It took the hackers one day to break into the smart lock used to secure people’s front doors. But breaking and entering wasn’t the goal — the hackers wanted access to the “smart hub” that controlled this lock and others like it across the globe. Two days later, they were in.
When Charles Dardaman, a 20-something hacker and video game enthusiast living in Dallas, and his friend Jason Wheeler, an information security expert, opened the hub, they found the admin password hardcoded on its memory card. This was much more valuable than just breaking into the smart lock itself. Smart hubs, like the ones made by the technology company Zipato, control a variety of gadgets from locks to thermostats and security systems. Gaining admin access to the hub was like getting a master key to any home that used Zipato’s tech. “If I’m attacking someone’s network, I view it as either I win and I get in, or I lost,” said Dardaman. This time, he won.
But Dardaman wasn’t after people’s stuff. In fact, he and Wheeler immediately notified Zipato about the breach.
Dardaman and Wheeler are ethical hackers — people who break into systems for a living to help make technology more secure. These “white-hat hackers” differentiate themselves from criminal hackers in that they won’t do anything illegal. Many work for government agencies or corporations, while others operate out of home laboratories, preferring to just hack for fun.
But that doesn’t mean all their hacks are strictly authorized. While Dardaman and Wheeler spend their workdays hacking into companies that have asked them to test their vulnerabilities, they spend their nights and weekends pursuing unofficial “side projects.”
One of those weekend experiments was the Zipato hack, inspired by fellow information security expert Lesley Carhart, who, when she found out her landlord was switching the entire apartment building to smart locks earlier this year, decided to start looking for a new home.
Dardaman and Wheeler hacked into the hub to prove Carhart’s apprehension was well founded. They gave the report to TechCrunch, and the news immediately went viral. “Companies are putting smart home technology out there without security because they don’t think anyone will check,” Dardaman explained.
This type of ethical hacking can have real implications for people’s safety.
In 2015, hackers were able to remotely hijack a Jeep while someone was driving, prompting Chrysler to recall 1.4 million vehicles. Hackers from the white-hat collective Anonymous Calgary Hivemind broke into Nest security cameras last year to warn people about vulnerabilities — scaring homeowners and forcing Nest to reset passwords and encourage users to adopt two-factor verification. Earlier this year, ethical hackers revealed that security vulnerabilities in Medtronic heart implants could allow an attacker to change a patient’s implant settings from as far as 20 feet away. The Food and Drug Administration is currently working with Medtronic to fix the vulnerabilities as a result of the hackers’ report.
These hackers are aware of how most people associate their craft with criminality. “People talk about life hacking or travel hacking and there’s no negative connotation,” said a hacker who goes by wirefall and asked not to be identified by their real name. “But put ‘computer’ with it and it becomes this scary hooded figure. Locksmiths don’t get asked, ‘Why didn’t you get into burglary?’”
But the relationship between ethical hackers and the companies they hack into can be tenuous. While some organizations welcome the knowledge, others see hackers as the enemy and hardly distinguish between white hats and cybercriminals. “For many companies, it’s cheaper to pay a fine than do security right,” wirefall added. Without adequate regulation, some hackers say, media attention and public pressure can be the best way to enforce security.
For Dardaman, criminal hacking was never an option. “I wanted a normal life,” he said. “And a 401(k).”
The summer between high school and college, he started writing cheats for the video game Minecraft and fell in love with the puzzle-solving aspects of legal hacking. By the time he graduated from university with a degree in information technology, he knew he would be an ethical hacker.
Today, Dardaman works at Critical Start, a firm that contracts out ethical hackers to large corporations and banks. The company is part of a growing information security industry that’s working to stem the rising tide of cyberattacks.
The field started to grow in the early 2000s in response to early data breaches and the advent of social media and online retail. In those days, it wasn’t unusual for people to go from criminal hacking into white-hat hacking after being caught by the government. Now people like Dardaman can take ethical hacking courses in school and receive online certifications in cybersecurity.
Most of Dardaman’s contracts run between one and two weeks. Oftentimes, a company won’t tell their security team Dardaman is there, allowing him to move around their networks quietly, observing how things work and finding his way deeper into the system. But the cat-and-mouse game only lasts a few days.
“The goal is by the end of the week that I’m extremely loud,” he added, noting that his final move is typically to gain domain access to the company’s servers to set off alarms on the security team. “If they don’t catch me by the end of the week, they should reassess their security tools.”
In his free time, Dardaman hacks smart home technology — appliances that can be voice-activated or remotely controlled with sensors or an internet connection — because he believes people don’t adequately understand the security risks.
A 2018 hack on a Guardzilla security camera allowed him to gain access to the information stored on users’ devices. (He notes he didn’t actually access the information, because that would be “very illegal.”)
“There’s no better way to protect your system than testing it as an adversary,” said Phillip Wylie, a penetration tester at US Bank and ethical hacking professor at Richland College. “This is the way a nation-state or a hacktivist or cybercriminal will try to break into the system.”
Like Dardaman, Wylie was drawn to mental puzzles, the excitement of breaking into a closed system. Before joining US Bank, he worked as a consultant, doing penetration tests, or authorized cyberattacks, on web apps. Once, he found a serious vulnerability that allowed him to gain access to a client’s core database. “The password was ‘password1,’” he said. He used a tool called John the Ripper to get inside (it took him all of 30 seconds). “I could add users to that system; I could’ve shut the server down, dumped the database, deleted records …”
But not all hackers are there solely to expose security risks. Jane Manchun Wong, a 23-year-old computer scientist in Hong Kong, spends her free time reverse-engineering apps to find out what features are coming next. “The stuff I find is public information,” Wong said. “It’s hiding inside everyone’s phone. It doesn’t make it illegal to extract it just because it’s hard to find.”
In April, she broke the news that Instagram was going to try hiding “like” counts on photos for certain users. “When I first posted about that, Instagram tried to say, ‘We’re not testing this.’ But the code exists — that’s the bottom line,” she said. Later that month, Instagram announced that it would in fact start to test hiding likes for some users in seven countries.
Still, Wong’s larger goals are the same. When she finds leaked user data in the code, she reports it to the company so it can fix the potential breach. She also does it for fun, saying she enjoys the puzzle-solving aspect.
In an interview with the BBC, Wong explained, “Since I started getting some interest and the companies started monitoring my tweets, more companies have been improving their app security. That is one of my points of doing this … companies will improve their app security so it’s harder to break in.”
Wong’s hacks have indeed garnered significant media attention. When she released the news about Instagram, “almost the entire internet blew up.” Wong noted that companies don’t like what she’s doing, but there’s not much they can do to keep her quiet.
Most white-hat hackers say they are not trying to make companies look bad. Typically, they’ll notify an organization privately and give them about 90 days — a norm promoted by Google’s Project Zero — to patch any security vulnerabilities. “If they respond and fix it, great,” said Dardaman, who abides by this strict ethical code. “If they say they won’t fix it, I release the report early. If they try to drag it out for six months, I’ll just drop it — there’s no reason not to. If it’s a real issue, then you should be able to fix it within that time frame.”
But many hackers say they feel a responsibility to let users know about security flaws. When companies get mad at them for exposing potential vulnerabilities, they question whether the organization is taking security seriously. “If someone finds a vulnerability and reports it and the vendor says they’re going to report them to law enforcement, that’s a problem,” Wylie said, even though these are ultimately empty threats. “You should be happy you got a free pen test.”
In the case of the Zipato smart hub, the company responded shortly after receiving the report, promising to fix the flaws as soon as possible. “They didn’t like to hear from me,” Dardaman said, laughing. “But they fixed it.”
A few weeks later, once that was done, he released the report.
All Rights Reserved for Zoe Schiffer