Samy Kamkar

Kamkar speaking at the Black Hat conference in 2010
Born: December 10, 1985 (age 38)
Nationality: American
Occupation(s): Privacy and security researcher, computer hacker, whistleblower and entrepreneur
Known for: Releasing the Samy worm, Evercookie, SkyJack, and iPhone, Android and Windows Mobile phone tracking research
Website: samy.pl

Samy Kamkar (born December 10, 1985) [1] is an American privacy and security researcher, computer hacker and entrepreneur. At the age of 16, he dropped out of high school. [2] One year later, he co-founded Fonality, a unified communications company based on open-source software, which raised over $46 million in private funding. [3] In 2005, he created and released the fastest spreading virus of all time, [4] the MySpace worm Samy, and was subsequently raided by the United States Secret Service under the Patriot Act. [5] He also created SkyJack, a custom drone which hacks into any nearby Parrot drones, allowing them to be controlled by its operator, [6] and created the Evercookie, which appeared in a top-secret NSA document [7] revealed by Edward Snowden and on the front page of The New York Times. [8] He has also worked with The Wall Street Journal, and discovered the illicit mobile phone tracking where the Apple iPhone, Google Android and Microsoft Windows Phone mobile devices transmit GPS and Wi-Fi information to their parent companies. His mobile research led to a series of class-action lawsuits against the companies and a privacy hearing on Capitol Hill. [9] Kamkar has a chapter giving advice in Tim Ferriss' book Tools of Titans.


Work

Samy worm

In 2005, Kamkar released the Samy worm, the first publicly released self-propagating cross-site scripting worm, onto MySpace. [10] The worm carried a payload that would display the string "but most of all, Samy is my hero" on a victim's profile and cause the victim to unknowingly send a friend request to Kamkar. When a user viewed that profile, they would have the payload planted on their page. Within just 20 hours [11] of its October 4, 2005 release, over one million users had run the payload, [12] making it the fastest spreading virus of all time. [4] The MySpace team temporarily shut down MySpace to fix the problem that allowed the worm to operate.

In 2006, Kamkar was raided by the United States Secret Service and Electronic Crimes Task Force, expanded from the Patriot Act, for releasing the worm. [5] After being offered a plea bargain carrying no prison time but requiring a fine of US$20,000, three years of probation and 720 hours of community service, Kamkar pleaded guilty to a felony charge of computer hacking in Los Angeles Superior Court. [13] Also under that agreement, Kamkar was allowed to keep a single computer that was not connected to a network, but was explicitly prohibited from any internet access during his sentence. [14] Since 2008, Kamkar has been doing independent computer security and privacy research and consulting. [15]

Notable works

In 2008, after Kamkar's restriction from computers was lifted, he demonstrated weaknesses in Visa, MasterCard and Europay credit cards with near field communication (NFC) and radio-frequency identification (RFID) chips built in and released software demonstrating the ability to steal credit card information, including name, credit card number, and expiration date, wirelessly from these cards. [16] [17] He also released code demonstrating wireless identity theft of physical access control cards, including that of HID Global cards, using RFID with the use of only a credit card sized device, removing the need for any computer to be connected. [18] [19]

In 2010, Kamkar traveled to more than a dozen countries speaking about his mobile security research and weaknesses he discovered from his cryptanalysis of the PHP programming language, including speaking at some of the largest annual hacker conventions in the world such as DEF CON, Black Hat Briefings and ToorCon. [20] [21] [22]

In late 2010, Kamkar traveled to Bratislava to attend Faraday Hack Day to help expose political and corporate corruption within Slovakia's government. [23] [failed verification]

In early 2011, Kamkar joined the Board of Directors of Brave New Software, [24] a non-profit organization originally funded by a multimillion-dollar U.S. State Department grant. [25] The nonprofit is responsible for creating uProxy with the University of Washington and Google Ideas, a browser extension intended to allow users in repressive regimes to access the Internet without being monitored. The nonprofit also created Lantern, a network designed to circumvent Internet censorship and defeat the suppression of digital information and freedom of speech. [26]

In addition to releasing the Evercookie as free and open source software, and exposing the surreptitious collection of data by Apple, Google and Microsoft, [27] in 2011, Kamkar also exposed KISSmetrics, an online advertising network, and Hulu as recreating tracking cookies after consumers deleted them by storing the unique tracking identifiers in Flash cookies and HTML5 Local Storage, which were not automatically deleted when consumers cleared their browser cookies. [28] [29] Several companies identified as performing cookie respawning were subsequently sued by class-action lawyers. In January 2013, KISSmetrics settled its cookie respawning related lawsuit for $500,000. [30]

Flaw in PHP

In early 2010, Kamkar discovered a major flaw in all versions of the PHP programming language, specifically in the pseudorandom number generator, which allowed an attacker to hijack the session ID of a user and take over their session. [31] Kamkar released a patch [32] and once fixed, released exploit code demonstrating the attack which was possible on major banks, social networks, and forums. [33] [34] [35]

Evercookie

In 2010, Kamkar released Evercookie, a cookie that "apparently cannot be deleted", which subsequently was documented on the front page of The New York Times. [8] [36] [37] In 2013, a top-secret NSA document was leaked [7] by Edward Snowden citing Evercookie as a method of tracking Tor users.

Mobile research

In 2011, Kamkar discovered that iPhone, Android and Windows Phone mobile devices were continuously sending GPS coordinates, correlated to Wi-Fi MAC addresses, back to Apple, Google and Microsoft respectively, and released his research through several front-page articles in The Wall Street Journal. [27] [38] [39] The iPhone would continue to send location data "even when the location services were turned off". [38] The Windows Phone would also continue to send location data "even when the user has not given the app permission to do so". He discovered that some of this data was exposed by Google and he released Androidmap, a tool exposing Google's database of Wi-Fi MAC addresses correlated to the physical coordinates populated by Android phones. [40]

Parrot AR Drone research

In 2013, Kamkar created SkyJack, a combination of open source software and hardware to run on an unmanned aerial vehicle which was "engineered to autonomously seek out, hack, and wirelessly take over other Parrot drones within wifi distance, creating an army of zombie drones". [6] [41] The entire software and hardware specification was released as open source and detailed on his website. [41] [42] The software was released one day after Amazon.com announced Amazon Prime Air, a possible future delivery service using drones to deliver small packages as early as 2015. [43]

Automotive security research

On July 30, 2015, Kamkar introduced OwnStar - a small electronic device that could be concealed on or near a General Motors vehicle to interpose itself between the vehicle's OnStar link and the driver's OnStar RemoteLink app. In this classic man-in-the-middle attack, Kamkar, or any unauthorized user, could substitute his OnStar commands to locate, unlock, or start the vehicle. By August 11, General Motors had released upgrades to the OnStar server software and RemoteLink app to block such attacks. [44]

In 2015, it was reported that Kamkar had built an inexpensive electronic device about the size of a wallet that could be concealed on or near a locked vehicle to capture a single keyless entry code to be used at a later time to unlock the vehicle. The device transmits a jamming signal to block the vehicle's reception of rolling code signals from the owner's fob, while recording these signals from both of the two attempts the owner needs to unlock the vehicle. The recorded first code is sent to the vehicle only when the owner makes the second attempt, while the recorded second code is retained for future use. Kamkar stated that this vulnerability had been widely known for years to be present in many vehicle types, but was previously undemonstrated. [45] A demonstration was announced for DEF CON 23. [46]
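
The receiver-side logic behind the paragraph above, as an added example (not Kamkar's code or any vendor's): a simplified counter-based rolling code in which the key, the counter-plus-HMAC code format and the 16-code window are assumptions. It goes one step past the text by showing that, in this model, the retained code stops being accepted once the receiver hears any later code from the fob.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead window; real receivers vary


def code_for(key, counter):
    """Constructed code format: 4-byte counter followed by a truncated HMAC."""
    c = counter.to_bytes(4, "big")
    return c + hmac.new(key, c, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        # Every press advances the counter, whether or not anyone hears it.
        self.counter += 1
        return code_for(self.key, self.counter)


class Receiver:
    def __init__(self, key):
        self.key, self.last = key, 0

    def would_accept(self, code):
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, code_for(self.key, counter)):
            return False  # not produced with the shared key
        # Only codes newer than the last accepted one, within the window.
        return self.last < counter <= self.last + WINDOW

    def receive(self, code):
        ok = self.would_accept(code)
        if ok:
            self.last = int.from_bytes(code[:4], "big")
        return ok


def scenario():
    key = b"constructed-demo-key"  # sample key, constructed for this example
    fob, rx = Fob(key), Receiver(key)
    first = fob.press()   # jammed: the receiver never hears it
    second = fob.press()  # jammed as well
    out = {}
    out["first_replayed"] = rx.receive(first)         # vehicle responds to the owner
    out["second_still_valid"] = rx.would_accept(second)  # unheard, so still fresh
    third = fob.press()                               # a later, unjammed press
    out["third_accepted"] = rx.receive(third)
    out["second_after_third"] = rx.receive(second)    # now behind the counter
    out["first_again"] = rx.receive(first)            # plain replay of a used code
    return out


if __name__ == "__main__":
    for step, accepted in scenario().items():
        print(f"{step}: {accepted}")
```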

Magnetic stripe and credit card emulation device

On November 24, 2015, Samy Kamkar released MagSpoof, [47] a portable device that can spoof/emulate any magnetic stripe or credit card "wirelessly", even on standard magstripe readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

In his own words, MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.

Internet traffic hijacking

On November 16, 2016, Samy Kamkar released PoisonTap, [48] a USB Ethernet emulator that can be used to hijack all Internet traffic on a target machine, even if the computer was password protected and locked.

A backdoored device can be remotely forced to make a request with its user's cookies on HTTP (unsecured) websites that have no security flags, meaning that the attacker can remotely impersonate a local user.
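
A defender-side check for the condition described above, added here as an example (not part of PoisonTap or the original page): it audits `Set-Cookie` values for the flags that decide whether a browser attaches a cookie to a plaintext HTTP request. The header values and function names are constructed for illustration.

```python
# Constructed sample Set-Cookie values (not taken from any real site).
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Secure-id=42; Path=/; HttpOnly",
    "track=1; Domain=example.test; Secure; SameSite=None",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Return the cookie name, its findings, and whether it travels over HTTP."""
    name, attrs = parse_set_cookie(value)
    secure = "secure" in attrs
    findings = []
    if not secure:
        findings.append("missing Secure: sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        findings.append("missing SameSite: cross-site behaviour left to browser default")
    elif samesite == "none":
        findings.append("SameSite=None: attached to cross-site requests")
    # Cookie name prefixes: a browser refuses to store a cookie that breaks them.
    rejected = False
    if name.startswith("__Secure-") and not secure:
        rejected = True
    if name.startswith("__Host-") and (
        not secure or attrs.get("path") != "/" or "domain" in attrs
    ):
        rejected = True
    if rejected:
        findings.append("name prefix rules violated: browsers refuse to store it")
    return {
        "name": name,
        "findings": findings,
        "http_exposed": not secure and not rejected,
    }


def exposed_over_http(values):
    """Names of cookies a browser would attach to a plaintext HTTP request."""
    return [r["name"] for r in map(audit_cookie, values) if r["http_exposed"]]


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        result = audit_cookie(header)
        print(result["name"], "->", result["findings"] or "ok")
    print("exposed over HTTP:", exposed_over_http(SAMPLE_SET_COOKIE))
```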

On May 2, 2022, a suspected North Korean spy recruited a 38-year-old South Korean crypto exchange executive and a 29-year-old military officer to use PoisonTap in order to hack into the Korean Joint Command and Control System (KJCCS). [49]


References

  1. "Twitter / samykamkar". Twitter.
  2. "Samy Kamkar got 3-year computer ban now he's a hacker hero". Fusion (TV channel). September 28, 2015. Retrieved 2015-09-28.
  3. "Open Source - Fonality". Intel.
  4. Jeremiah Grossman (April 2006). "Cross-Site Scripting Worms and Viruses: The Impending Threat and the Best Defense" (PDF). Whitehat Security. Archived from the original (PDF) on 2011-01-04.
  5. "[Owasp-losangeles] OWASP LA". Retrieved 25 December 2015.
  6. Goodin, Dan (2013-12-08). "Flying hacker contraption hunts other drones, turns them into zombies". Ars Technica.
  7. "'Tor Stinks' presentation". The Guardian.
  8. "New Web Code Draws Concern Over Privacy Risks". The New York Times. October 10, 2010. Retrieved 2011-05-19.
  9. "Google and Apple on Capitol Hill for high-tech privacy hearing". CNN.
  10. "Cross-Site Scripting Worm Hits MySpace". Betanews. October 13, 2005.
  11. "MySpace Worm Explanation". Archived from the original on 24 September 2015. Retrieved 25 December 2015.
  12. "Cross-Site Scripting Worm Floods MySpace". Slashdot. 14 October 2005.
  13. "MySpace speaks about Samy Kamkar's sentencing". TechSpot. Retrieved 2017-07-15.
  14. "Greatest Moments In Hacking History: Samy Kamkar Takes Down Myspace". Vice-videos. Retrieved 2017-07-15.
  15. "Background Data". The Wall Street Journal. April 22, 2011.
  16. "chap.py".
  17. "RFIDiot Documentation".
  18. "SpiderLabs - Getting in with the Proxmark3".
  19. "Proxmark3 Code".
  20. "Samy Kamkar Talks". Retrieved 2013-04-28.
  21. "DEF CON 18 Speakers". Archived from the original on 2010-10-20. Retrieved 2013-04-28.
  22. "Black Hat USA 2010 Speakers". Retrieved 2013-04-28.
  23. "Faraday Hack Day". Retrieved 2013-04-28.
  24. "Brave New Software".
  25. "Brave New Software". Archived from the original on 2013-10-31. Retrieved 2013-10-30.
  26. "Lantern".
  27. "Apple, Google Collect User Data". The Wall Street Journal. April 22, 2011. Retrieved 2011-05-19.
  28. "Respawn Redux by Ashkan Soltani". 11 August 2011.
  29. "Samy Kamkar KISSmetrics Research" (PDF).
  30. Davis, Wendy (2013-01-23). "KISSmetrics Finalizes Supercookies Settlement". MediaPost New. Retrieved 2013-01-18.
  31. "PHP blunders with random numbers".
  32. "PHP 5.3.2 Release Announcement".
  33. Baldoni, Roberto; Chockler, Gregory (2012). Collaborative Financial Infrastructure Protection.
  34. "Attack on PHP sessions and random numbers".
  35. "Advisory: Weak RNG in PHP session ID generation leads to session hijacking".
  36. "'Evercookie' is one cookie you don't want to bite". MSNBC. September 22, 2010. Archived from the original on September 24, 2010. Retrieved 2011-05-19.
  37. "Q&A: Evercookie Creator Samy Kamkar". 31 August 2022.
  38. "Jobs Tries to Calm iPhone Imbroglio". The Wall Street Journal. April 28, 2011. Retrieved 2011-05-19.
  39. "Microsoft collects phone location data without permission". CNET Networks. September 2, 2011. Retrieved 2011-05-19.
  40. "Google's Wi-Fi Database May Know Your Router's Physical Location". Huffington Post. April 25, 2011. Retrieved 2011-05-19.
  41. "Samy Kamkar - SkyJack".
  42. "SkyJack source code". GitHub. 2013-12-08. Retrieved 2013-12-08.
  43. Strange, Adario. "Amazon Unveils Flying Delivery Drones on '60 Minutes'". Mashable. Retrieved 2013-12-01.
  44. Woodcock, Glen (2015-08-11). "OnStar Plugs Hacker Attacks". Autonet. Retrieved 2015-08-11.
  45. Thompson, Cadie (2015-08-06). "A hacker made a $30 gadget that can unlock many cars that have keyless entry". Tech Insider. Retrieved 2015-08-11.
  46. Kamkar, Samy (2015-08-07). "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars". DEF CON 23. Retrieved 2015-08-11.
  47. "samyk/magspoof". GitHub. Retrieved 25 December 2015.
  48. "samyk/poisontap". GitHub. Retrieved 16 November 2016.
  49. "Two South Koreans arrested for helping Pyongyang steal 'military secrets' | NK News". www.nknews.org. Archived from the original on 3 May 2022. Retrieved 15 May 2022.