Karsten Nohl, PhD, can know where you are, who you’re talking to and what you’re saying… all from his office in Berlin. As the Chief Scientist at Security Research Labs, Nohl works to reveal society’s weakest links in cyber security and shine a light on our hidden vulnerabilities. So Penthouse invited the Doctor over for a house call and a digital security checkup.
What’s your favourite way to introduce yourself that always gets a good reaction?
I usually say “hacker” and see if people understand that there’s a positive element in there. Otherwise, they’re like, “Uh… and when were you jailed the last time?” That’s a fun reaction.
So when were you in jail the last time?
I guess technically I’m breaking laws all the time because there are some ridiculous laws. For instance, owning a computer is illegal if that computer can be used for hacking, but so far no prosecutors seem to mind that I, and I guess most people in my country, own a computer.
How’d you get started with hacking?
I started hacking based on the understanding that what I created as a cryptographer back in graduate school, other people would hack. It drove me crazy that I couldn’t create anything that other people couldn’t easily hack. Then I came to understand that there was value in that too: in breaking other people’s stuff to show them how to improve. So I was never good enough to actually create something that wasn’t hackable, but I just flipped sides: now I’m breaking other people’s stuff to help them understand where their weaknesses are.
You earned your PhD in Computer Engineering at the University of Virginia. So that makes you Dr Cyber-Security?
Dr Hacker, actually.
Ok, give it to me straight, Doc. How bad is it?
Security right now is much over-hyped. It was always pretty bad if you asked the question: what could happen to you? But nothing ever actually does happen to most people, right? So, a little bit like car crashes, you can imagine a million ways of dying in a car, accidental or of your own stupidity, but most people who drive cars are still alive. It’s similar on the internet; you can get hacked. Just by chance, most people haven’t been yet. There’s a big disconnect between what could happen and what does happen. Now, like in car traffic, the occasional person does die (again based on chance), and that’s really sad. And occasionally a person does get hacked on the internet, and even though that’s sad, it’s equally avoidable on a lot of occasions. That’s what a lot of our work focuses on: how to make it so that you don’t get hacked on the internet, not even by chance. Based on everybody being vulnerable, we want to make it so that for the only people who do get hacked, the hacker is trying really, really hard and has a really, really good reason to hack them, which may not be preventable in the end. The Average Joe should not get hacked based on chance, like they shouldn’t get run over by a car just by chance.
So while there’s always the chance, we don’t have to plan for anything that’s not likely to happen?
I think we should plan for things that are unlikely to happen if they have disastrous consequences. Right now in Germany, we have a few terrorist attacks. There have never been more than nine people who died, so it’s not like 9/11 or anything, and some people worry about this, somewhat irrationally I think, because nine people, that happens in road traffic every single day probably, in every major city. Still, people worry about it because they consider the consequences so dire: to be killed by some outside, malicious actor. Similarly, on the internet, we should make it so that it’s not the worst possible outcome. A good example: everybody has their password stolen a couple of times in their lifetime. Either because you have a virus on your computer and you type in your password, or the more likely scenario: you go to some website where you’re a customer, and they have their password database stolen, and yours is part of the bounty… the loot, so to speak. If you use the same password on every single website, your entire online life gets hacked. If you use a different password everywhere, only that particular website that got hacked, which was insecure anyway, is now insecure for one more reason. Damage containment is hugely important, even in a world where everything can get hacked.
Companies hire you so you can hack them before someone tries to do it maliciously.
Precisely. Usually, I get hired only after a real hack, so it takes extreme foresight to say, “We haven’t been hacked in 20 years” (I don’t know, like Nintendo, for instance, not in a major way) “and now something’s changed so fundamentally about our business that we should be more afraid, and we should have our security tested.” Usually, only the evil hack rings the alarm bell and people wake up and hire me.
You were able to ring that alarm bell a bit when you were on 60 Minutes and hacked a US Congressman’s cell phone.
Oh yeah, that was fun.
What was the most interesting thing you found out about him?
With this guy in particular, and I’m super glad that he played along, of course, but with this guy in particular, I was a little bit surprised about how surprised he was about what we can do. This guy sits on the House Oversight Committee for Intelligence Organisations, so he’s on the board of the NSA, you could say. And obviously the NSA is doing much more fancy stuff than we do, but the NSA is also supposedly there to protect America from attacks from the outside. So, we could possibly be a threat actor that they should prevent. By us hacking the government, I was very surprised how strong the offensive side of the NSA was, but then it suppresses the defensive side that they’re supposed to do. Basically, the NSA’s ambition to hack everybody all the time seems to suppress their second agenda, where they should also protect everybody all the time, at least their own citizens. But through that, of course, everybody uses the same technology, so in the end, everybody. I was a little bit shocked that, at least through that interaction, I learned that the US government doesn’t do much to make technology better. They seem to almost intentionally keep it weak so that they can continue to hack everybody all the time. But then, so can everybody else, now including some individuals in Berlin: myself and my team.
You also told 60 Minutes that even though the Congressman could be careful on his phone and do his best to prevent hacking, he’d still be vulnerable. But now, thanks to you, there’s an app for that. So how exactly does SnoopSnitch help the situation?
Exactly. The reason that this Congressman, and in fact a few months later, you guys down in Australia, your 60 Minutes had a Senator get hacked by us, all these different Congressmen, they don’t get hacked based on what they do on their phone, they get hacked based on the networks they’re on. These networks… in a lot of cases, they’re insecurely configured. They’ll let anyone in the world pull information to the point that they can reroute your calls, track your location, all of that. So, you would think that from the phone side, you can do something about it. In the end, you can’t prevent it. But, you can do the next best thing: you can notice that these attacks are happening. You can notice that someone is monitoring your location continuously, because any time someone pings your network asking, “Where’s this person?” the network will find you and send you a little ping. And so these are observable, but they’re not observable through a normal app. This information is more deeply hidden inside the phone, and the SnoopSnitch app that we created is digging this information up and making it visible for people. And not the raw information only; it also generates alarms. It will say, “Oh wait a second, I think you’re being tracked by somebody,” or “We think you’re now connected to an IMSI catcher,” a kind of spy device from the 90s that’s still hugely popular with governments. “We think you’re connected to an IMSI catcher; you better not make an important phone call, or it will probably be intercepted.” It’s a handy little app for everybody who thinks that they may be under surveillance. From 150,000 people who did install it, and who voluntarily submit some data, we see that in fact, people are being tracked all over the world. To a lesser degree than we thought, so it’s not everybody, all the time, like the NSA is doing passively, but these active attacks, they do happen, and they do happen everywhere.
It doesn’t take the likes of the NSA to do it; if we can do it among a group of friends, then, of course, every government in the world will be able to get this skill.
At last year’s 32C3, you spoke on payment security. So even with the implementation of payWave and chip technology in our cards, we’re still at risk?
Absolutely. What we show over and over again is that there exists a simple principle that applies to basically every system that people use when it comes to security: the principle of the weakest link of the chain. Just because you have a fancy data centre at a bank, and you put very expensive chips in your payment card… if this is where you put your resources, there are other links in the chain involved that you may not pay too much attention to, that may be completely outside of the control of your governments. In the case of payment systems, what we’ve identified as the weakest link in the chain are the payment terminals that are sitting at the merchants. The little things that you stick your card in or swipe your card through, those are usually procured by the merchants, and they are certified by the banks. But of course, a merchant will pick whatever is cheapest, that just barely made it through the certification. What we found is that none of the ones that we used in the countries that we did test in Europe have even deserved the certification, and they are completely failing banking security, making it so that the entire chain bursts independently of how secure the other links of the chain are. This is a general theme in hacking: if a company claims, “Hey, we’ve improved this part of the system, now it’s hacking proof,” you move away from there to another part of their system and hack them anyway. So companies are not usually very good. They have this end-to-end view, but they improve incrementally in silos, and every silo is very proud of what it achieves. Just a few things, like these payment terminals that I mentioned, were never assigned to a security guy, so there’s no improvement at all. It got stuck in this particular cave of early 90s security, when people first played around with computers and were trying to make them secure. They never improved from there.
So what’s new and exciting that you’re working on?
The next group of systems that we’ve looked at, and just found the very same patterns that we just discussed with payment systems, are cars. Again, cars exist… even a single car has numerous different systems that interact, and it’s typically understood by car manufacturers that they have to do some kind of testing on the user-facing computer: basically your entertainment system, your push buttons or touch screen, installed software and whatnot. What they often forget is that the security of cars is equally determined by all the other components that have been in there for years and have never been security tested. Now all of these fancy electronics that have been added are connected to the internet, so we find that cars are at least a very ripe hacking target. What they aren’t yet is a very attractive hacking target. It’s not that valuable to know where people are; you can already get that from their phones very easily. So it’s unclear why they’d want to hack a car, but that’s changing quickly because people are amassing more and more private information that’s valuable.