Kevin Mitnick: Govt thought I could launch nuke just by whistling into phone
In a world in which everything is controlled by computers; binary code rules communications, energy, food and water. In such reality, what is a hacker? Are they all criminals looking to steal and to harm - or do some of them do it for just a thrill, for adventure in this digital world? We ask one such cyber-adventurer, a hacker who was once on the FBI’s most-wanted list and now works to protect companies from hacking. Kevin Mitnick is on Sophie&Co.
Sophie Shevardnadze: Kevin Mitnick, a renowned hacker, cyber-security specialist, welcome to the programme, it’s great to have you with us. Now, just recently Russian internet security company Kaspersky labs presented a report, suggesting it had uncovered U.S. spyware that can permanently penetrate computers, conduct surveillance. it can’t be detected by regular virus protection, and it’s been active since 2001 - so, why were they the only ones to uncover this?
Kevin Mitnick: They probably found some sort of weird infection going on, maybe, through their honeypots that are all over the Internet, or maybe that was at the client system, or whatever, whatever tipped them off that something was going on. They spent the time on the analysis and they developed this report. I haven’t had an opportunity to read the entire report, but I saw the news reports about it, and to me, when I read it, I was not really surprised, because I believe there’s lots of government-based malware out there on the Internet, and probably a lot of this malware hasn’t been identified yet. So I believe this is one of many.
SS: But are you alarmed? I mean, are you going to clean out your hard drive after this?
KM: Well, I use a Mac, and that particular malware was designed for Windows, so I feel safe.
SS: Okay, but the U.S. has built a multi-billion dollar cyber warfare capability, which, with the Cyber Command set back in 2010 - what big threat is it preparing for?
KM: Why would they be spending billions of dollars on cyber-security stuff? It’s because they want the best offensive position, to, basically, compromise any targets, especially foreign targets, and to defend, obviously, against the attacks on the U.S. infrastructures. So, it’s kind of a no-brainer in a common sense thing for me, because, basically, everything now, pretty much, is cyber, everything is controlled by computers, so he who controls the computers will win.
SS: Well defending infrastructure and territories is your speciality at this point, but in a recent interview President Obama said “there’s no clear line between offense and defense” when it comes to cyber operations - so how do you keep attacks from getting out of hand then? There are rules in regular warfare, should the same thing exist when it comes to cyber security?
KM: Well, we’re not dealing with government, when we’re dealing with regular hackers in the street that were breaking into businesses - there’s no rules of engagement. The only rule of engagement for the bad guy is try not to get detected, try not to get identified, caught and prosecuted - that’s the only rule of engagement.
SS: What is the scariest thing the hacker can in reality gain control over? You should know about it, you’re like the most famous hacker in your past life. We saw Stuxnet, believed to be U.S.-Israeli project, cause havoc on a nuclear plant in Iran. That’s pretty dangerous stuff, right? So, you can hack and cause something to go wrong at a military command center? How do you ensure a sensitive area like that is totally secure?
KM: You try to air gap it. You try to ensure that any system or just SCADA systems which are that control devices and hardware are air gapped from a network that’s available on the Internet. You know, or we can connect it through a corporate network. Unfortunately, what companies have done to manage their SCADA systems is they actually made a connection from their local area network to these other systems and there’s no air gap - so now, an attacker can get into these more sensitive systems through the corporate network. And, there’s USB attacks: if somebody, for example, infects a USB drive, and you have an engineer plug that into computer that’s on the SCADA network, then that obviously an attack that is viable and could be used; in fact, it was used in Stuxnet. That was the primary attack vector, infecting a USB stick. So you can have a rule, don’t plug in the USB.
SS: So going back to my question, what is the scariest thing a hacker can hack into or get hold of? Can anything be hacked in, eventually?
KM: I remember back in 80s and 90s, I pretty much compromised all the telecommunication systems in the U.S. I got full control of all the telephone switches in New York, California, Chicago and many other states, and you would think if I was a real bad guy, that would be pretty scary, because I could have brought those switches down and pretty much interfere with telecommunications as a kid. So now you can imagine fast-forward 20-25 years, what the capabilities are: financial capabilities of compromising large bank accounts for financial fraud type of attacks, and then you have critical infrastructure attacks: on energy, telecommunications and other stuff.
SS: Well, there are a lot of eye-openers that the general public got, regarding NSA lately. So, National Security Agency routinely receives and intercepts routers, servers, other computer network devices, destined for international customers, before they’re exported from the U.S. So, it installs surveillance tools and repackages these devices. My question is - do firms know the NSA is hampering with their devices, and can they do something about it?
KM: Now they do. They probably did, though, before… It’s kind of a common sense thing, we do that. When companies hire me to break into their systems, we’ll do the same thing - we’ll try to introduce booby-trapped hardware or malicious software into the network, by repackaging up devices and shipping it into the company that purports to come from the vendor, so if we do this in testing security for businesses, it’s a no-brainer that spy agencies are going to use the same tactics; but because of Snowden’s revelations it’s really been eye-opening about the capabilities of our NSA and how they have accessed everything, every phone-call, every email, and how they could access it, usingXKeyscorealmost like a Google-based user interface, and get access to everything. That’s actually pretty scary and I guess the Snowden revelations are actually the most scary hacker-based attacks that I’ve read about.
SS: We’re gonna talk about Snowden revelations in a little bit, but just to finish up these questions - are you saying the only way for countries to protect their products, is to start building their own computers?
KM: Well, in a military, when you’re dealing with defence, I’m sure that certain countries don’t trust other countries’ hardware. So I bet in China, they use Huawei - I believe that’s the company name - they probably used that type of hardware and they’re probably not going to be using Cisco or Juniper, right, because they don’t trust it, unless you could audit and look at all the firmware and actually audit everything - how can you really trust it? You can’t, because you never know what’s going to be in there. So, they’re going to have to build it themselves, or every device that get shipped, they’re going to have to verify, that the firmware matches a signature to ensure it hasn’t been tampered with, and that that firmware has been audited to identify any type of security holes that are implanted in that system.
SS: So, going back to Snowden that you brought up recently - his revelations say that U.S. and British spies hacked the largest manufacturer of sim cards, stealing encryption keys allowing them to spy on mobile communications across the world. Who needs all that information? Can you really find something if you don’t know what you’re looking for?
KM: Well, it makes sense to me, because, basically, they want access to everything and so then when they need an access to something, they can do it. It’s basically what they unfortunately do in the U.S., they pull in all of the communications, then they have computer algorithms analyze all the communications that were intercepted, which they shouldn’t be intercepting in the first place - and, then, anything that meets some sort of criteria, goes off to an NSA analyst. So, what the NSA and GCHQ wants, is they want the capability to monitor anyone in the world, right. One of the ways they did this was to get all of the crypto-keys, which makes sense. Now when we find out about this, it’s pretty shocking, and I would like to get a new sim-card, where my crypto-key isn’t compromised, but if they already have a target, they have other ways to. - and if it is using regular cell phone, they can actually get that information by hacking the provider, they don’t actually have to hack a person’s handset. So - it’s pretty eye-opening, but that’s how they work. It’s not like we have a target and we just gonna narrowly focus on that target - it’s “we want all communications in the world and then when we have a target, we’ll leverage that at that instance”. Which kind of makes sense to me.
SS: I’ll tell you what - it’s some scary stuff, scary stuff, Kevin.
SS: Now, let’s talk a bit about you. The FBI, the U.S. Marshall service, the Secret Service - they were all chasing after you. You were even called, like, “the computer terrorist” in the 90s. Were you really that dangerous, and if yes, then for whom? For general public or for the state?
KM: The government obviously labeled me with these terms, like “terrorist”, and they locked me up in solitary confinement because they said I could whistle into a telephone and launch nuclear weapons. Basically, I became the example, and they created this myth of Kevin Mitnick to scare the public. But if the truth be known, I was fascinated with technology and telephone systems, and I became a hacker more for the exploration, for the seduction of adventure and pursuit of knowledge. I was able to compromise a lot of stuff, like, for example, most of the telephone companies in the U.S. and stuff like that, but it wasn’t to do damage or to sell to a foreign power or anything like that; it was more for my intellectual curiosity - and I ended up getting in a lot of trouble for it, I ended up getting sent to prison for 5 years. Four of those years were without trial.
SS: ...I was going to say your intellectual curiosity actual you several times in prison - but why weren’t you able to hide your activities?...
KM: Curiosity killed the cat!
SS: Why were you always traced back, why couldn’t you hide your activity?
KM: Because you have informants. You have friends that you are hacking with and they inform on you and tell the government, because they get upset with you - and that’s how I was caught in 1988, for example, one of my hacker comrades, if you will, informed the FBI about what we were doing. They could not find us, they could not catch us, so no matter what you’re doing, no matter how smart of a hacker you are, and how clever you are, you could always get caught if somebody snitches on you. It doesn’t matter.
SS: So if you’re on your own, you’re operating on your own, then you’re safe?
KM: It depends. The more comfortable you get doing things, the more mistakes you could actually make. So the number one way how I was caught, for example, in my federal case, was because of the use of informants.
SS: So what was your biggest, coolest hack ever?
KM: My biggest, coolest hack was actually in McDonalds.
SS: Tell me about it.
KM: I figured out as a young boy how to take over the radio communications at their drive-up windows, so I could sit across the street and when a customer in drive up made an order, I would actually take over the system and I would be the guy inside the McDonalds, right, taking the order for the customer, and of course, you know, as a 16-teen year old, you could have a lot of fun doing that. So, customers placed their order, and I’d say “your order is absolutely free, please drive forward” and especially when the cops would drive up, I would say “hide the cocaine, hide the cocaine!”, and the manager inside this McDonalds was freaking out so much, he went out to the parking lot, looked around, he looked in the cars, he was looking all around, and he couldn’t see anything, and then he walks up to drive up window speaker, and he looks inside, as if there’s somebody hiding in there, and I key down my microphone “what the hell are you looking at?!” and this guy, like, flew back about 10 feet. So, hands down, that was my favourite hack.
SS: You sound like you had a lot of fun, but do hackers usually do this for fun and thrill like you, or are an exception?
KM: I was a prankster, I love pulling pranks, and why I got into hacking was my fascination with telephone system; kind of what Steve Jobs and Steve Wozniak had the same fascination back in 1975, fast forward to 1980, and I had the same fascination and I love pulling pranks, and what enabled me to be a great prankster is gaining control over phone company’s computer system to do things. I would change a friend’s home telephone to a payphone, so whenever he tried to make a call, it would say “please deposit 25 cents” - obviously there was no coin slot in his home phone, and I started in this pranksterism and that was what set me into this, kind of on this road into computer hacking, and then I got into a lot more sophisticated things, like I’ve been in quite a bit of trouble in 1999s.
SS: Now, when you’re hacking into the phone companies, you first had to call the workers, gain their trust - I mean, essentially, you really hack into people’s brains before you hacked into the machinery. Does it still work like that, nowadays?
KM: It works all the time, and it wasn’t just social engineering. What social engineering is, is when you use manipulation, deception and influence to get a target to comply with a request, release information, go to a particular website, or open up a document that’s been booby-trapped with malware. This is what we call “social engineering”, and I was extremely effective at compromising targets, using these attack method. To be really successful in hacking endeavours, you use both social engineering and you use technical means to break into the target, and when you combine these two, and it’s a hybrid attack - you’re pretty much unstoppable. In fact, every company that hires us to test our security, we have a 100% success rate - we always get in because we never give up, and what we do is we combine both social engineering and technical-based exploits to penetrate a target, and we do a lot of meticulous research and we’re very successful at it. So when I hear about companies like Sony or other, and these large companies being hacked, I kinda roll my eyes and go: “yeah, makes sense, it probably wasn’t too hard”.
SS: So, hacking in general, you’re saying it’s more about people than it is about technology.
KM: No, it’s both, but when you put both of them together, when you can manipulate people and you can manipulate technology and you have the intelligence to create a plan, to infuse both of them and attack a target, you’re likely going to win, you’re likely going to be able to break in. It’s not that one is better than the other, it’s actually a tool, and you take a tools that you have and you join it altogether, and you become very lethal. When we’re allowed to combine social engineering and technical-based attacks, and we’re testing our clients, we have 100% success rate, right. So, it doesn’t surprise me, when I hear about all these attacks in the companies, like that process credit cards and companies like Sony, that was recently hacked, it’s not a surprise to myself, and it’s not a surprise to other people that are security experts, because we realise it’s so easy, it’s not hard at all. What’s hard is defending yourself against these attacks.
SS: Well, actually, that was going to be my other question - tell me something, if someone who knows social engineering, and the computers and technology as well as you - could they hack into your computer if they wanted to, or do you know how to protect yourself?
KM: Want to hear something funny? About 30 minutes before I had to come to the studio to this interview...no, about an hour and 30 minutes, I apologise - I received a phone call from this guy with an Indian accent and he’s saying he’s from the Windows support center and he’s telling me first that my computer is sending reports that it’s infected, and this guy wants to help me over the phone to fix these “infection” - but what he’s trying to do, is to compromise my computer. And, he has no idea I’m Kevin Mitnick, so I’ve recorded this call, I’m going to edit it and publish it later, but it was actually pretty hilarious, because this guy, from India, was trying to social engineer me into installing his malware onto my computer, not realising whom he’s taking to.
SS: So, now, you operate a computer security lab….
KM: Not a lab, a company.
SS: A company, okay. What would you tell our viewers to do if they don’t want to be spied on through their devices?
KM: Well, okay, so you’re probably suggesting about the NSA capabilities and other spy agencies. That’s really hard, but what I would suggest is you never use a landline phone. I mean, If you have to do a sensitive call. If you’re calling to order pizza - who cares, right? But if you want to protect the contents of your communications whether it’s instant message, text message, or voice communications, you have to use secure voice-apps over the Internet. You have to use tools like, for Android there’s RedPhone, for Iphone there is Silent - there are different applications that do what we call end-to-end encryption, and you can do it for voice, you can do it for text, and if you use these applications properly - please, note the word “properly”, because there is a technique called “man-in-the-middle attack” where the bad guy inserts himself into the middle of the conversation and tries to fool each side - well, to prevent these “man-in-the-middle” attacks, these application put some sort of code or some sort of word, and you have to confirm on both sides that that’s what both parties see, right, and if you use these applications right, it makes it really-really hard for anyone, including intelligence agencies, to intercept those communications. So if you use, again, these applications - that will protect you. If you use regular cell-phone, or you’re using Imessage or whatever - forget it! Because you don’t manage those keys, those crypto-keys, there are other big companies that manage those, and you never know if they are being forced to cooperate against you.
SS: Also the latest smartphone trend is finger-print ID - it’s being created as an easy and fast way to pay online, verify your id, protect your information - what’s stopping hackers from stopping your fingerprint if it’s encrypted into your phone?
KM: I don’t know about fingerprint being encrypted, but that’s already has been compromised. If you’re talking about Touch ID, when it first came out, there was a group of security researchers that compromised it - but it’s actually dangerous when you’re crossing borders, and especially in the U.S., because you can be forced by a judge to press your finger across the phone to unlock it, and you can’t be forced to reveal the passcode, right, you can’t be forced to give testimonial type information about yourself, right. So, if you cross the border, and you, for example, have an Iphone, the smartest thing to do is you reboot the Iphone - you turn it off and you turn it on, and you don’t put in your passcode at first, because if you don’t put it in, your Touch ID doesn't work, you always have to put in your passcode first on the boot - so, if you don’t do that, then when you cross the border, if they try to force you to unlock your phone by touching your thumb or your fingers on the phone, it’s not going to work, right, because that’s the risk, having a foreign government get access to your communications because you’re crossing the border, and they’re allowed to force you to use your fingerprints or thumbprints.
SS: Kevin, thank you very much, you just gave us so many useful tips, especially for those who are just about to go to prison or being tried. Thanks a lot for this great insight into the world of hacking and protecting your cyberspace. Kevin Mitnick, cybersecurity professional, notorious hacker, thank you very much for joining us. That’s it for this edition of Sophie&Co, and I will see you next time.