Hackers spread the word about cybersecurity problems
Kai Ryssdal: Las Vegas is no stranger to shady characters, but there's a plethora in town this week. So shady, in fact, they call themselves Black Hats. It's a convention of hackers and cybersecurity researchers who, it turns out, are trying to do good by being bad.
Marketplace's Steve Henn is on an all-expenses paid trip to Vegas for the conference. Steve, having fun yet?
Steve Henn: Yeah, I am having fun. It's kind of an interesting scene out here. You know, I was registering for this conference, and the guy behind the press desk was this bearded, tattooed dude, and I asked him if there was a wireless connection I could hook up to. And he just looked at me like I was this lost, pathetic soul, and said, 'Man, don't use the wireless.' And I was thinking, why not? So I asked, and he said, 'You're at a hacker convention.'
Ryssdal: I like that actually, that's pretty good. He was doing you a favor.
Henn: He was. Yeah, I owe him a drink.
Ryssdal: Well, that's an entirely different thing. Beyond the wireless, though, what exactly is going on there?
Henn: There's a lot going on. There are a lot of people here who are raising concerns about how interconnective lots of different devices are. So there's this guy named Don Bailey at iSEC Partners, and he's hacked into this device called the Zoombak. Here he is at the conference talking about this.
Don Bailey: This is literally just a small consumer tracking device. Nobody knew who the heck this thing was -- before Oprah went on and said, 'Hey, you know what's really cool? You can track your kids and make sure they're safe. To do that, use this little small device that you can throw in their backpack and now they're super safe, and you track them online with a web 2.0 interface. Thumbs up!' I heard that and thought, 'Oh dear god, no. Please Oprah no, no Oprah no!'
Yeah, so Don is really good at hacking into the mobile cell phone network, and this device, the Zoombak, basically uses the cell phone network. So he targeted it. He got on the network, looked around, was able to identify these things, could track these devices as they moved around, right -- so like track your kid. And then he realized he could spoof them. So he could send fake information about where a device was back to the Zoombak website -- which is, if you're a parent, terrifying.
Ryssdal: Yeah obviously not good. What did Zoombak do about it? One guesses he told Zoombak, right?
Henn: Yeah, he did. But at first, honestly, they thought he was nuts. It took him a couple months to break through and get in touch with people who actually would address the problem. And eventually they patched it. But as he was doing this research, he realized that Zoombak wasn't the only company out there using mobile phone chips to do this kind of stuff: home alarms were doing it; car alarms; water treatment facilities; the electric grid. So you know, all of these devices were vulnerable in the same way.
Ryssdal: Let me ask you this, though, Steve: Hackers are guys who work in secret, they wear black hats as we're told, it's all hush hush -- I don't understand why they're at a big convention in Vegas telling everybody about what they're doing.
Henn: Well the guys giving the talks here generally are the good guys. They're not the people out there stealing your credit card number. And what they're trying to do is alert companies that use these technologies that we have some real weak spots in our security infrastructure, and that if they don't take steps to fix them and spend some money to fix them, they could have problems. The whole idea is to basically spread the word and make us all safer.
Ryssdal: And we're doing our part. Marketplace's Steve Henn at the Black Hat conference out in Las Vegas, Nev. Steve, thanks a lot.
Henn: Sure thing.