Hacking Real Things Becomes Child's Play At This Camp
At r00tz, a camp that takes place each year during the Def Con convention in Las Vegas, children learn to pick locks, hack smart TVs and, most important, how to take apart and understand the technology that surrounds them.
The scene inside the camp a couple weeks ago was a bit of a madhouse — controlled chaos. Little kids everywhere. Brendan Herman was trying to program a machine to draw pictures on ping-pong balls, wearing a tinfoil hat.
"To protect me from aliens," he said.
And Herman, an elementary school student, fit right in. His counselors were adults covered in tattoos, explaining circuits and simple switches. Some campers milled around watching others, like tag team programmers.
"I am just messing around with it trying to figure out stuff," said Owen Chilcoat, who sat hunched over a tablet, scrolling through code. "I'm trying to break it."
On the other side of the room was Mark Risher, who created a website called SaaSCrack, dedicated to teaching kids to hack.
"We [originally] built SaaSCrack ... for the Def Con kids event," Risher explained. The site teaches kids — or adults — how to poke around in online software and websites looking for vulnerabilities. It works like a game.
"This guy here is already on the leader board with 300 points," said Risher, pointing at Tye Harmer. Tye barely glanced up.
If your target audience is 8- to 13-year-old kids, a name like SaaSCrack gets attention — but I wondered if the kids got the joke.
When I pried Tye away from his screen and asked, he just smirked, and pointed at his tablet. But when I asked if he knows what SaaS stands for I was greeted with a blank stare.
SaaS — which stands for Software as a Service — is really just any software you subscribe to online. It's becoming ubiquitous, but it isn't always as secure as we might hope. Think about all those websites we sign into every day — all those services, from mobile banking apps to email. Risher says figuring out how SaaS can be cracked could help these kids avoid hundreds of headaches later in life.
Hacking The Internet Of Things
But hacking software on websites, computers and apps is just the beginning at r00tz. Today, all sorts of devices and physical things are being connected to the Internet.
"Everything that could possibly be connected will be connected," said Marc Rogers, a security expert at Lookout. "We have watches that can be connected. We have televisions that can be connected. We have radios that can be connected. My stereo system calls Japan on a regular basis."
But that means all these things can now be hacked. Even thermostats are connected to the Internet and run software.
"The flip side is by changing things like this we change their value for a bad guy," Rogers said.
Hack a connected thermostat, and a burglar could figure out when you are out of town. Hack a million connected thermostats and you can attack the electrical grid.
And Rogers says the security in many so-called smart things is so lax that hacking into them is child's play.
Back at r00tz, 13-year-old Neal Delosruyes decided he'd try to hack a smart TV at camp.
"Just for the fun of it — I just wanted to try it out," Delosruyes said. "And this is my first year so I just wanted to try some new things."
To be fair, Delosruyes had some accomplished teachers. Aaron Grattafiori and Josh Yavor work at the security firm iSEC Partners. A couple of months ago, they figured out how to hack into Samsung's smart TVs.
"We could hijack the TV and see the camera remotely," said Grattafiori. They were able to turn the camera on, take pictures and record video without the owner's knowledge.
Bug Bounty Hunters
Samsung made some fixes but other little bugs remained, like those in the Facebook app built by Samsung for its TVs. Then, Grattafiori and Yavor had an idea — why not teach kids how to find those bugs? Grattafiori ran it by Facebook.
"They were definitely game with the idea of having the kids find bugs. They thought that was cool," he said. After all, finding bugs and fixing them helps Facebook. "It's their name so they don't want their users at risk — so hopefully we can have a 10-year-old do it."
Both Facebook and Samsung have something called a bug bounty program. That means these companies will pay hackers real money if they find security holes in their products and report them. These bounties can sometimes be worth thousands of dollars per bug. And within just a few hours, the kids at this camp found three bugs.
"I knew it was a minimum of $1,000," said one girl, who goes by the hacking handle Cy-Fi. But Cy-Fi doesn't plan to keep all the cash for herself.
"I get a third of it," she said. "Then another third goes to my education and then another third goes to my favorite nonprofit."
In Cy-Fi's case, her favorite nonprofit is the Electronic Frontier Foundation. She's 13. She's been the victim of identity theft and she doesn't think kids should use their real names online. She said EFF defends privacy rights online and stands up for hacker rights.
Neal Delosruyes found a bug too. And Neal is going to give some of his cash bounty to his church to help underprivileged children in Africa. Talk about a white hat hacker.
Copyright 2021 NPR. To see more, visit https://www.npr.org.