Season 7, EP 2

Hackers Hacking Hackers

October 1, 2024

In this episode, host Paul Roberts chats with independent security researcher and ethical hacker Sam Curry about his own experience being hacked via the Internet of Things, and how it led to a shocking discovery regarding modem security. More broadly, the conversation touches on how APIs can leave consumers vulnerable, the increasing popularity of IoT attacks, and how to mitigate such risks.

EPISODE TRANSCRIPT

PAUL ROBERTS: Hey there everybody and welcome back to another episode of the ConversingLabs podcast. I'm your host Paul Roberts. I'm the director of editorial and content here at ReversingLabs and the host of ConversingLabs podcast. I'm really thrilled to be back in the studio with our guest this week, Sam Curry.

Sam is a staff engineer at Yuga Labs. He's also a renowned security researcher who has looked at everything from the cybersecurity of automotive telematic systems to more recently, the security or lack thereof of passenger screening systems that are used in airports. In fact, Sam's joining us from DC where he's actually attending a hearing on aviation safety and cybersecurity.

Sam. Welcome to ConversingLabs podcast. Great to see you.

SAM CURRY: Hello. Hello. Yeah, great to be here.

PAUL ROBERTS: It's great to have you. So for our viewers, listeners who don't know about you, just give us a sort of Sam Curry origin story and talk just a little bit about the work you do at Yuga.

SAM CURRY: Yeah, sure. That's a little tricky. Spent like a bunch of time on the internet since I was like 11 or 12, but got really into web security. Back in like the old video game hacking days when there's like flame wars between like forums and stuff. And yeah, ever since then, just like deep diving web security.

I got pulled into like bug bounty and that whole ecosystem for a while. And then the very traditional like pen test to security engineer pipeline, but like on the side of it, the work that I really enjoy doing is like security research blog posts and just fun things to talk about so I've been doing like a little security blog for the last five or six years and gotten to explore some fun stuff.

PAUL ROBERTS: Which we will share on the chat and everybody should subscribe to. Your LinkedIn profile says you lived in Omaha, did you grow up in Nebraska?

SAM CURRY: Yeah, I grew up in Omaha I think when I was probably like four or five my family moved over there and I've just been there since. Everybody's located there. It's really tricky, right?

Being, I had a conversation the other day with somebody. It's oh, like, why don't you move to Seattle or San Francisco or wherever and do, we're all on the internet, so I'd rather have a house.

PAUL ROBERTS: It doesn't really matter anymore. That's very interesting.

Growing up there as a kid and a teenager too, it's just it must've been a really interesting experience to have this kind of like online life that where you're connecting with these people all over the place.

SAM CURRY: Yeah. And it was really funny because I think the first like conversation I ever had in person with a computer security person was when like I hacked my school and I got brought into the IT office and then, they fetched the one employee who did the whole district's IT and it was like, that was like my first conversation with someone who did computer stuff.

And I was probably like 15.

PAUL ROBERTS: Wow. That has a real War Games feel to it, Sam.

SAM CURRY: Yeah, definitely. It was a really fun conversation. I think it was a similar issue to the one in the TSA, it was like a SQL injection or something, and I was like, they were gonna expel me or whatever, and I was like, oh no here's how you fix it, here's what it is, no harm.

PAUL ROBERTS: Yes. They didn't have the password written on a little thing on the desk, like in War Games? No.

SAM CURRY: No, it was like a third party they used for like sports management. Yeah, some funny-

PAUL ROBERTS: Yeah, really common. Yeah. And we're going to talk about SQL, however many years later, we're going to talk about SQL injection today too. So the more things have changed, the more they've stayed the same.

SAM CURRY: Exactly. Yeah.

PAUL ROBERTS: This really interesting blog post you put out back in June, I think, investigating a compromise of your own broadband router in your home.

Talk just a little bit about that and it's really cool actually, you're a very good writer. I would say there's a very, when you read your blog posts, there's a kind of page turning quality about them, even though there are no pages to turn, but it's actually a really interesting account.

We'll link to it as well, but just talk a little bit about how you stumbled upon that. It's a really interesting story.

SAM CURRY: Yeah, sure. So I do most of my work from home and I think I was on like a pen test from home and I was just I had to spin up this web server for the pen test because I had to log HTTP requests coming in and I spun up that web server and to test that web server was alive I sent like an own, my own request from my home network to that server and I waited a few seconds and finally I saw the log pop up and I was like okay cool, web server's alive, we're good to go.

But then I like alt-tabbed around and a few seconds later, I noticed in the corner of the screen, like the console popped up one more time, except there was a random IP address I'd never seen before that had replayed the exact same HTTP request I'd sent. And at that point it's my computer must be hacked, right?

Like somebody has pwned my computer. So I ran to the other room and like the first device I found was like my Amazon fire stick or my iPhone or something. And I like loaded the URL in the browser of that web server and the exact same thing happened, every device in my network. It was just the same issue request being replayed and it kicked off this long investigation. That was the origin of it.

PAUL ROBERTS: It's really interesting. 'Cause initially you were like, first of all, natural first question, where did this hack happen? Is this an AWS hack? Did my ISP get hacked or, much more likely, my broadband router got hacked? But you're a security researcher, you're interacting with your broadband router a lot more than most people, I'm guessing.

But what did you find when you looked into kind of who or what was behind this compromise?

SAM CURRY: So I investigated it and the first assumption is okay, my modem got hacked through some, some router exploit or something because it constantly happens.

Yeah. Really common. But I was really curious about it and I investigated it and I, I couldn't find any like evidence that there is like some one off vulnerability that had happened in my modem, like some 0-day that got published for broadband XYZ, but it got me really curious because it's okay, if I were to compromise a modem and I wanted to target somebody, assuming that, maybe I was targeted, which is a little like specific, right?

Most of the time it's just a very broad attack or whatever, but just for fun, like assuming that you got individually targeted, like how would you go about targeting someone's device? So it kicked off this investigation where I was like, okay, does my ISP have the capability to remotely manage my device?

And the answer is yes. There's that protocol, TR-069, which is used for like remote device management. And I was wondering, as like a web security guy, it's is there some panel like admin panel that has access to everybody's device? And the answer was yes.

And through their vulnerabilities and like another component of the ISP, you were able to actually traverse to this internal API. And that API was capable of sending remote device commands, querying customers by name, and it would have allowed you basically to individually target somebody and compromise their device, right?

And it's a really fascinating kind of deep dive because it's even though that wasn't how I had been hacked, it's you could have used that to hack somebody else. And it opens the question of these ISPs have full management capability and it creates this like single point of failure for millions and millions of devices.

PAUL ROBERTS: And we understand why they need that remote management capability. We've all probably had, Hey, my router is not responding. Oh yeah, we'll reboot it. And so there's a reason, but of course that capability has a dark side to it as well.

So that raises the bar on the ISP. To secure that infrastructure to be monitoring for, unauthorized behavior and stuff like that seems to me like that's where they're dropping the ball. But it's interesting because when you read your blog post about who was behind this, you dug up so going just based on the IP address for the server that was, basically, parroting all the traffic to your home router.

You have contacts, obviously, in the threat intelligence world. They are able to give you a whole list of domains that have been pointing at this IP address over the past few years. And it was a real kind of dogs dinner of different, what looked to be malicious phishing domains, but with interesting targets including Adidas, I think.

SAM CURRY: Yeah it was really fascinating. Yeah. Trying to decide that from I'm a web security guy. I don't have like too much threat Intel experience. So I leaned on a lot of people, like you said, who are in that world, work at CrowdStrike and these different companies and it's like, Hey, I got popped, this is the IP what's going on here.

And we dug up this really extensive, it's been used for like individual phishing campaigns. And then it was also used for CNC for my modem. Because that was the IP that was actually replaying my traffic, but was also serving, these different phishing websites and doing all these different, yeah, probably different companies.

And one of them was a security company. So that, that IP was actually hosting infrastructure for a deep phishing website for an actual cybersecurity company and based in Latin America. So yeah, it's tricky because it's this was two years past since the hack had happened.

So you're relying on all this old data and you have to like correlate and make assumptions. So there's not really a definitive, like who's who.

PAUL ROBERTS: So they're targeting a cybersecurity company in South America, and then they're targeting this kind of well known cybersecurity researcher in North America.

SAM CURRY: Yeah. It's a little... it, I think normally, like for the most part, people would say Oh, you're being paranoid. But I had a really close friend who was targeted by the North Korean APT, like directly on Twitter. And like at that point you you have these assumptions, right?

We're like, okay, it won't happen to me, but then it does. And I had that experience too. Like at the airport one time where I was like falsely accused of committing a crime and it subpoenaed me and issued, like they had warrants, to go through my Gmail and stuff. And it's at that point it's you can be targeted and it does happen.

PAUL ROBERTS: Was this in the United States, or was it?

SAM CURRY: Yeah, I can clarify a little bit there. It's a funny story. I was flying from like Japan to Washington, DC same place I'm at right now. But when I arrived, they had Oh, there's going to be this routine secondary inspection because, we just randomly selected or whatever.

And I'm having this conversation with a cop as I go, and it's the nicest cop in the world. He is so nice to me. I'm like, wow, this is just a, he must do this, as a therapist or something, right? But finally I get to secondary and they're like, Hey, these two people want to talk to you from the DHS and IRS CI.

And at that point it was clear I had a court summons to go to New York but on suspicion of committing like wire fraud and stuff. But we looked into it a lot and we're basically able to clear that like my IP had shown up as a malicious person and that was all I needed to issue these things.

And they, yeah, which is, everything was cleared, obviously, like it was just a false thing that it happened, but like from at that moment, it's they got all your gear, they got all your stuff, they're going through it. Yep. Yeah.

PAUL ROBERTS: This is one of the things that security researchers, our laws are not clear enough around, validating the work that security researchers independent or not independent do right? So there is this kind of gray area of, pen testing. Which, frankly, in my opinion, we need to really clear up as a country because the work that people like you do is so vital.

And if there's always this Hey, I'm going to get harassed at the airport. I'm going to get subpoenaed or whatever. Then that's a discouragement to do the important work you do. I'm sorry. I'm editorializing. So you discover this API, Cox was the ISP that you use, but you discovered this API that basically gave you God-mode control over all these modems. But you said that wasn't actually the specific means that was used to compromise your router? How did that happen?

SAM CURRY: Yeah. So I actually worked really close with the Cox ISP and they were super, super friendly and forthcoming about their investigation as well. And I presented Hey, I was hacked on this date and they basically had confirmed, like they said, Hey, the thing you'd found the vulnerability in wasn't actually updated until two years ago.

Or after the time that I had found the vulnerability, or been hacked, so they, the two times just didn't make sense. Yeah the API itself is really fascinating, right? Because there's -

PAUL ROBERTS: They had compromised that prior to it being patched, but that was like two years before you found it?

SAM CURRY: Yeah, exactly. It was, I'd been hacked and then a few months later they'd built this software that I'd found the vulnerability in.

PAUL ROBERTS: Did you find any evidence that others had come across the Cox API? Or are there ways for Cox to look and see, has this been abused within our client base?

SAM CURRY: Yeah they researched it.

They looked through it, they investigated all the logs and they confirmed that there wasn't abuse and that's like relying on their word of mouth, which is always interesting. Like I'm not saying, I'm not suggesting it was compromised, but it's funny like working in security, because-

PAUL ROBERTS: Thinking like a journalist, yes, yeah.

SAM CURRY: Exactly. There's been some times in bug bounty where it's funny where we'll go through, we'll find a vulnerability and we'll enumerate something and then report it. And it's a very, we don't go like deep. We're not trying to like exfiltrate user data, but we will poke around a tiny bit after like finding a vulnerability. And then sometimes they'll come back and I'll say, we found no history of abuse. It's but I expanded on a little bit, obviously it wasn't being malicious, but it's like there was like user data that was accessed, so it's like kind of an unclear-

PAUL ROBERTS: Yeah.

SAM CURRY: These investments. Yeah. Very interesting.

PAUL ROBERTS: This compromise that you're talking about is not an isolated incident. So Black Lotus Labs, which is associated with an ISP, has done a number of reports on widespread nation state campaigns, largely, not all, but mostly targeting either end-of-life broadband routers or just, vulnerable broadband routers that they're using in botnets or in some cases, which may be the case with you, using to actually monitor the home network that the broadband router's fronting. Do you feel like what happened to you may have been part of a larger campaign like that? Or was it more targeted or maybe it was just opportunistic?

SAM CURRY: Yeah, I'm not sure. So the only, I was really curious about this in particular and I had done like a thing on Twitter where I was like, Hey, you guys can actually check if you've been compromised by the same malware or if you're getting the same behavior and a bunch of people went through and tested their DNS to see if it was leaking, like mine had.

And the only person who got back to me about it was a security researcher in Qatar who was experiencing the exact same behavior where they're, yeah, it was really interesting and I asked like more about what they do and it was clear they worked like this they didn't really give much detail about it, but some company in Qatar, which from just like a sniff test is like an interesting role.

PAUL ROBERTS: You've got a big social media following so presumably if this were a widespread attack I mean you're connected to a lot of security researchers and I'm guessing a lot of them you know took the challenge to see why would you not right?

SAM CURRY: Yeah

PAUL ROBERTS: So the fact that only one turned up would seem to suggest that this was not a widespread campaign.

SAM CURRY: Yeah, and I do think there's I always try to lean more on the like the assumption of what the easiest thing or the most common-

PAUL ROBERTS: The Occam's razor approach, yes.

SAM CURRY: Exactly and I spoke to a lot of people that have the same modem.

I tried to find any similar behavior. And I reached out to DigitalOcean. They didn't respond. I reached out to the ISP. The ISP confirmed this IP is like, it's not ours, not related to us in any means.

PAUL ROBERTS: DigitalOcean was the company hosting the IP address?

SAM CURRY: Yeah. And of course you can't really be like, hey, DigitalOcean, what is running on this box?

Because it's private, but yeah, I do think there's a lot of value in the widespread malware campaigns because it's getting to a point where a residential IP in the United States, like really valuable for tons of stuff. If you want to be a legitimate social media user, if you want to do, I have friends who pay a ton of money for residential proxies so they can browse, have that built API and stuff to scrape the internet.

So clearly there's value, but yeah, it's, it definitely felt more targeted.

PAUL ROBERTS: Yeah. One of the things that- I was just reading this on LinkedIn. I can't remember who wrote it. I've just read it. But one of the things hadn't even occurred to me about the value of domestic IP addresses and routers is that, guess who can't go poking around domestic IP and routers, right?

The CIA and the NSA, right? The country's two main kind of cybersecurity agencies in terms of, nation state actors, right? These are off limits to them because of U.S. law, which, many of us support that, the spirit of that law, but the reality is if you're a nation state actor and you own a residential IP address, you don't have to worry too much about, five eyes coming in, snooping around and figuring out that you're there and what you're doing, you're under, you're off their radar, which is hugely valuable for them.

No, then it falls to the FBI, and the FBI ain't the NSA.

SAM CURRY: Yeah. A hundred percent. It's really like the, that's one thing I have a lot of respect for. And the kind of the threat intel world is like the piecing out who's doing an attack because it's like, it's the internet, like you can hop through a billion different places and end up, on some IP in Nebraska and that's who you look like. So how do you attribute that?

PAUL ROBERTS: And we know from Microsoft and Black Lotus and stuff that these residential IP addresses in some cases are being used around like brute force attacks, right? Like just, we're just going to rotate around to a bunch of residential IP addresses, it's going to look, tame or legitimate to the company. This is, some guy in residential Virginia. But we also know in some cases again, that there, and again, Black Lotus on this again, found evidence of compromises where the attackers seemed very interested in what was going on within the actual network that the router was fronting.

So that seems more Oh, okay. You work in Langley, Virginia. Oh, interesting. But anyway, so this raises a bunch of really big, hairy questions that you have raised with your research in other areas as well, automotive among others. You did a really amazing Web Hackers vs. the Auto Industry report looking across- man, I think it was like 16 different automakers and suppliers, found just a wide range of pretty serious security problems in the systems that they manage and that they use to manage connected vehicles.

This raises some really thorny questions about just the backbone of our, both consumer and business, internet in this country, which is ISPs, local routers, who's responsible for managing, maintaining, and monitoring them if you can't count on your average homeowner to be flipping through DNS logs, which we can't, like that is not going to happen.

So how do we get our hands around this problem?

SAM CURRY: Yeah. It's like really fascinating, right? Because There exists like this whole ecosystem and like typically, if you're like, let's say I want to hack like Facebook, you have the entity of Facebook, it runs Facebook and there's a direct relationship where there's a security disclosure page and all these rules about disclosing them, but Facebook is supported by all these different other companies and those companies may have just as much access as Facebook to your user data, like you have something Analytica, I forget the name of the company, but has all the access to the Facebook user data, things like that.

And there's no direct line to these companies, but for the end user, right? Yeah, if you're the ISP and, or for instance, in T-Mobile, like T-Mobile used, I think it's called Snowball or Snowflake. There's too many companies. Yeah, Snowflake. The line between, I'm a researcher who wants to hack T-Mobile and like report vulnerabilities.

There's not really a direct line to Snowflake, it creates like these kind of gray areas around the whole internet for infrastructure, for companies, for everything, where it's like they exist and they handle so much sensitive data and so much information that, but there's not really a way to go about and approach them.

And a lot of the research I think we've done recently, it's less about we're going super deep at AppSec research. Like we're going to find like a new attack methodology, James Kettle style, break HTTP. But instead it's Hey, this is an entire TLD, or this is an entire infrastructure that's supported by this one single point of failure that is run by this company, which is contracted by the government, which is, nobody knows about, nobody's heard of them, but they, it's like the meme, where it's-

PAUL ROBERTS: Black box, right? Like black box software.

SAM CURRY: Yeah. And you'll find it's like a single Perl script from like 2007, which is just and it's super vulnerable, right? And if I'm like a nation state attacker, I'm looking for those single points of failure, because it's like, why would I pop one router, if I can attack all of them.

PAUL ROBERTS: I'm like a broken record with this, but it's I always think about like the Eclypsium thing on Ivanti Pulse Secure, and what they found when they dug into the Pulse Secure firmware, which was a lot of serious vulnerabilities and a lot of really old code, like an end-of-life operating system, version of CentOS.

If Eclypsium has the resources to break through their encrypted binaries, like their encrypted firmware, then a nation state actor does, and they're doing it. We can't rely on security through obscurity. We can't assume, we can't leave it to China, Volt Typhoon, to pen test us.

SAM CURRY: Yeah. It's a little cheesy. I love Casey John Ellis to death, but it's a little cheesy quote, but it's like, Casey John Ellis with Bugcrowd, he has this quote about how there's two kind of waging wars for every security program where it's like you have good guys and bad guys and they're clashing.

But for these undiscovered softwares, it's like the good guy is completely gone and it's just, it's only the bad guy, because who is, there's not a lot of people who are individually going out to identify these and if they do, they're in like a special committee or work with another government or some special-

PAUL ROBERTS: And there is a public health dynamic to this. So it's if you're doing work in secret and it's classified, that doesn't help the rest of us. There's this whole public health dynamic to all of this of if you find something like we need to know about it, like CVEs are the classic example, like we focus on CVEs. But, your company has a CVE, you're already like way ahead of 99% of the companies who don't even fricking bother look or report them when they find them.

I think the other interesting thing just with the broadband router problem, is like who has a stake in it.

And I think this as the IoT grows, and these smart connected devices proliferate in homes and businesses and so on. There is this real question of who is responsible for the security of those? And even if we could all say morally, this person should be, or this organization should be responsible for it.

If they don't want to take responsibility for it, somebody has to, right? So it's like with the broadband router, I hate to say it, but there are a lot of people who, even if they, even if you went to them and be, Hey, do you know your broadband router is hacked? They'd be like, okay, like fine. Like I can stream Netflix, I'm getting email and, and playing games. So if some hacker group wants to hang out on it, okay. They might not see the need to address that issue.

SAM CURRY: Yeah. And it's tricky. Like a lot of the like smart TV things where Oh, you can play like pinball on your smart TV, but if you play pinball on your smart TV, it turns into a residential proxy for a nation state or somebody, and they'll just agree to it because it's ah, or the free VPN software, it's a good deal.

But yeah it's a really interesting conversation because, kind of circle back to everything. There was a point in time, right, where, what had happened was Tesla had released the smart summon feature. And to me, that was a really huge moment because that is a internet connected way to drive a car.

There's like location checks and things like that to make sure you're there. But like at the end of the day, you press a button on your phone and the car moves, right? And then you have people like Charlie Miller, who absolutely owned like the car side of things, right? And we did some cool car security research, but the thing with Charlie Miller is like he went, he and this collaborator, they went that whole extra mile, just like what it was probably years of research to figure out how exactly you go from point A, which is that remote access, to the actual point B of like CAN bus commands, like full ownage, right? And with the modem hacking we demonstrated access to the actual, here's what you can access.

But the part B of that is like this really clever backdoor or like passive access forever. And when you do things like that, the part B, it turns problems. You have things like smart meters and homes or gas valves and remote connected things like pipelines. And that part B is like that real nation state, like second level, you've got like a principal engineer on that for a year and then eventually you get the exploit, right?

PAUL ROBERTS: Interesting.

SAM CURRY: Yeah.

PAUL ROBERTS: Let's talk about why you're in DC right now, a few weeks ago you published- you and a fellow researcher published, Ian Carroll, published Bypassing Airport Security via SQL Injection, which is another blog post, we will share that link as well. And it's really interesting, like a lot of the work you do is you almost stumble upon it oh, I'm just, like going through my life, I'm living my life here.

And I wonder about, like with the car thing, this was another, it could tell the story about how airport security screening systems came onto your radar.

SAM CURRY: Yeah, sure. So Ian and I traveled together a lot, like the last two years. He runs a travel company called seats.aero, and we're always like in airports together.

And Ian's fascinated with these like access control systems, like Idemia and airport security. And he'll wiggle doors when he sees a locked door type of person. And I think he literally just installed, God bless him. It, oh, absolutely. Yeah, love him to death. He just installed like a fingerprint reader for his house, just for fun, cause he wanted to reverse engineer it and like just that type of person.

But whenever we go through airport security you have to stand in line and you're like, who are you, show your ID, blah, and then you see the pilots and they're in their full suits and they just easy, scan the badge, straight in, right? And it's I want that, you can get TSA pre check, you can get-

PAUL ROBERTS: It's like catch me if you can. Yeah.

SAM CURRY: Absolutely. Yeah. And you see it and you're like the pilot got in, but how'd they get in? There's a little laptop. What is that laptop doing that validates the pilot can get in, right? Yeah. And you ask that question, and it opens up this huge can of worms, which is these companies like Collins Aerospace and there's a billion more which are like these huge, contractor companies like that provision and build out this infrastructure for airport security.

But what it came down to after investigating it is we found there's 70 different airlines around that each have supervision pilots to access that. When they scan their barcode, it pings back to a valid pilot's license and their passport is like cleared to go through. And there's 70 different airlines that need to write pilots or delete pilots from that system. And they all use kind of these systems to modify access to who those pilots are. All of that aside, what it turned out is there's a company called FlyCASS and FlyCASS had built this kind of technology, which was used to add and remove pilots for specific airlines to that system. Which is, they scan their barcode. It comes back as green and they're allowed to enter the security checkpoint. And what we found is that, by compromising FlyCASS and accessing that system, you could add, edit and read passport numbers of pilots. And, you click like one of them, it's got their photo and their passport ID and all that stuff.

And you can basically add yourself to that system. So when you do present your passport and the agent types in your like ID, it'll ping back to you as a valid pilot. And you're allowed to access that checkpoint. And that checkpoint is really interesting because like it, it opens a can of worms where it's there are pilots who are authorized to have firearms and their pilots who are, authorized to access jump seats and planes.

And when you bypass that one component, you remove it. It opens up a lot of other exploits where it's if you do get a valid ticket to access the jump seat, you can get in there and it's it's a really interesting issue.

PAUL ROBERTS: Touches on this cyber-physical, like at the end of the day, okay, you got an application with a SQL injection flaw, incredibly common, sadly.

But the consequences of that, what follows from that is, yeah, literally you could be putting somebody in the cockpit in a jump seat, who has no right to be there. And we can all imagine what the consequences that could be. So you would think that the intense importance of that physical security would work its way back up the software supply chain in terms of the types of scrutiny and resources and attention it gets but your research would seem to suggest not so much.

SAM CURRY: Yeah. And like the effort was like hugely led by Ian Carroll and we discovered quickly that yeah, that single point of failure would allow you to actually access that. But when we reported it, the TSA and DHS, they go to this a little bit. And then they were making claims to reporters that it wasn't actually possible, but we dispute that because on their website, they had suggested- they have a secondary component to it, but you can see the pilots going in using that method. And they had actually removed like a statement from their website after we had emailed them about how the full context being when you go and you scan or you go and you present your passport, if you forget your barcode, you can present like a pilot's ID and they'll just type in the number manually and it'll ping back and be green.

And there's other methods as well. We could edit an existing barcode and just scan an existing barcode. And TSA was basically like, oh, it's not actually exploitable, or there's secondary means, but we disputed that. So we came down to DC because there is a hearing on aviation security, cybersecurity.

And they actually mentioned the research a few times and there weren't any comments about it. Nobody seemed to be aware of it or didn't want to comment on it. So we just had a chat with some of the staffers.

PAUL ROBERTS: I think one of the patterns that pops up as I look at the work that you do, from industry to industry and from context to context, is often you have these connected systems. So we've got a physical security screening system, but it's being powered and informed by some cloud-based database of authorized people and so on, credentials. And that infrastructure is just not particularly well vetted and secured. And there is this kind of sense of, who's going to go looking for this screening database? It's not on Google. It's not searchable. But of course, really, just not an awareness of how resourceful a security researcher like yourself, whether it's a white hat or a black hat, is in terms of uncovering that back-end infrastructure, probing it for vulnerabilities and exploiting what they find. And that was the case in the auto industry as well.

You found all these domains that were specific to the automakers or the suppliers that you were able to pretty quickly just have your way with and get access to these really sensitive environments.

SAM CURRY: Yeah, I think it is a lot easier than you'd think to find these systems. But when we approach vulnerability research, we approach it from an impact perspective. We want to find these single points of failure, or these areas where we can accomplish a specific goal. And with car hacking, it's okay, we want to be able to access vehicles, the most number of vehicles we can, through vulnerabilities.

And it leads you down this rabbit hole, which eventually leads to Sirius XM connected vehicle services, which is a single point of failure for six or seven different car companies, where you pop this one specific component and you can literally just type in someone's license plate number for six or seven different car brands and it'll remotely unlock, track, everything.

And I think often the case with a lot of vulnerability research is, you want to hack a specific company. You want to hack a specific product that you want to have. But if you take a step back and you approach it from an impact perspective, where you're like, my goal is to fix this bug which affects hundreds of millions of people.

Then you can identify these systems which are those little tiny toothpicks which support the whole ecosystem, right?

PAUL ROBERTS: It's like the, yeah, it's like the cartoon, right?

SAM CURRY: Yeah.

PAUL ROBERTS: That we all saw with Log4j. There seems, I think there's also just a- I don't know if it's a cultural issue or whatever, but when you say, okay, we found a really trivial SQL injection flaw in this application, that to me communicates, okay, the company that developed this application probably did not have robust security testing, because this one slipped through, and it was, if you read the blog post, a pretty trivial SQL injection. And second of all, that the downstream consumers or customers also were not mindful of security, were not saying, before we license this, we're going to do a pen test. We want to see an SBOM.

All that stuff. It just seems like there is just a culture of, I don't know, insecurity? Taking everybody at their word. Oh, they seem like a legit company. I'm sure the software is good, but we're not going to bother looking. We can sell this without really putting too much money into security and software integrity, and hopefully we won't get caught.

PAUL ROBERTS: Like talking about boiling the ocean, man. I don't know what you say in DC. I mean this is...

SAM CURRY: Yeah, I'd like to imagine that, with all these different companies and all these different people, there's kind of this limited pool of security people on the blue screen side.

PAUL ROBERTS: Talent.

SAM CURRY: And when you are a business person who's starting a company, you're going through everything else. Security's there, but you have to do hiring and build the company and set it up and explore sales and all this stuff. And security's somewhere in the distance, and you're like, okay, we do have to do that.

We have to check that box. And, as a vendor, people will have to check our box. But at the end of the day, you can't mass-validate. Security is going to be a problem because it's just so distributed, disconnected, there's all these different components. And for a company like Flight Pass, they host this one specific feature for these three or four different airlines. And when you compromise those, it allows you to access all of, you know, airport security stuff. It's like you said, they're not expecting people to be targeting them or things like that. But when you really dissect it and you find that company, you're like, why does this exist and what do they do?

PAUL ROBERTS: And the notion that our adversaries are not saying, okay, we need into the aviation sector, we need into manufacturing, we need into energy distribution. All right, let's put some people on this project to figure out who the main suppliers are to those industries, what platforms they're using, what their security posture is.

Right? I mean, you know that they're doing it, because we're probably doing it to other countries too. We know they're thinking that way. We know they're acting that way. We've seen plenty of evidence of it. So shouldn't our defenses reflect that, right? Shouldn't our efforts and our expenditures and our attention and energy be directed in that way? But it's not, really. It's folks like you coming along and being like, hey, I tripped over this dead body, like, a little help?

SAM CURRY: Yeah.

PAUL ROBERTS: Which is not encouraging.

SAM CURRY: No, and I guess I get it. 'Cause if you're a company, and you work at a company as a software engineer and you want to deploy some software, you'll realize you've got to go through a PM and all these hoops.

And eventually, after a few months, you'll publish the software. But as an individual, if you want to publish the same software, it takes you five seconds. But for security research it's interesting, because if you work for a company, you get approval and all these things.

But as an individual, as a random person, you have so much power. You have more power than companies and teams of security researchers, because as an individual, you're able to actually do what you want, find the issues you want. And it's an absurd amount of impact. You don't realize how privileged and how good a position you are in as an individual researcher.

And that's one thing that's really interesting to me, because people see this research, but at the end of the day, it is a trivial SQL injection. And if you're a 17-year-old hacker and you haven't really done a lot of this stuff, you can have a significant impact and you should absolutely be delving into whatever you're interested in. Because more often than not, you're going to discover that you've impacted millions of people, and you make it more than it is. And you think things are more secure than they are, but you realize quickly it's not.

PAUL ROBERTS: The emperor has no clothes, so to speak.

SAM CURRY: Absolutely.

PAUL ROBERTS: Okay. So, final two questions. One is from the software producer side and one is from the consumer side. So from the software producer side, I guess my question is, what would you- because obviously the trends in terms of software development and deployment are what they are, and they're not going to slow down.

Greater use of APIs, greater use of cloud infrastructure and obviously open source and so on. How can they channel their internal Sam Curry as they're developing these next-generation, very API-dependent applications, to address some of the problems that you found, for example, with your home router, and also in the auto sector? The risks and vulnerabilities that come along with that. Interoperability.

SAM CURRY: Yeah. It's tricky because each company is different in the way they deploy software and all this stuff, but in a general sense: being able to restrict these APIs, log APIs, and approach it from the angle of "people will target us." More often than not, with the things we've been looking at, people assume they're just not going to be looked at.

For instance, I'm sure whoever built the internal API for the ISP assumed it's going to be internal. Like, we're not really worried about people. But at the end of the day, one broken proxy and you're there and you can access that API.

If companies have logging, and actionable logging, where it's like, this is a very sensitive API, this API is capable of doing a lot, right? If they see my traffic, or if they see unusual traffic and it's being accessed in a weird way which it's not supposed to, I think logging should immediately alert: this is really bad and we should take this down. Related to the airline industry, there's a company we worked with called points.com, right? And we were testing points.com, which is the provider for every single rewards program, basically, for airlines. So if you ever use United Rewards, Delta, they all use points.com, right? And while we were hacking on points.com, we found a really similar issue where we could traverse an API and access this internal API to call all transactions.

So we could retrieve the PII of all users and all this stuff, and it's a really bad bug. But within 15 minutes of us testing, they realized how unusual our API calls were and they just shut the whole thing down. It was just taken off the internet. And I think before we even sent the email, they had just shut it down. At that point, that is a really actionable team.

I wish, yeah, I wish there was a 20-second snippet I could give for "here's how to protect," but it's such a complicated-

PAUL ROBERTS: Not that type of question, yeah.

SAM CURRY: Yeah.

PAUL ROBERTS: Okay, so final question is on the consumer side, and this is looking specifically at the stuff you did in June. All of us have broadband routers in our basements.

A lot of people who are watching this, who are live streaming it, are probably like, oh man, what if my router's got hacked? Are there easy ways to figure out if somebody is on your router that you don't know about?

SAM CURRY: Yeah, I think the first thing you can do is removing the backdoor from the ISP, right?

Because right now, even if you're not hacked, the ISP does have TR-069, that they're off and can send commands to your device. So your threat model currently is like- yeah, you can disable it, or switch to a modem that isn't managed by the ISP, who doesn't have that permission. And once you do that, you've removed a good majority of people who will be able to access your device.

The second thing, obviously, is the traditional: don't open random ports, blah, blah, blah. But I guess the third thing is just monitoring traffic, right? I switched to a Ubiquiti UniFi, I think it's called, some gateway modem. But it's beautiful, because I can open my phone and it secures every single thing you're sending traffic to, and these devices are using this traffic, and I love that little device.

So yeah, as a consumer, it's watching that. If your Netflix is loading slow, check you're not being backdoored as a residential proxy.

PAUL ROBERTS: Right. Potentially either alter the configuration of your existing router or, even better, get off the ISP's hardware and bring in your own hardware.

And then, of course, after that, stay on top of security updates. Check in with that router every so often and make sure that everything looks kosher.

SAM CURRY: Absolutely. Yeah, pretty much exactly.

PAUL ROBERTS: Hey Sam, is there anything that I didn't ask you that you wanted to say?

SAM CURRY: I don't think so. I think just continuing to try to hack random stuff and publish stuff, that's pretty much all. Yeah.

PAUL ROBERTS: And again, you're doing incredibly important work, and we'll be sure to have you on again. It's been a pleasure, and thanks. Good luck down there in DC. I hope their ears are open and they're listening to what you have to say.

SAM CURRY: Absolutely. Cheers. Thank you again, Paul. I really appreciate you having me.

PAUL ROBERTS: Sam Curry. Thanks for coming on ConversingLabs. We'll do it again.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
