10 years after his epic MySpace hack, Samy Kamkar is trying to turn hackers into heroes (2023)

Samy Kamkar is in a dark room in Bally's Casino in Las Vegas; the room is lit by blue lights and the glow of laptop screens. A DJ is spinning lyric-less music while hackers sit at round tables intermittently coding and chatting. This is the designated "chill-out room" at DEFCON, the annual hacking convention, but Kamkar is not feeling chill at the moment. He's preparing to give a presentation to thousands of fellow hackers on how to "wirelessly steal cars," and he's still putting the finishing touches on his PowerPoint.

"I submitted the idea for this talk months ago, but I only did the work for it in the last two weeks," he explains. Kamkar, 29, knew the conference organizers would choose a talk about hacking cars, and he was so sure he'd find a security flaw that he proposed the talk before he actually found one. And he was right; in the month before the conference, he built a device that can wirelessly unlock people's cars.

"This security flaw has been known about for 20 years. That's why we have those RSA tokens with codes that only last for seconds," he says. "But you need a good demo for the car industry to take it seriously."

Kamkar may seem overly confident in his hacking abilities. But he's got a history to back up his bravado. In 2005, when he was 19, he found a flaw in MySpace's code that let him force any visitor to his profile to automatically become his friend and insert a line of text on their profiles that read: "samy is my hero." He was also able to inject the code into other users' MySpace profiles to replicate the virus. Within 20 hours, his friend count jumped from 73 to over a million, and the entire internet was freaking out about the "Samy worm." MySpace eventually had to go offline to fix the vulnerability.

"I had never written a virus before," Kamkar says now. "I had no idea how fast it would spread."

As a result of the Samy worm, Kamkar's MySpace account was deleted. Six months later, after putting him under online and physical surveillance, the Secret Service raided his home and office. He was charged with computer tampering, and reached a plea deal with prosecutors, agreeing to not touch a computer for three years.

"It was hard for the first week, but I managed. The hardest thing was not having access to Google Maps," Kamkar says. "It was actually good for me. I read books. It made me more sociable. I was shy and more anti-social before."

Kamkar continued working in technology even while banned from working with computers, as head of engineering at the start-up he had co-founded at 17, a VoIP for business service called Fonality. He couldn't touch a keyboard, but he could manage engineers who could. Soon after the ban was lifted, though, in 2010, he left the company, burnt out from the start-up life.

He says his felony criminal conviction hasn't hurt him in the working world, though he did have to talk Big Brother/Big Sister into ignoring its ban on felony convicts to let him mentor a youngster in L.A. who was interested in computers. He decided to stay independent, focusing on security research and engineering consulting. And he started a YouTube channel where he posts a popular series of geeky videos, showing viewers how to hack combination locks, drones, and cars.

"His videos are so personal, they're like DIY make-up tutorials," says Andrew Crocker, a lawyer at Electronic Frontier Foundation who works with hackers, including Kamkar, to help them disclose vulnerabilities to companies without getting in trouble. "He embodies the hacker's glee without being devious or malicious."

Kamkar's videos, along with his MySpace-hacking past, have given him elite status within the hacker community. When Kamkar visited the "DEFCON kids" area to give a talk about 3D-printing a tool that breaks master combination locks, a 12-year-old came up to Kamkar to ask for his autograph, saying he watches all of Kamkar's videos.

"He's a crypto rock star," remarked one of the DEFCON organizers. "I've never seen that before."

Years beyond his shy phase, Kamkar is no longer the stereotypical maladjusted hacker, like the ultra-awkward Elliot Alderson seen on USA's Mr. Robot. He's gregarious, extroverted, and hoodie-free. At DEFCON, he wore dark jeans, red leather Converse sneakers and a faded 'Blood, Sweat & Gears' t-shirt. Around his neck, he wears a chain with a tiny circuit board.

"It's a USB drive-by," he explains. When he plugs it into a USB drive, the computer thinks it's a keyboard, which computers always accept without authentication. "It types commands in a few seconds, and then I have a back door into their Macbook indefinitely," says Kamkar.

Companies used to ignore hackers who discovered security problems in their products, or threaten them with legal action and hope they'd go away. But after the high-profile hacks of Target, Home Depot, Sony Pictures, and other large companies, security has become a mainstream concern. And white-hat hackers like Kamkar, who understand security exploits and can help companies patch them before it's too late, have become the stars of a multi-billion-dollar industry.

The "cypher punks" who used to work in IT by day and play around with security projects on the side are now being recruited heavily by big technology companies and cybersecurity companies. The flaws they point out get written up by journalists, fixed by companies, and addressed by lawmakers who are worried about the economic impact of insecure products. The skills of the hackster-trickster are now understood to be incredibly valuable.

"More and more companies have a public security contact and bug bounty programs," says Kamkar. "They encourage security research as long as it doesn't harm them or their users, and they might even pay you for finding issues."

(Not every company takes such an open approach to hackers. Oracle's security chief recently complained in a now-deleted post about people looking at the company's code for flaws, while companies like GM and John Deere are trying to use copyright law to prevent hackers from touching their proprietary software.)

Kamkar is a hacker's hacker — a skilled coder who can impress the tech-savvy with the techniques involved in his latest hack, but also break down the stakes with flair and drama for the general public.

"Samy seems to have an uncanny capability of breaking anything he touches," says Mikko Hypponen, a well-known cybersecurity expert. "His research is important because he doesn't just focus on hacking computers but everything else."

Sometimes, his hacks shed light on serious vulnerabilities. (He made headlines in 2010 for the "evercookie," a zombie tracker he created that could recreate itself on someone's hard drive even after they'd cleared their cookies.) Other times, they're just for fun. Over dinner one night, he recalled that, as a single guy in his twenties, he took advantage of a cross-scripting vulnerability on a popular dating site to A/B test his messages to women. He sent two versions of his message to thousands of female users to see which did better. The vulnerability, which he never told the dating site about, let him see whether they'd opened his messages or not.

"I got many more dates," he said of the exploit. "But the hacking was more fun than the dates."

Kamkar says he got into hacking at 10 years old, as soon as he got a computer.

"My first day with it, I went into an IRC channel, and someone told me to 'get out or else.' I didn't and then my computer crashed," he says. "I was terrified and fascinated. If they could do that, I could do that."

He lived in a tiny apartment in L.A., with his mom, who was always working trying to keep them afloat, he says. Kamkar spent a lot of time on his computer and started hacking games, posting cheat software for his favorite, Counterstrike. The software was impressive enough that a gaming company in San Diego called him up and offered him a job. So at 16, he dropped out of high school and moved to a new city.

"When I got there, the company realized how young I was and said they weren't sure it was legal to hire me," he says. He told them it was okay because he had a work permit from his school. The form was forged, based on a template he found online. He also whipped up official-looking emancipation documents, so that, as a minor, he could sign contracts for an apartment and a phone.

In 2000, when he was 14, Kamkar went to his first DEFCON; the conference has been held annually in Las Vegas since the early 1990s. He describes his first of many DEFCON visits as "crazy." "My cell phone didn't work because someone was jamming," he says. "Attendees stole a golf cart and drove it into the pool, which they had dyed purple. They took over the TVs. I saw a woman topless for the first time. In person, that is."

DEFCON is much tamer these days, thanks in part to the mainstreaming of security technology. The weekend conference now attracts 19,000 attendees, many of them from big tech companies and cybersecurity firms with flush expense accounts. Facebook sponsors a party at the Wynn Casino, as does Rapid 7, a large cybersecurity firm that recently went public. These days, the biggest trouble caused by DEFCON attendees is jamming up the local radio frequencies, flooding them with vile language to the angst of ham radio operators, and taking pictures of attendees without permission — a huge no-no for the privacy-conscious group. It "reminded me of going to see a great aunt on life support," complained one attendee on Twitter.

At this year's DEFCON, the most anticipated presentation was that by venerated security researchers Charlie Miller and Chris Valasek, who demonstrated that Chrysler had a vulnerability in its UConnect wi-fi system that allowed them to hack a Jeep from afar — blasting the car's music, turning on the windshield wipers and screwing with the speed of the car. Kamkar chose to do a car-hacking talk in part because of Miller, who is a kind of hacker-hero to him.

"He's been doing crazy exploits for years," says Kamkar. "Before his work, I had no idea cars were connected to so many things."

The preeminent car hackers admired Kamkar back, saying his presentation was the only one (beyond their own) that they attended at DEFCON.

"Hacking is fun," says Kamkar. "It's a puzzle. It's such a good feeling when you solve something that wasn't meant to be solved. When something works, I jump up and do a dance for 10 minutes. It's a feeling I chase."

Kamkar is adept at conveying the fun of hacking, while emphasizing its seriousness. After discovering that many garages, including the one in his L.A. apartment building, can be opened by sending them a "fixed code," he reprogrammed a pink, hand-held messaging toy from Mattel to perform a brute force attack on a garage door's code that could crack it within 8 seconds. He called the device "OpenSesame" and announced it the month before the conference on his YouTube channel.

Kamkar's tease worked. Thousands of hackers filled the huge room where he gave his talk in front of the DEFCON logo—a smiley face and crossbones.

But the highlight of Kamkar's talk was the "RollJam," a device he built for around $30 in parts, which can unlock many different types of car remotely. Most cars' remoteless key fobs use a "rolling code" system to communicate with cars, so that each code sent from your fob to your car is unique. But his radio-frequency sniffing device intercepts the "rolling code" and jams the car from getting it. When a person's fob doesn't work, they push the button again, sending a second code that his device intercepts. It then replays the first signal to pop the locks, but it sits on the second code to use later.
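A toy model of the sequence described above, added here for illustration (it is not Kamkar's RollJam code and involves no radio): it shows why a withheld rolling code is still accepted later, and why a code that expires after a few seconds, the property Kamkar points to in RSA tokens, is not. The HMAC frame format, the key, the counter window, the five-second lifetime and a fob with a clock are all assumptions made for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16                    # assumed look-ahead window of counters
TTL = 5                        # assumed code lifetime in seconds


def mac(counter: int, issued_at: int) -> str:
    """Tag binding a button-press counter to the time it was issued."""
    msg = counter.to_bytes(4, "big") + issued_at.to_bytes(8, "big")
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self, now: int) -> tuple:
        self.counter += 1  # every press produces a new, unique code
        return (self.counter, now, mac(self.counter, now))


class Car:
    def __init__(self, expire_codes: bool):
        self.last = 0                     # highest counter accepted so far
        self.expire_codes = expire_codes  # False models a plain rolling code

    def receive(self, frame: tuple, now: int) -> bool:
        counter, issued_at, tag = frame
        if not hmac.compare_digest(tag, mac(counter, issued_at)):
            return False  # forged or corrupted frame
        if not (self.last < counter <= self.last + WINDOW):
            return False  # already used, or too far ahead
        if self.expire_codes and now - issued_at > TTL:
            return False  # genuine code, but stale
        self.last = counter
        return True


def held_code_accepted(expire_codes: bool, delay: int = 3600) -> bool:
    """Run the article's sequence; report whether the withheld code works later."""
    fob, car = Fob(), Car(expire_codes)
    first = fob.press(now=0)   # never reaches the car
    second = fob.press(now=2)  # never reaches the car, held back
    assert car.receive(first, now=2)           # first code delivered: car unlocks
    return car.receive(second, now=2 + delay)  # held code presented after `delay`
```

`held_code_accepted(False)` returns `True` because the car has never seen the second counter value; with `expire_codes=True` the same frame is rejected once it is older than `TTL`.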

Kamkar imagines that a car thief could plant a RollJam-like device under a target's car, and then break into it whenever he or she wanted. He's releasing the code for RollJam online, but it will be broken, missing a line. "Criminals won't be able to use it but a security researcher could," he says. "If criminals ever get high-tech, we're screwed."

He says it's already happening, pointing to a newscast from March, "Thieves Now Use Mysterious Electronic Device to Unlock, Break into Cars."

"I hope this changes the future of car key security," says Kamkar.

After his talk, Kamkar moved to the side of the room while sipping a yellow can of Rock Star Energy, to talk to attendees. A firefighter came up to him, asking if he could work with him to use his garage door opener when fighting house fires. It would save them from having to break someone's door down. "I'm not sure about the legality of that," he said.

Then two attendees who worked in security at an automotive company approached him to tell him they liked his talk and love his videos.

"My email has been blowing up because of your key fob research," one says.

They say his work makes their jobs harder, but that his adeptness at getting media attention means that their higher-ups take notice and give them more resources to shore up security.

In other words, the automotive security guys want to help Kamkar hack them. They suggest he check out a particular wireless spectrum used by an auto company for vulnerabilities and recommend a tool he can use to read signals coming off engines. ("You guys just saved me hours of research," Kamkar says.)

There's a virtuous circle to hacking. It leads to freak-outs, but seems to be the only thing that convinces companies to get serious about spending money on security. With his simple tutorials and emphasis on the inexpensive tools he uses, Kamkar is trying to make it as easy, and cheap, as possible for other people to get into hacking to increase the pressure on companies to improve their wares.

Later, over the phone, Kamkar says: "What I like about my work is making people and companies more cognizant of these issues. I hope it leads to better experiences for users and consumers."

Then, as if to distill his message for a lay observer, he adds: "Anyone can break into my mom's car. That's not cool."

Article information

Author: Kimberely Baumbach CPA

Last Updated: 12/30/2022
