Samy Kamkar

Born: December 10, 1985
Occupation: Privacy and security researcher, computer hacker, whistleblower and entrepreneur
Known for: Releasing the Samy worm, Evercookie, SkyJack, and iPhone, Android and Windows Mobile phone tracking research
Website: samy.pl

Samy Kamkar (born December 10, 1985)[1] is a privacy and security researcher, computer hacker, whistleblower and entrepreneur. At the age of 17, he co-founded Fonality, a unified communications company, which raised over $46 million in private funding.[2] He is possibly best known for creating and releasing the MySpace worm Samy, the fastest spreading virus of all time,[3] and for being subsequently raided for it by the United States Secret Service under the Patriot Act.[4] He is also known for creating SkyJack, a custom drone which hacks into any nearby Parrot drones and lets SkyJack's operator control them,[5] and for creating the Evercookie, which appeared in a top-secret NSA document[6] revealed by Edward Snowden and on the front page of The New York Times.[7] He is also known for his work with The Wall Street Journal and his discovery of illicit mobile phone tracking, in which Apple iPhone, Google Android and Microsoft Windows Phone devices transmitted GPS and Wi-Fi information to their parent companies. His mobile research led to a series of class-action lawsuits against the companies and a privacy hearing on Capitol Hill.[8]

Work

Samy worm

In 2005, Kamkar released the Samy worm, the first self-propagating cross-site scripting worm, onto MySpace.[9] The worm's payload displayed the string "but most of all, Samy is my hero" on a victim's profile and caused the victim to unknowingly send a friend request to Kamkar. When another user viewed an infected profile, the script ran in that user's browser within their own MySpace session and planted the same payload on their profile, so each new victim became a carrier. Within just 20 hours[10] of its October 4, 2005 release, over one million users had run the payload,[11] making Samy the fastest spreading virus of all time.[3] The MySpace team temporarily shut down MySpace to close the cross-site scripting hole in profile pages that the worm exploited.
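As an added example (not code from this page, and not the Samy worm's own code), the following constructed model shows the propagation mechanism just described and why output encoding, rather than a keyword blocklist, stops it: a profile rendered without encoding executes whatever script a previous visitor planted, while the same profile rendered with encoding shows that markup as inert text. The user list, the stand-in payload markup and the one-regex "browser" are all assumptions made for the model.

```javascript
// Added example: a toy model of a stored cross-site scripting worm spreading
// through user profiles. Not the Samy worm and not code from the page; users,
// markup and the "browser" below are constructed for illustration only.

// The visible part of the payload quoted in the text, plus a script element
// standing in for the self-copying code. A real payload is far more involved.
const PAYLOAD_TEXT = 'but most of all, Samy is my hero';
const WORM_MARKUP =
  `<div>${PAYLOAD_TEXT}</div><script>/* worm: copy self, send friend request */</script>`;

// Output encoding: turn user-controlled text into inert HTML text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude stand-in for a browser deciding whether a page contains script.
// Real browsers parse far more than this; the model only needs the basic case.
function containsScript(html) {
  return /<script>[\s\S]*?<\/script>/i.test(html);
}

// A network of profiles. User 0 is the worm author and seeds their own page.
function makeNetwork(n) {
  const users = [];
  for (let i = 0; i < n; i++) {
    users.push({ id: i, about: `I am user ${i}.`, friendRequests: [] });
  }
  users[0].about += WORM_MARKUP;
  return users;
}

// `viewer` loads `host`'s profile page. If the page is rendered without output
// encoding, the script runs in viewer's browser, inside viewer's authenticated
// session, and does what the worm did: edits viewer's own profile to include
// the payload and sends a friend request to the author (user 0).
function view(users, viewer, host, escapeOutput) {
  const rendered = escapeOutput ? escapeHtml(users[host].about) : users[host].about;
  if (!containsScript(rendered)) return;
  if (!users[viewer].about.includes(WORM_MARKUP)) {
    users[viewer].about += WORM_MARKUP;
    users[0].friendRequests.push(viewer);
  }
}

// Each round, every user i (highest id first) views the profile of user i-1,
// so an infection moves exactly one profile further per round. With encoding
// off, r rounds leave min(n, r+1) profiles infected; with encoding on, only
// the author's own seeded profile ever carries live markup.
function simulate(n, rounds, escapeOutput) {
  const users = makeNetwork(n);
  for (let r = 0; r < rounds; r++) {
    for (let i = n - 1; i >= 1; i--) view(users, i, i - 1, escapeOutput);
  }
  const infected = users.filter((u) => u.about.includes(WORM_MARKUP)).length;
  return { infected, friendRequests: users[0].friendRequests.length };
}

console.log('no encoding  :', simulate(10, 3, false)); // { infected: 4, friendRequests: 3 }
console.log('with encoding:', simulate(10, 3, true));  // { infected: 1, friendRequests: 0 }
```

Run it with node. Growth is linear here only because the model chains one viewer per profile; on a real site where many users view a popular profile, every view of an infected page is a new infection, and each newly infected page is in turn viewed by many, which is the exponential spread behind a million infected profiles in 20 hours. The defence is the same in both cases: encode user-supplied content on output so that it can never be parsed as markup, instead of trying to enumerate forbidden keywords.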

In 2006, Kamkar was raided by the United States Secret Service and the Electronic Crimes Task Force, whose powers had been expanded by the Patriot Act, for releasing the worm.[4] Kamkar pleaded guilty to a felony charge of computer hacking in Los Angeles Superior Court and was prohibited from using a computer for three years. Since 2008, Kamkar has done independent computer security and privacy research and consulting.[12]

Notable works

In 2008, after Kamkar's restriction from computers was lifted, he demonstrated weaknesses in Visa, MasterCard and Europay credit cards with built-in Near Field Communication (NFC) and Radio-frequency identification (RFID) chips, and released software demonstrating that the cardholder's name, credit card number and expiration date could be read wirelessly from these cards.[13][14] He also released code demonstrating wireless identity theft of physical access control cards, including HID Global cards, over RFID using only a credit-card-sized device, with no need for a connected computer.[15][16]

In 2010, Kamkar traveled to more than a dozen countries speaking about his mobile security research and the weaknesses he had found in the PHP programming language's pseudorandom number generation, including at some of the largest annual hacker conventions in the world such as DEF CON, Black Hat Briefings and ToorCon.[17][18][19]

In late 2010, Kamkar traveled to Bratislava to attend Fair-Play Hack Day to help expose political and corporate corruption within Slovakia's government.[20]

In early 2011, Kamkar joined the Board of Directors of Brave New Software,[21] a non-profit organization originally funded by a multimillion-dollar U.S. State Department grant.[22] The nonprofit created uProxy, with the University of Washington and Google Ideas, a browser extension intended to let users in repressive regimes access the Internet without being monitored. It also created Lantern, a network designed to circumvent Internet censorship and defeat the suppression of digital information and freedom of speech.[23]

In addition to releasing the Evercookie as free and open source software and exposing the surreptitious collection of data by Apple, Google and Microsoft,[24] in 2011 Kamkar exposed KISSmetrics and Hulu as recreating tracking cookies after consumers deleted them: the unique tracking identifiers were also stored in Flash cookies and HTML5 Local Storage, which were not deleted when consumers cleared their browser cookies, and were copied back into a fresh cookie on the next visit.[25][26] Several companies identified as performing this cookie respawning were subsequently sued by class-action lawyers. In January 2013, KISSmetrics, an online advertising network, settled its cookie respawning lawsuit for $500,000.[27]

Flaw in PHP

In early 2010, Kamkar discovered a major flaw in all then-current versions of the PHP programming language: the pseudorandom number generator used to create session IDs was weak enough that an attacker could predict a user's session ID and take over their session.[28] Kamkar contributed a fix, which shipped in PHP 5.3.2,[29] and once it had been released he published exploit code demonstrating the attack, which had been possible against major banks, social networks and forums.[30][31][32]

Evercookie

Main article: Evercookie

In 2010, Kamkar released Evercookie, a cookie that "apparently cannot be deleted", which was subsequently documented on the front page of The New York Times.[7][33][34] In 2013, a top-secret NSA document leaked[6] by Edward Snowden cited Evercookie as a method of tracking Tor users.
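As an added example covering both the KISSmetrics cookie respawning described in the "Notable works" section and Evercookie (not code from the page, and not Evercookie's or KISSmetrics's own code): a constructed model of an identifier kept in several browser storage areas, the respawn step that copies any surviving value back into the cookie, a check showing which clearing action actually removes the identifier, and a small detector run over a constructed request log. The store names, the identifier value and the log entries are assumptions.

```javascript
// Added example, constructed for illustration: identifier "respawning" across
// browser storage areas, the check that tells whether clearing cookies removed
// the identifier, and a log-based detector. Not Evercookie's or KISSmetrics's
// code; store names and sample data are assumptions.

const STORES = ['cookie', 'localStorage', 'flashLso']; // assumed store names

function makeBrowser() {
  const browser = {};
  for (const s of STORES) browser[s] = {};
  return browser;
}

// Tracker side: write the identifier to every store it can reach.
function setEverywhere(browser, key, value) {
  for (const s of STORES) browser[s][key] = value;
}

// Tracker side, on every page load: find a surviving copy of the identifier in
// any store and write it back to all of them. This is the respawn step; it is
// what makes "delete cookies" ineffective on its own. Returns the identifier
// now in place, or null if every copy was gone.
function respawn(browser, key) {
  const survivor = STORES.map((s) => browser[s][key]).find((v) => v !== undefined);
  if (survivor === undefined) return null;
  setEverywhere(browser, key, survivor);
  return survivor;
}

// User side: the two clearing actions being compared.
function clearCookies(browser) {
  browser.cookie = {};
}
function clearAllStores(browser) {
  for (const s of STORES) browser[s] = {};
}

// Check: what identifier does the tracker see after `clearFn` and one more
// page load? 'abc123' means the clearing action did not help; null means it did.
function identifierAfterClearing(clearFn) {
  const browser = makeBrowser();
  setEverywhere(browser, 'uid', 'abc123'); // constructed identifier
  clearFn(browser);
  return respawn(browser, 'uid');
}

// Detection over a request log: flag any request after a clear_cookies event
// whose cookie identifier was already seen before the clear. A genuinely
// cleared cookie cannot come back with the same value unless something
// restored it.
function detectRespawn(log) {
  const seenBeforeClear = new Set();
  let cleared = false;
  const flagged = [];
  for (const entry of log) {
    if (entry.event === 'clear_cookies') { cleared = true; continue; }
    if (entry.cookieUid === undefined) continue;
    if (!cleared) seenBeforeClear.add(entry.cookieUid);
    else if (seenBeforeClear.has(entry.cookieUid)) flagged.push(entry);
  }
  return flagged;
}

const SAMPLE_LOG = [ // constructed
  { t: 1, event: 'request', host: 'tracker.example', cookieUid: 'abc123' },
  { t: 2, event: 'clear_cookies' },
  { t: 3, event: 'request', host: 'tracker.example' },                   // first load: no cookie yet
  { t: 4, event: 'request', host: 'tracker.example', cookieUid: 'abc123' }, // respawned
  { t: 5, event: 'request', host: 'other.example', cookieUid: 'zzz999' },  // new id, not flagged
];

console.log(identifierAfterClearing(clearCookies));      // 'abc123'
console.log(identifierAfterClearing(clearAllStores));    // null
console.log(detectRespawn(SAMPLE_LOG).map((e) => e.t));  // [ 4 ]
```

The check is the one a practitioner wants when auditing a site: record the identifier, clear only cookies, reload, and compare. If the same value returns, the identifier lives somewhere the cookie-clearing action does not reach, and the remedy on the client is to clear every storage area at once, not cookies alone.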

Mobile research

Main article: Mobile phone tracking

In 2011, Kamkar discovered that iPhone, Android and Windows Phone mobile devices were continuously sending GPS coordinates, correlated with Wi-Fi MAC addresses, back to Apple, Google and Microsoft respectively, and released his research through several front-page articles in The Wall Street Journal.[24][35][36] The iPhone would continue to send location data "even when the location services were turned off".[35] The Windows Phone would also continue to send location data "even when the user has not given the app permission to do so".[36] He also found that Google exposed some of this data, and released Androidmap, a tool exposing Google's database of Wi-Fi MAC addresses correlated with physical coordinates, populated by Android phones.[37]

Parrot AR Drone research

Main article: SkyJack

In 2013, Kamkar created SkyJack, a combination of open source software and hardware running on an unmanned aerial vehicle which was "engineered to autonomously seek out, hack, and wirelessly take over other Parrot drones within wifi distance, creating an army of zombie drones".[5][38] The entire software and hardware specification was released as open source and detailed on his website.[38][39] The software was released one day after Amazon.com announced Amazon Prime Air, a possible future delivery service using drones to deliver small packages as early as 2015.[40]

References

  1. "Twitter / samykamkar". Twitter.
  2. "Fonality - CrunchBase Profile". CrunchBase.
  3. http://net-security.org/dl/articles/WHXSSThreats.pdf
  4. http://lists.owasp.org/pipermail/owasp-losangeles/2008-December/000037.html
  5. Goodin, Dan (2013-12-08). "Flying hacker contraption hunts other drones, turns them into zombies". Ars Technica.
  6. "'Tor Stinks' presentation". The Guardian.
  7. "New Web Code Draws Concern Over Privacy Risks". The New York Times. October 10, 2010.
  8. "Google and Apple on Capitol Hill for high-tech privacy hearing". CNN.
  9. "Cross-Site Scripting Worm Hits MySpace". Betanews. October 13, 2005.
  10. "MySpace Worm Explanation".
  11. "Cross-Site Scripting Worm Floods MySpace". Slashdot.
  12. "Background Data". The Wall Street Journal. April 22, 2011.
  13. "chap.py".
  14. "RFIDiot Documentation".
  15. "SpiderLabs - Getting in with the Proxmark3".
  16. "Proxmark3 Code".
  17. "Samy Kamkar Talks". Retrieved 2013-04-28.
  18. "DEF CON 18 Speakers". Retrieved 2013-04-28.
  19. "Black Hat USA 2010 Speakers". Retrieved 2013-04-28.
  20. "Fair-play Hack Day". Retrieved 2013-04-28.
  21. "Brave New Software".
  22. "Brave New Software".
  23. "Lantern".
  24. "Apple, Google Collect User Data". The Wall Street Journal. April 22, 2011.
  25. "Respawn Redux by Ashkan Soltani".
  26. "Samy Kamkar KISSmetrics Research" (PDF).
  27. Davis, Wendy (2013-01-23). "KISSmetrics Finalizes Supercookies Settlement". MediaPost. Retrieved 2013-01-18.
  28. "PHP blunders with random numbers".
  29. "PHP 5.3.2 Release Announcement".
  30. Baldoni, Roberto; Chockler, Gregory (2012). Collaborative Financial Infrastructure Protection.
  31. "Attack on PHP sessions and random numbers".
  32. "Advisory: Weak RNG in PHP session ID generation leads to session hijacking".
  33. "'Evercookie' is one cookie you don't want to bite". MSNBC. September 22, 2010.
  34. "Q&A: Evercookie Creator Samy Kamkar".
  35. "Jobs Tries to Calm iPhone Imbroglio". The Wall Street Journal. April 28, 2011.
  36. "Microsoft collects phone location data without permission". CNET Networks. September 2, 2011.
  37. "Google's Wi-Fi Database May Know Your Router's Physical Location". Huffington Post. April 25, 2011.
  38. "Samy Kamkar - SkyJack".
  39. "SkyJack source code". 2013-12-08. Retrieved 2013-12-08.
  40. Strange, Adario. "Amazon Unveils Flying Delivery Drones on '60 Minutes'". Mashable. Retrieved 2013-12-01.