Samy Kamkar is in a dark room in Bally’s Casino in Las Vegas; the room is lit by blue lights and the glow of laptop screens. A DJ is spinning lyric-less music while hackers sit at round tables intermittently coding and chatting. This is the designated “chill-out room” at DEFCON, the annual hacking convention, but Kamkar is not feeling chill at the moment. He’s preparing to give a presentation to thousands of fellow hackers on how to “wirelessly steal cars,” and he’s still putting the finishing touches on his PowerPoint.
“I submitted the idea for this talk months ago, but I only did the work for it in the last two weeks,” he explains. Kamkar, 29, knew the conference organizers would choose a talk about hacking cars, and he was so sure he’d find a security flaw that he proposed the talk before he actually found one. And he was right; in the month before the conference, he built a device that can wirelessly unlock people’s cars.
“This security flaw has been known about for 20 years. That’s why we have those RSA tokens with codes that only last for seconds,” he says. “But you need a good demo for the car industry to take it seriously.”
Kamkar may seem overly confident in his hacking abilities. But he’s got a history to back up his bravado. In 2005, when he was 19, he found a flaw in MySpace’s code that let him force any visitor to his profile to automatically become his friend and insert a line of text on their profiles that read: “samy is my hero.” He was also able to inject the code into other users’ MySpace profiles to replicate the virus. Within 20 hours, his friend count jumped from 73 to over a million, and the entire internet was freaking out about the “Samy worm.” MySpace eventually had to go offline to fix the vulnerability.
“I had never written a virus before,” Kamkar says now. “I had no idea how fast it would spread.”
As a result of the Samy worm, Kamkar’s MySpace account was deleted. Six months later, after putting him under online and physical surveillance, the Secret Service raided his home and office. He was charged with computer tampering, and reached a plea deal with prosecutors, agreeing to not touch a computer for three years.
“It was hard for the first week, but I managed. The hardest thing was not having access to Google Maps,” Kamkar says. “It was actually good for me. I read books. It made me more sociable. I was shy and more anti-social before.”
He says his felony criminal conviction hasn’t hurt him in the working world, though he did have to talk Big Brother/Big Sister into ignoring its ban on felony convicts to let him mentor a youngster in L.A. who was interested in computers. He decided to stay independent, focusing on security research and engineering consulting. And he started aYouTube channel where he posts a popular series of geeky videos, showing viewers how to hack combination locks, drones, and cars.
“His videos are so personal, they’re like DIY make-up tutorials,” says Andrew Crocker, a lawyer at Electronic Frontier Foundation who works with hackers, including Kamkar, to help them disclose vulnerabilities to companies without getting in trouble. “He embodies the hacker’s glee without being devious or malicious.”
Kamkar’s videos, along with his MySpace-hacking past, have given him elite status within the hacker community. When Kamkar visited the “DEFCON kids” area to give a talk about 3D-printing a tool that breaks master combination locks, a 12-year-old came up to Kamkar to ask for his autograph, saying he watches all of Kamkar’s videos.
“He’s a crypto rock star,” remarked one of the DEFCON organizers. “I’ve never seen that before.”
“It’s a USB drive-by,” he explains. When he plugs it into a USB drive, the computer thinks it’s a keyboard, which computers always accept without authentication. “It types commands in a few seconds, and then I have a back door into their Macbook indefinitely,” says Kamkar.
Companies used to ignore hackers who discovered security problems in their products, or threaten them with legal action and hope they’d go away. But after the high-profile hacks of Target, Home Depot, Sony Pictures, and other large companies, security has become a mainstream concern. And white-hat hackers like Kamkar, who understand security exploits and can help companies patch them before it’s too late, have become the stars of a multi-billion-dollar industry.
The “cypher punks” who used to work in IT by day and play around with security projects on the side are now being recruited heavily by big technology companies and cybersecurity companies. The flaws they point out get written up by journalists, fixed by companies, and addressed by lawmakers who are worried about the economic impact of insecure products. The skills of the hackster-trickster are now understood to be incredibly valuable.
“More and more companies have a public security contact and bug bounty programs,” says Kamkar. “They encourage security research as long as it doesn’t harm them or their users, and they might even pay you for finding issues.”
(Not every company takes such an open approach to hackers. Oracle’s security chief recently complained in a now-deleted post about people looking at the company’s code for flaws, while companies like GM and John Deere are trying to use copyright law to prevent hackers from touching their proprietary software.)
Kamkar is a hacker’s hacker — a skilled coder who can impress the tech-savvy with the techniques involved in his latest hack, but also break down the stakes with flair and drama for the general public.
“Samy seems to have an uncanny capability of breaking anything he touches,” says Mikko Hypponen, a well-known cybersecurity expert. “His research is important because he doesn’t just focus on hacking computers but everything else.”
“I got many more dates,” he said of the exploit. “But the hacking was more fun than the dates.”
Kamkar says he got into hacking at 10 years old, as soon as he got a computer.
“My first day with it, I went into an IRC channel, and someone told me to get out or else.’ I didn’t and then my computer crashed,” he says. “I was terrified and fascinated. If they could do that, I could do that.”
He lived in a tiny apartment in L.A., with his mom, who was always working trying to keep them afloat, he says. Kamkar spent a lot of time on his computer and started hacking games, posting cheat software for his favorite, Counterstrike. The software was impressive enough that a gaming company in San Diego called him up and offered him a job. So at 16, he dropped out of high school and moved to a new city.
“When I got there, the company realized how young I was and said they weren’t sure it was legal to hire me,” he says. He told them it was okay because he had a work permit from his school. The form was forged, based on a template he found online. He also whipped up official looking emancipation documents, so that, as a minor, he could sign contracts for an apartment and a phone.
In 2000, when he was 14, Kamkar went to his first DEFCON; the conference has been held annually in Las Vegas since the early 1990s. He describes his first of many DEFCON visits as “crazy.” “My cell phone didn’t work because someone was jamming,” he says. “Attendees stole a golf cart and drove it into the pool, which they had dyed purple. They took over the TVs. I saw a woman topless for the first time. In person, that is.”
DEFCON is much tamer these days, thanks in part to the mainstreaming of security technology. The weekend conference now attracts 19,000 attendees, many of them from big tech companies and cybersecurity firms with flush expense accounts. Facebook sponsors a party at the Wynn Casino, as does Rapid 7, a large cybersecurity firm that recently went public. These days, the biggest trouble caused by DEFCON attendees is jamming up the local radio frequencies, flooding them with vile language to the angst of ham radio operators, and taking pictures of attendees without permission — a huge no-no for the privacy-conscious group. It “reminded me of going to see a great aunt on life support,” complained one attendee on Twitter.