Interview: Samy Kamkar, Security & Privacy Researcher

Today, we're talking with my good friend, Samy Kamkar. Samy is a security and privacy researcher, computer hacker, whistleblower, entrepreneur. At the age of 17, he co-founded Fonality. It's a unified communications company which ended up raising $24 million in private funding. And ever since, he's been doing amazing security research.

Samy is probably most recently famous for creating SkyJack, a custom drone which hacks into any nearby Parrot drones allowing them to be controlled by the operator. We discuss what led Samy to create SkyJack, his continual work on RFID security, and the implications of XSS ten years after the "Samy Worm."

The following is a brief excerpt of our interview. 

Jeff Williams: I know you've done a bunch of work in RFID, and this is interesting and maybe more personal to people because everybody has RFID stuff all over them now. What are you doing there?

Samy Kamkar: RFID is pretty cool, right, it allows near field communication for security badges. Let's say you have an HID badge that allows you to get into a corporate building or a garage. This technology is also now in credit cards. I'd say a bunch of credit cards now have RFID chips in them and what's really interesting about this is most people who have an RFID credit card don't even know. We don't have too many places that have point-of-sale systems that actually accept RFID, but the nice thing about those RFID cards is you don't have to swipe the back stripe. All you have to do is pass it or get it close enough to the point-of-sale system.

So immediately, when I found out about that, and probably it's been at least five years, I started looking into it. So, I started looking first at the access control systems, specifically HID and a few others, and looking at their sort of basic technology...believe me these HID tags were actually very simple. Essentially, an access reader sending out energy that turns on when we pass and these tags receive that energy wirelessly, they'll send back a unique identifier, and that's it. We're talking about a string of digits or a sting of binary and that's the only protection. It's essentially a password, but the problem with that password is that it can be set by anyone. You don't have to press a button. You don't have to turn it on. You simple have to be in range. Call it a few inches with a traditional pad reader and you can read that information.

Jeff Williams: Well, what's the range with a non-traditional RFID reader?

Samy Kamkar: I have seen some non-traditional RFID readers that go at least many meters. I've heard some, I believe there's a DEF CON talk around reading e-passwords from even further, but I don't have the numbers on that. I know people have done some work in long-range RFID reading, which is super interesting because now you're talking about just being able to steal information, essentially steal keys to buildings, I mean corporate buildings from far away.

Jeff Williams: Right.

Samy Kamkar: And what's beautiful about the exploitation of what's possible now was one of the things I created on one of the developers on the Proxmark system. Proxmark is a hardware penetration tool for RFID, and originally, you always needed to connect it to a computer or laptop. The device itself is credit card size. One of the things I had built into it is a little software that allows all the technology to live on the Proxmark device. So now using my firmware, you can actually just walk around without a laptop, with just this credit card sized Proxmark device, have a little antenna about the size of a credit card, it could be in your sleeve, or it could be in your pocket, and just walk around in Times Square and you'll just start picking up people's IDs.

Jeff Williams: That's just crazy.

Samy Kamkar: Yeah, it's absolutely crazy. Obviously, this is interesting in a targeted attack, if you want to go and, say, target a certain in the building or corporation.

Jeff Williams: No, what I do I care? I just go to a football game and just walk around and gather everybody's credit card numbers.

Samy Kamkar: Yeah, yeah. And so for credit card numbers there is some encryption that is on there, but the nicest thing about that is that because there are so many of these point-of-systems that actually are able to do the decryption, the decryption happens on the point-the-sale system and then is authorized. So you can actually just a buy a point-of-sale system from one of these companies and they were these small USB-based point-of-sale system, not much larger than a credit card, you can probably buy it for $50 to $100 brand new, you could probably get it cheaper used, and, again, connect that to something like a Raspberry Pi computer, have it in your pocket, and, like you said, walk around a ballgame.

Jeff Williams: Amazing. So are there any defenses against that? What should people do? I don't get the sense that people are outraged about this.

Samy Kamkar: People aren't outraged because I don't think enough people know about it. It's not that big. A lot of the work that I did was many years ago and hasn't been demonstrated recently. I think a nice, fun public demonstration might in order soon to see how easy it is, how trivial it is. And, again, once people understand how easy it is and, partially, that's using getting that software away. Right? Making it, just like you said, with Firesheep. Sort of allowing anyone to download something and be able to do this sort of malicious thing really puts onus on everyone to sort of jump and down and say, "Okay, we can't have this. Like this is unacceptable. We need to change the system immediately."

Jeff Williams: It's been years since you've been banned from touching computers. So, actually, tell me a little bit about that. We're coming up on the 10-year anniversary of the "Samy Worm". It's the first self-propagating XSS worm and I'm wondering, from your perspective, it's been 10 years. Why do you think XSS is still so prevalent in software development?

Samy Kamkar: Oh, man, that's a really good question. I'd say, for one, it's probably the easiest error to make. Taking input from the user is one of biggest things, besides actually displaying content, is pretty much the second largest thing I'd assume, that you're doing on website and actually sanitizing them, to put it properly, sometimes it can be a challenge. There are frameworks that exist that help and there are systems that look for these types of attacks. I'd say that security is just typically not the primary focus of companies or businesses when they're building products. I can understand that driving product is their first priority. And it's sort of like any of the, let's say, interesting projects that I work on, most people don't really know what happens until you show them in a big way.

Jeff Williams: Stopping XSS is still really tricky. You've got to really understand the context that you're writing that data out into. And you can follow the framework all you want, but there's always going to be those corner cases when you need to put some untrusted data into a chunk of JavaScript or something and you just don't escape it right.

Samy Kamkar: Right.

To hear the entire interview, learn more about the creation of SkyJack, and Samy's thoughts on software development and security in an era where so many organizations are moving towards agile and dev ops processes, please download the complete interview from iTunes.

Photo By Jock Fistick