IN AN AGE when hackers hire themselves out to organized crime schemes and sell secret intrusion techniques to spy agencies, Samy Kamkar takes a more fun-loving approach to dropping zero-day exploits: YouTube.
Kamkar is the one-man production team and star of a video series he calls Applied Hacking, a YouTube channel that has grown into a tour-de-force display of the 30-year-old coder’s prolific digital mischief. At his peak output, he teaches his more than 50,000 subscribers new security tricks on an almost weekly basis. No household item is safe from his curiosity: He’s tweaked a kid’s toy to open garage doors, 3D-printed a Masterlock-cracking robot,devised a fake charger that can sniff keystrokes, pranked a friend with a doorbell-ringing text message attack, and built a flying drone that can seek out and wirelessly hijack other victim drones.
“I just assume everything is vulnerable,” Kamkar says. “It’s a pretty safe bet.”
For Kamkar, 2015 has been an especially productive year. At the Black Hat and Defcon hacker conferences in August, Kamkar presented OwnStar, a device that could be planted on a GM car to intercept communications from its owner’s OnStar smartphone app. The device then sent those credentials to the hacker, who could use them to geolocate the car, unlock it, and even start its engine. After developing the device for GM vehicles, Kamkar soondiscovered the trick worked on BMW and Mercedes Benz vehicles, too. Kamkar alerted all three companies, and they rushed out security updates.
At the same two security conferences, Kamkar released another gadget designed to show the vulnerability of “rolling code” wireless key fobs. His device, which he called Rolljam, can be built for $32 and uses a clever technique to hijack and replay the codes sent by the fobs to effortlessly break into cars or open garage doors. “This is throwing the gauntlet down and saying, ‘here’s proof this is a problem,’” Kamkar told WIRED at the time. “My own car is fully susceptible to this attack. I don’t think that’s right when we know this is solvable.”
That same month, Kamkar lost his American Express card and the company sent him a replacement. He noticed a pattern in the last four digits of the two cards, and after surveying his friends’ AmEx cards, too, found that the same pattern applied to every replacement. By November, he had not only written software that could predict the number of the replacement for any AmEx card, but also designed a tiny $10 device he called MagSpoof that could impersonate a credit card with a stolen number when the device is held up to a card reader. If the card is reported stolen, the MagSpoof device can instantly generate the replacement card’s number, ready to use for another round of fraud.
“In terms of consistently cool work, Samy is one of the most, if not the most, prolific researchers” in the security community, says Jeremiah Grossman, a well-known web-focused hacker and founder of WhiteHat Security. But beyond productivity, Grossman says what sets Kamkar apart is accessibility: His YouTube videos demonstrate hacks that affect widely used products. “Not a lot of regular people know how vulnerable their devices are, and what you can do with them. When you make that approachable to a lay audience, that’s groundbreaking,” Grossman says.
Kamkar was introduced to hacking—from the victim’s end at least—on his very first day online. As a 10-year-old growing up in a Pittsburgh home with a single mom working two jobs, his mother bought him a Windows 95 machine to keep him busy one summer. He got on the internet, found an IRC chatroom, and was immediately told by someone in the channel to get out. When he didn’t, his computer crashed into a blue screen of death. He unplugged the machine in a panic. “My mom had spent everything she had on it, and I thought I would be grounded until I was 18,” says Kamkar. “I was in fight or flight mode, but I was also thinking ‘how can I do that.’ I went down the rabbit hole.”
Soon he was reading hacker forums and writing his own cheat programs for Counterstrike, reverse engineering the game’s code to see through walls and aim automatically. An executive at a gaming firm in San Diego spotted his work and asked him to join the company. By the age of 16, Kamkar had dropped out of school and moved into his own place, supporting his mother off and on through her periods of unemployment. He forged both a work permit and a letter showing his emancipation from his mother to allow him to work at a domain and web-hosting company and live in his own apartment. By 17, he’d co-founded his own VoIP firm, called Fonality, which today has more than 200 employees.
Kamkar would first rise to hacker notoriety at the age of 19, when he started fiddling with a so-called “cross-site scripting” flaw he discovered in Myspace pages that let him inject his own text onto the site. One night, he used that bug to launch what came to be known as the Samy worm, a piece of viral code that added unwitting users as his Myspace friend and displayed the text “Samy is my hero” on their profiles. It worked better than Kamkar had ever imagined, ripping through the site and giving him a million new friends in 24 hours. Soon after, he got a visit from some very unfriendly Secret Service agents. Kamkar pleaded guilty to computer fraud and was banned from using computers for three years.
Kamkar actually credits that period with giving him a healthier perspective than he had in his digitally obsessed teens. He continued to keep his position at Fonality, working at a single unconnected computer the company set up for him as part of his probation terms. In his off-hours, he started going to bars and meeting more non-tech friends. “Going from being on a computer every second of my life to actually going out and talking to people was really good for my social life,” he says. Those analog years, Kamkar says, helped him to better tailor his work to hacking that the average person cares about, rather than just technical feats to impress fellow hackers. “I’m always thinking, ‘What can I do that shows off all the infosec stuff I like and also makes it interesting to my friends, who aren’t even tech people?’”
Post-Samy-Worm, Kamkar’s first return to the hacking community spotlight was a piece of code he released in 2010 called “evercookie,” a user-tracking browser cookie designed to store itself in so many obscure places on a computer that it’s nearly impossible to fully erase the identifier. More recently, he’s turned his attention to hardware hacking, using Arduino- and radio-based attacks to display the myriad vulnerabilities in the digital interfaces of everyday devices like garage doors and cars that have never had proper security scrutiny. “I usually look at something I personally use, something my friend or my mom has that I think will be fun to hack,” Kamkar says. “A lot of what I focus on is low-hanging fruit. And there’s a ton of low-hanging fruit out there.”
After his legal ordeal, Kamkar carefully separates his security research from his paid work. He alerts companies to their products’ vulnerabilities, but—aside from some small YouTube advertising payments—avoids any profit from his hacks. Lately, he refuses to even accept security consulting work for fear of a conflict of interest. “I want to do what I ultimately think is right,” he says. “That’s hard when someone’s paying you.”
Instead, he takes his reward from his modest fame—3.3 million YouTube views and counting—and the thrill of solving the puzzles he finds in virtually everything he touches. “When you can unlock a car and other people can’t, that feels like a superpower. It’s intoxicating,” Kamkar says. “When I can exploit something in a way no one has done before, it’s probably one of the greatest feelings in the world. I’m always chasing that feeling.”