More and more, we're actually using
smaller and smaller computers
with smaller amounts of compute power.
If you take a car, you have
hundreds of microcontrollers
that are all running there.
So they don't really have a
sophisticated operating system
that can try to prevent
attacks like buffer overflows.
So how do we keep these low
cost computers in here while
adding layers of protection
to prevent malice
and these types of attacks?
Sometimes it actually is,
how can we write software
or how can we build a system
that prevents these types
of attacks from entering?
But oftentimes, it's really
looking for how can we find
new attacks that we haven't
even necessarily thought of?
What got you interested
in computer science
and information security?
- I got interested in cybersecurity
because I'm really into global
affairs, global politics,
and you often hear in the news about
the rising power of China,
the rising power of Iran.
I enjoy how interdisciplinary
computer science is.
Like, nowadays there's so much going on
in the world of computers and
that's what fascinated me.
- You brought up China and Iran,
and something that's
interesting about those areas
is really censorship, right?
They have essentially censored internet.
In the US, we have a really interesting
internal struggle here
where we actually have
government agencies like
the State Department
that are funding software
to evade censorship,
like Tor and other mechanisms.
While then we also have an
internal struggle where we have
other organizations like the NSA
who are specifically looking
to break that exact same system
that the US government is also funding.
- There are a lot of ethical questions
about whether we should be
intervening in other countries,
but it's pretty interesting that
two different agencies of the government
are actually working on
contrasting technology.
I can actually understand that because
if we are creating a technology
that we are going to
deploy somewhere else,
we should know its limitations.
We should know how to control it.
- It's good for us to understand
how these systems can really break down.
Although, I think one thing that I see
is that some of, let's say,
the organizations that
are looking to break this
are not necessarily going to share
once they actually learn that information.
They might actually sort of
hold that in their back pocket
and use it when it's advantageous to them.
[bright music]
What kind of projects are you working on?
- This is the end of my first year.
I'm a PhD student at NYU
Tandon School of Engineering.
I'm studying security systems
and operating systems.
So, security for operating systems.
I've been mostly working on a project
that limits executables'
exposure to bugs in the kernel.
It's run by professor Justin Cappos there.
He found that the majority of bugs
that occur in the Linux kernel
happen when you're doing things that
people don't do that often,
the programs don't do that often.
So designing a runtime
environment that lets you
limit what a certain
program has access to,
but also the things that
it does have access to
is also limited to those
popular paths in the kernel.
So it can't access areas that
aren't under more scrutiny.
- So essentially it's a really,
definitely a stripped
down operating system,
or I guess it's a virtual machine.
- Basically, we're creating a
user space operating system.
- Have you done any work
in side channel analysis?
- Like, a little bit.
I read the Rowhammer paper.
I found it really interesting,
but it's nothing that
I've actually worked with.
- So the side channel
analysis is really looking
not at a vulnerability within a system,
but really unintended consequences
of what the system is built on.
A very simple example of a side channel
is putting your ear to
the ground to hear if
there are horses coming towards you,
and the same thing applies to technology.
So you can have something like
a CPU, it's executing instructions,
certain instructions that
use a little bit more power,
and power is reserved in these capacitors,
which are like tiny
batteries next to your CPU.
And as they're pulling power,
there's something in physics called
the electrostrictive effect
where the capacitor will move
in a very, very tiny amount.
And then although we can't hear it,
the microphone on a mobile device
can actually listen to that.
If you then listen to that and you say,
oh, I see a pattern here,
and you can go all the way down
and then extract and reveal the
full password, the full key,
even though it could be argued that
the algorithm itself,
there's no problem with it.
- So all memory devices are just,
it's just a bunch of
gates and they're in rows.
They basically all hold
different pieces of memory.
That's all the gates are.
Either they're turned on
or they're turned off.
So what Rowhammer found was they tested
a bunch of different memory
devices and found that
by doing a certain
order of storing things,
and then pulling that
information back in a certain way
in one place would actually
flip gates in a different place.
So you could actually do a bunch of things
to a piece of memory that
had nothing to do with
something that may be
critical in a different place
and actually change its contents,
and that obviously exposes
all sorts of security issues,
because that's very hard to predict.
- Yeah, I suppose the physical adjacency
of the underlying
transistors and capacitors
that are holding that storage.
That's crazy.
I think the first time I heard of
an interesting attack
like that was learning
about the cold boot attack.
Being able to, you know,
someone enters their
password on their computer
and that decrypts their hard
drive and then they walk away.
Being able to extract that
password is really difficult.
If I can pull that memory chip
out and extract that memory,
put it in my own device,
except the problem is memory is volatile,
so it'll erase as soon as I pull it out.
You can take something like
canned air, turn it upside down,
cool that computer, make
it real nice and cool.
Then you have a minute or
two to pull out the memory,
put into your own device,
extract the memory,
and then you're good.
It's such a simple method to really
extract something kind of critical.
Like Rowhammer, it's such a
low level of vulnerability
and you could argue that
it's not necessarily
a vulnerability in the
architecture itself,
but rather exploitation
of physics at that point.
- I've spent a decent amount
of time with this stuff,
and in my mind, a lot
of that is a nightmare.
Over the last year while I
was doing some other stuff,
I actually designed some
microcontroller boards
for a company that was doing stuff with,
like, a smart watering project.
The problems with updating is just, like,
that scares me the most.
Like, people don't update their own stuff,
let alone these, like, devices.
- I keep forgetting to update my fridge.
- I find myself trying to shy away
from owning like smart things.
- That's pretty challenging
if you want to use wireless, right?
If you wanna use a wireless router.
- Yeah, I mean, there's
obviously essentials,
but yeah, no matter what,
you can't really avoid any of this.
- The risk right now, just
during this quarantine,
is actually massive now
that we think about it,
because you might have
these legacy systems.
You know, they were
built 20, 30 years ago,
and it's too costly to upgrade,
but now you can't actually
have a lot of people
in a single location, so potentially,
they actually do have
to now add some sort of
remote capabilities to these systems
that were never meant
to be on the internet.
Have you ever had any ethical concerns
with the stuff you're interested
in or the work you do?
- Oh yeah, for sure.
When people find vulnerabilities,
I think it's their duty to
release those to the public.
- Especially now that we're
seeing more and more companies
who are trying to make it illegal for you
to inspect the vehicle that
you've purchased, right?
Something that you actually own.
- Yeah, I think that's nuts.
I'm firmly against that for sure.
- What if it were illegal?
Would you then do it?
Fortunately it's not today, right?
It hasn't been, you know,
despite their attempts,
none of that has been passed,
but if you had a vehicle and
you wanted to inspect it,
but all of a sudden, it passed, I mean.
- I don't know, probably, yeah.
[laughing]
I don't think that's hurting anyone,
- But the laws don't always
equate to hurting anyone.
I ethically think similar
to you in that, you know,
what is moral to me is
as long as I'm not intentionally
hurting others, right?
- Yeah.
I think we see every day
that ethics and the laws
aren't necessarily the
same thing all the time.
[bright music]
- Hey Colin, we already know each other,
but why don't you introduce yourself
for the people watching?
- Hi, I'm Colin O'Flynn.
I live in Halifax, Nova Scotia, Canada.
I do hardware hacking both in academia
at Dalhousie University,
and in industry at my
startup, NewAE Technology.
- What have you been up to?
And yeah, what are you working on?
- Lately I've been doing, you know,
always a little bit of
side channel analysis.
So what I really do, you
know, is all hardware layer.
So I've been looking, you know,
at some various devices lately,
at how susceptible they
are to fault attacks,
what that sort of means in real life.
You know, not just
purely the research side,
but also how much should
you care about it.
- Maybe a mutual acquaintance of ours,
Jasper gave an example of fault injection,
and I like to use that as,
when I'm trying to
explain fault injection,
he shows a pinball machine
and the pinball machine,
obviously the two inputs
are the two plungers
when you're playing a pinball machine,
but fault injection,
you can tilt the entire
pinball machine, right?
You're just introducing
some external variable
that's outside of the traditional inputs
that you're used to
and you've now controlled the environment
in an advantageous way to
the user or the player.
Can you give an example of
some type of fault injection
that you're doing or working on?
- One of them was looking at, like,
a little hardware Bitcoin wallet,
and you could use fault injection
to actually recover secrets from it,
and a lot of devices.
I mean, the whole idea
is pretty cool, right?
Because you tell the device,
"Hey, I want to authenticate,"
and it's supposed to run
some really crazy math
that authenticates it,
but instead of doing that crazy
math and attacking the math,
you just attack the check at the end.
- We're also scratching the surface of,
like, what is possible?
It's not necessarily
just the system itself
and not necessarily that algorithm itself.
Like you said, you don't necessarily
need to attack the math in some cases.
You can just attack that check.
And I think something
that's been pretty cool
is looking at higher energy particles.
It's going to be maybe
hard to entirely confirm,
but I think it'd be really,
really cool to actually see.
Like, I want to see one of these faults
because I haven't seen it myself.
And also, how do you
know that you've seen it?
I've started playing with, like,
setting up a cloud chamber.
A cloud chamber lets you actually view
high energy particles going through
sort of like in a small jar
with some evaporated alcohol.
And I thought it'd be really cool
if we put some memory chip in there,
like a basic memory chip and
we just fill it with some data,
but then you put a camera on
that area and you just watch.
Assuming that there is
a high energy particle
that actually hits that memory,
that should potentially flip
the energy state of that bit.
The outside microcontrollers
should be able to read
that and actually say,
"Oh wait, the data, even
though I'm not changing data,
I'm only reading data,"
and we should be able to
visibly or optically see it.
What I'm wondering is could
that be a next area of research?
Because I don't think
anyone's actually looking at
intentionally injecting
high energy particles
to take over a computer,
when really, you know,
that's another technique
for fault injection,
technically speaking.
- This was actually tied
into something recently
I was looking at, which was, you know,
flipping flash and EPROM memory.
- You mean flipping bits within flash?
- Yeah, exactly, right.
So flipping it in this
sort of flash memory.
And so someone's done it with x-rays.
There's actually, I forget who now.
There's a paper, at least one,
and it's just like a
little plate they make
with like a hole in it to
concentrate the x-ray source
and it works, so yeah,
it's super interesting.
Like, one bit in memory means a lot,
especially in the flash memory side.
Yeah, visualizing it would be cool though.
- I've never seen...
Maybe call it a verifiable
visualization of it, right?
We know it's true, you know,
you can get skin cancer by going outside
and having too many high
energy particles hit you,
but we've never seen it.
And we know it can happen
to a computer chip,
but I've never seen both.
- Yeah, so actually, so
it's funny you mentioned,
like, making it more obvious.
I mean, staying on fault
injection right now,
this is lately what I've been up to.
A lot of making a little
kind of, you know,
like electronics kits of old, right?
And you can assemble it all
yourself and see how it works.
So making something like
that for fault injection.
So all kind of older
logic and stuff like that.
So, I mean, it's sort of based on, like,
you're presented the little MUX chip.
You know, voltage switcher.
That sort of idea, using
just discrete logic
to generate the actual glitch itself.
So, but you know, it's part
of, I think, this stuff, right?
It's like people don't
know about it sometimes.
Like, even engineers designing systems.
It's new to a lot of people.
- The thing is, even
if you know about that,
then there's so many others that
someone won't necessarily know about,
because there's so many, I guess,
potential areas for a fault to occur.
Where do you think security is going
or new research is going?
Are there any new areas you think
are coming out or are going
to be more interesting,
you know, pretty soon?
- Fault injection has
become pretty interesting.
Like, there's been a lot
of people poking at that,
and I think a lot more
products of interest.
Side channel still might
have a bit of a comeback.
Basically, what I kind of see is
a lot of the really cool
stuff has been in academia
because product security
hasn't kept up, right?
For the longest time, doing
these attacks on hardware
was pretty straightforward.
You didn't need these crazy attacks.
It looks like a lot of
devices are coming out now
that actually have real
claims to security, right?
More than just a data sheet mentioned.
There's actually something behind it.
- For me, I think the
things that have been
recent and super interesting
are typically down to
physics-level effects
that maybe we haven't seen before.
I think my mind was blown with the,
there was the light commands research,
and they were able to modulate sound,
although it's purely
over light using a laser,
they would hit the MEMS microphone,
and it was picking that up and
was able to then interpret it
and essentially take control over light.
- I'm curious of the backstory
to how they found that.
Because if you told me that, right?
So you said like, "Hey, Colin,
you should test this out."
I probably would be like, "It
probably won't even work."
Which is like a lot of side channels.
When I first heard about it, you know,
working, doing firmware
stuff, it was like,
"Oh, that sounds like it's not gonna work.
Like, that sounds impossible."
You know, the whole area
of hardware hacking,
it feels kinda like cheating
because, you know, as you said,
someone designing the
system needs to know about
so many different ways, right?
So there's so many ways
to break the system,
and if you're designing them,
you need to know all of them,
but when you're attacking it,
you really need to know one, right?
So I can know nothing about, like,
how does ECC actually work?
You know, I have some vague hand-waving
I can tell you about,
but if you gave me a pen
and told me, like, "Okay, write it down,
specifically the equations
and what they mean
and how the point model works and stuff."
Right, no idea, but designers
are like the other side.
It's almost like, I don't
wanna say the lazy side of it.
- It's the easier side.
I would say my side is
the easier side, right?
I'm on the offensive side.
I want to break into things.
Someone on the defense side,
they might have, you know,
a system was developed
and they now need to
patch a hundred holes.
They patch 99 of them. I
only need to find that one.
- Yeah. There's no downsides
is what you're saying.
- Yeah, only when you get caught.
I hope you learned
something about hacking.
Maybe next time a system behaves in a way
that you weren't expecting, you
might just be curious enough
to try to understand why.
Thanks for watching.
[bright music]
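The stack buffer overflow Samy walks through above (a hundred-byte name buffer, the saved return address sitting just past it, and a payload whose final bytes point back at the start of the buffer), written out in C as an added example that is not from the video or the transcript. It models the frame as a struct so the overwrite is well-defined and observable rather than corrupting a real stack; the struct and function names, the sentinel return-address value and the 'A' filler are this example's own choices, and the distance to the return-address slot is read with offsetof because alignment padding can push it past byte 100.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame Samy describes: a 100-byte name buffer with the saved
 * return address right after it. A struct stands in for the real stack so
 * the overwrite stays defined behaviour (a real overflow is undefined, and a
 * stack protector would abort it). Names and the sentinel are assumptions
 * made for this example only. */
#define NAME_LEN 100
#define SENTINEL_RET 0x1122334455667788ULL /* stands in for the real saved address */

struct frame {
    char name[NAME_LEN];
    uint64_t return_address; /* padding may place this past byte 100 */
};

/* Vulnerable: copies every byte supplied, with no length check, so bytes
 * past name[] land on return_address. The demo keeps len within the struct
 * so the model itself stays defined; a real program has no such limit. */
static void read_name_unchecked(struct frame *f, const char *input, size_t len)
{
    memcpy((char *)f, input, len);
}

/* Hardened: rejects anything that does not fit, NUL terminator included. */
static int read_name_checked(struct frame *f, const char *input, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(f->name, input, len);
    f->name[len] = '\0';
    return 0;
}

/* Builds the payload from the transcript: filler up to the return-address
 * slot (the "name" that is really code), then the address of the start of
 * the buffer, so a return would jump back into the payload. */
static size_t build_payload(const struct frame *f, unsigned char *out)
{
    size_t off = offsetof(struct frame, return_address);
    uint64_t target = (uint64_t)(uintptr_t)f->name;

    memset(out, 'A', off);                     /* placeholder for shellcode */
    memcpy(out + off, &target, sizeof target); /* native byte order, as the CPU reads it */
    return off + sizeof target;
}

/* Returns 1 if the unchecked copy redirected return_address into the buffer. */
int overflow_redirects_return(void)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t len;

    memset(&f, 0, sizeof f);
    f.return_address = SENTINEL_RET;
    len = build_payload(&f, payload);

    read_name_unchecked(&f, (const char *)payload, len);
    return f.return_address == (uint64_t)(uintptr_t)f.name;
}

/* Returns 1 if the checked copy refused the same payload and left
 * return_address untouched. */
int hardened_rejects_payload(void)
{
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    size_t len;

    memset(&f, 0, sizeof f);
    f.return_address = SENTINEL_RET;
    len = build_payload(&f, payload);

    return read_name_checked(&f, (const char *)payload, len) == -1
        && f.return_address == SENTINEL_RET;
}

/* Returns 1 if a name that fits is still accepted by the checked version. */
int hardened_accepts_fitting_name(void)
{
    struct frame f;
    const char *name = "Samy";

    memset(&f, 0, sizeof f);
    f.return_address = SENTINEL_RET;
    return read_name_checked(&f, name, strlen(name)) == 0
        && strcmp(f.name, name) == 0
        && f.return_address == SENTINEL_RET;
}

int main(void)
{
    printf("return address slot at offset %zu\n", offsetof(struct frame, return_address));
    printf("unchecked copy redirects return: %d\n", overflow_redirects_return());
    printf("checked copy rejects payload:    %d\n", hardened_rejects_payload());
    printf("checked copy accepts \"Samy\":    %d\n", hardened_accepts_fitting_name());
    return 0;
}
```

Build with any C compiler and run: the unchecked copy reports that return_address now holds the buffer's own address, while the checked copy reports that it refused the identical input and still accepts a name that fits. On a real stack this same mistake is what stack canaries, ASLR and non-executable stacks were introduced to blunt, which is the class of protection mechanisms Samy says were built after buffer overflows became common, and why the microcontrollers he mentions, which often lack them, remain exposed.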
