All Tech Considered
5:44 pm
Tue August 13, 2013

Hacking Real Things Becomes Child's Play At This Camp

Originally published on Wed August 14, 2013 8:56 am

At r00tz, a camp that takes place each year during the Def Con convention in Las Vegas, children learn to pick locks, hack smart TVs and, most important, how to take apart and understand the technology that surrounds them.

The scene inside the camp a couple weeks ago was a bit of a madhouse — controlled chaos. Little kids everywhere. Brendan Herman was trying to program a machine to draw pictures on ping-pong balls, wearing a tinfoil hat.

"To protect me from aliens," he said.

And Herman, an elementary school student, fit right in. His counselors were adults covered in tattoos, explaining circuits and simple switches. Some campers milled around watching others, like tag team programmers.

"I am just messing around with it trying to figure out stuff," said Owen Chilcoat, who sat hunched over a tablet, scrolling through code. "I'm trying to break it."

On the other side of the room was Mark Risher, who created a website called SaaSCrack, dedicated to teaching kids to hack.

"We [originally] built SaaSCrack ... for the Def Con kids event," Risher explained. The site teaches kids — or adults — how to poke around in online software and websites looking for vulnerabilities. It works like a game.

"This guy here is already on the leader board with 300 points," said Risher, pointing at Tye Harmer. Tye barely glanced up.

If your target audience is 8- to 13-year-old kids, a name like SaaSCrack gets attention — but I wondered if the kids got the joke.

When I pried Tye away from his screen and asked, he just smirked, and pointed at his tablet. But when I asked if he knows what SaaS stands for, I was greeted with a blank stare.

SaaS — which stands for Software as a Service — is really just any software you subscribe to online. It's becoming ubiquitous, but it isn't always as secure as we might hope. Think about all those websites we sign into every day — all those services, from mobile banking apps to email. Risher says figuring out how SaaS can be cracked could help these kids avoid hundreds of headaches later in life.

Hacking The Internet Of Things

But hacking software on websites, computers and apps is just the beginning at r00tz. Today, all sorts of devices and physical things are being connected to the Internet.

"Everything that could possibly be connected will be connected," said Marc Rogers, a security expert at Lookout. "We have watches that can be connected. We have televisions that can be connected. We have radios that can be connected. My stereo system calls Japan on a regular basis."

But that means all these things can now be hacked. Even thermostats are connected to the Internet and run software.

"The flip side is by changing things like this we change their value for a bad guy," Rogers said.

Hack a connected thermostat, and a burglar could figure out when you are out of town. Hack a million connected thermostats and you can attack the electrical grid.

And Rogers says the security in many so-called smart things is so lax that hacking into them is child's play.

Back at r00tz, 13-year-old Neal Delosruyes decided he'd try to hack a smart TV at camp.

"Just for the fun of it — I just wanted to try it out," Delosruyes said. "And this is my first year so I just wanted to try some new things."

To be fair, Delosruyes had some accomplished teachers. Aaron Grattafiori and Josh Yavor work at the security firm iSEC Partners. A couple of months ago, they figured out how to hack into Samsung's smart TVs.

"We could hijack the TV and see the camera remotely," said Grattafiori. They were able to turn the camera on, take pictures and record video without the owner's knowledge.

Bug Bounty Hunters

Samsung made some fixes but other little bugs remained, like those in the Facebook app built by Samsung for its TVs. Then, Grattafiori and Yavor had an idea — why not teach kids how to find those bugs? Grattafiori ran it by Facebook.

"They were definitely game with the idea of having the kids find bugs. They thought that was cool," he said. After all, finding bugs and fixing them helps Facebook. "It's their name so they don't want their users at risk — so hopefully we can have a 10-year-old do it."

Both Facebook and Samsung have something called a bug bounty program. That means these companies will pay hackers real money if they find security holes in their products and report them. These bounties can sometimes be worth thousands of dollars per bug. And within just a few hours, the kids at this camp found three bugs.

"I knew it was a minimum of $1,000," said one girl, who goes by the hacking handle Cy-Fi. But Cy-Fi doesn't plan to keep all the cash for herself.

"I get a third of it," she said. "Then another third goes to my education and then another third goes to my favorite nonprofit."

In Cy-Fi's case, her favorite nonprofit is the Electronic Frontier Foundation. She's 13. She's been the victim of identity theft and she doesn't think kids should use their real names online. She said EFF defends privacy rights online and stands up for hacker rights.

Neal Delosruyes found a bug too. And Neal is going to give some of his cash bounty to his church to help underprivileged children in Africa. Talk about a white hat hacker.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

AUDIE CORNISH, HOST:

When it comes to summer camps, there's something for every kind of kid. There are soccer camps, theater camps, circus camps. But a camp devoted to breaking stuff, well, that may seem a bit odd but it exists and it's called r00tz. It takes place at the annual hacking convention, Def-con. And as NPR's Steve Henn reports, its goal is to teach children to pick locks, hack Smart TVs and, most importantly, take apart and understand the technology that surrounds them.

STEVE HENN, BYLINE: The scene inside r00tz a couple weeks ago was a bit of a madhouse - controlled chaos, little kids everywhere. Brendan Herman was trying to program a machine to draw pictures on ping pong balls. Can you describe your hat for me?

BRENDAN HERMAN: It's a tin foil...

HENN: You're wearing a tin foil hat?

HERMAN: Yes.

HENN: So why?

HERMAN: To protect me from aliens.

HENN: Adults covered in tattoos explained circuits and simple switches. Some kids milled around watching. Others, like Owen Chilcoat, sat hunched over their tablets, scrolling through code.

OWEN CHILCOAT: I am just messing around with it trying to figure out stuff and trying to break it.

TED RISHER: More often than not, we have to wipe the tablet and start again. But he's having fun at it and I think that's important.

HENN: That was Owen's dad, Ted. On the other side of the room, Mark Risher created a website dedicated to teaching kids to hack.

MARK RISHER: We built SaaSCrack for the r00tz, for the Def-Con kids event.

HENN: The site teaches kids how to poke around in online software and websites looking for vulnerabilities. And it works like a game.

RISHER: This guy here is already on the leader board with 300 points.

HENN: If your target audience is 18 to 13-year-olds, a name like SaaSCrack gets attention, but I wondered - now do you get both of the jokes? There are two jokes, I think. I'm quizzing Tye Harmer, a 13-year-old. He just smirks. Okay. He said he knew what one was and pointed. But do you know what SaaS is?

Software as a Service? Oh, yeah, yeah. SaaS, which is really just software you subscribe to online, isn't always as secure as we might hope. Think about all those websites we sign into every day, that we bank with and buy things from. Figuring out how SaaS can be cracked could help these kids avoid hundreds of headaches later in life.

But hacking computers, tablets and apps is just the beginning. All sorts of things are now connected to the Net.

MARC ROGERS: I think it's going to be everywhere. Everything that could possibly be connected will be connected.

HENN: Marc Rogers is a security expert at Lookout, a firm that searches Smartphones for malware.

ROGERS: We have watches that can be connected. You have televisions that are connected. You have radios that are connected. My stereo system calls Japan on a regular basis.

HENN: Even thermostats are connected to the Net and run software.

ROGERS: The flip side is by changing things like this, we also change their value for a bad guy.

HERMAN: Hack one connected thermostat and a burglar could figure out when you are out of town. Hack a million connected thermostats and you can attack the electrical grid. And Rogers says the security in many so-called smart things is so lax, hacking into them is child's play.

NEAL DELOSRUYES: Just for the fun of it, I just wanted to try it out.

HENN: Back at r00tz, 13-year-old Neal Delosruyes decided that he'd like to try to hack a smart TV at camp.

DELOSRUYES: And this is my first year so I just wanted to try some new things.

HENN: Now to be fair, Delosruyes had some fairly accomplished teachers. Aaron Grattafiori and Josh Yavor work at the security firm iSEC Partners. A couple of months ago, they figured out how to hack into Samsung's smart TVs.

AARON GRATTAFIORI: We could, you know, hijack a TV and see the camera remotely.

HENN: They could turn the camera on, take pictures, record video and the owners would never know. Makes you rethink the whole TV in the bedroom thing. But Aaron and Josh told Samsung about the problems and Samsung made some fixes. Still, a lot of other little bugs remained.

GRATTAFIORI: I know that there are at least a couple of bugs in the Facebook app.

HENN: Aaron talked to some friends at Facebook and it turns out that Facebook app was actually built by Samsung for its own TVs. Then, Aaron and Josh had an idea, why not teach kids how to find those bugs? He ran it by Facebook.

GRATTAFIORI: They were definitely game with the idea of having the kids find bugs. They definitely thought that was cool.

HENN: I mean, it helps them out, right?

GRATTAFIORI: Yeah, exactly.

HENN: Not good for Facebook to have an app that...

GRATTAFIORI: It's their name so they don't want their users at risk, so hopefully they can have a, you know, 10-year-old do it.

HENN: Both Facebook and Samsung have something called a bug bounty program. That means these companies will pay hackers real money if they find security holes in their products and report them. These bounties can be worth thousands per bug. And within just a few hours, the kids at this camp found three bugs.

They don't know yet how much the bugs are worth, but...

CY-FI: I knew it was a minimum of a thousand dollars.

HENN: That's Cy-Fi. Now, do you get to keep all the cash or how is it going to work?

CY-FI: I get a third of it. Then another third goes to my education and then another third goes to my favorite nonprofit.

HENN: Cy-Fi is giving that third to the Electronic Frontier Foundation. She's 13. She's been the victim of identity theft and she doesn't think kids should use their real names online. Her friend, Neal Delosruyes, found a bug, too. But he's going to give some of his cash to his church to help underprivileged children in Africa. Talk about a white hat hacker. Steve Henn, NPR News. Transcript provided by NPR, Copyright NPR.
