Future Now
The IFTF Blog
Hacking Security at Toorcamp
You might expect that a hacker camp, like Toorcamp, is full of shady individuals who want to break into your computer and steal your data. Oftentimes, people consider “hacking” to be a negative venture. In my experience this is not the case.
So, what is a hack? How does one end up identifying with this community? Each person who you ask this question of will probably give you a different answer, and this is rightly so. My interpretation of a hacker/maker is someone who enjoys experimentation and the creation of novel tools, leading to further interconnection and innovation. A hacker is one who tinkers with culture and tests vulnerabilities, in technology and elsewhere, with the goal of making a more robust, resilient human community.
One of the workshops here at Toorcamp teaches you how to test the vulnerabilities of a ubiquitous physical security system: the pin and tumbler lock. It is a style of lock that has a long and tried history, but even so is vulnerable. Everyone reading this most likely possesses a key that opens a lock of this type. But what most people don't know is that these locks are surprisingly easy to open with the simplest of tools. By simplest I mean any piece of metal that fits in the lock, whether it's a hairpin, bike spoke or windshield wiper clip.
The first time I picked a lock it took about 15 minutes and two hairpins, seriously. Opening that first lock gave a tremendous feeling of accomplishment, and it provided one of those moments of sudden realization. That realization was that this is a technology that everyone trusts to ensure their safety and their security over their possessions. Locks are only a deterrent, providing the illusion of security, an illusion that is easily broken.
This physical security lock has proven to be a useful analogy; it has helped me to better understand digital security. Hackers are constantly looking for vulnerabilities in the codes they create. Your email account, your online banking, your Dropbox or Google Docs account: they are constantly being tested for vulnerabilities. Sometimes the chinks in the armor are exploited maliciously. Sometimes they are used for political activism to inspire discourse surrounding vulnerabilities in larger systems. More often than not, software vulnerabilities are openly published in an effort to fix the problem at hand and create a more robust system, also known as making the world better.
At a recent security conference in Las Vegas, Mozilla software developer Cody Brocious shared a hack that can be used to open the keycard locks that are found on around four million hotel doors, or more; I haven’t actually sat down to calculate how many doors in hotels are affected by this. This hack was done using an inexpensive Arduino microcontroller and some code that Cody plans on publishing soon. At first glance you might think this guy is a criminal, but please, leave the conspiracies at home. Sure, we know breaking and entering is illegal. The best part about this is that Cody didn't steal anything; he merely shed light on a vulnerability. In an interview with Forbes, Cody said, “…With how stupidly simple this [key card entry] is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments.” The keycard entry system is flawed, especially when people have access to the level of technology that is openly available today. This isn’t to say that having more knowledge about these systems is inherently bad in some way. I suggest that we become more aware of the current technologies and find their vulnerabilities sooner, so that we may be capable of creating more secure and robust systems in the future.
It has been said that locks are used to keep honest people out. What happens when honest people think of hacking security as a fun challenge to be explored? One common response is to make this type of activity illegal; on this point I have to disagree. Preventing people from owning lock picks or hairpins, and forbidding the accumulation of knowledge about the inherent insecurity that exists before their very eyes, may increase theft, because a thief is safe from another thief in jail. What about you? This approach, being “Keep everyone in the dark about the insecurity that exists,” doesn't actually address the fact that most locks, whether digital or physical, are prone to vulnerability. It is a natural human tendency to tinker with things like locks or codes in search of different methods for solving the puzzle. Robust security, I am sure, we can get behind; you really don’t want folks breaking into your hotel room, right? When Cody Brocious shared how to open a hotel door with a non-standard keycard, he brought accountability to a flawed technology and provided the opportunity to strengthen the system. Openly sharing hacks is commonplace within the hacker community, like Toorcamp and spaces similar to it, but current politics, and the media, often stigmatize these activities. Rather than pushing this activity underground, we ought to be encouraging this effort to create a more resilient society.