Hacked - Hacking Bicycles + DIY Laser Exploits + the National Public Data Breach
Episode Date: August 24, 2024
You can do a lot of damage by changing someone's bike gear at the wrong time. A collection of stories including a DIY laser mad science project that aims to replicate a $150,000 piece of equipment, and one of the largest leaks of US Social Security Numbers.
Transcript
The history of cheating in professional cycling is long and weird.
It starts with the first Tour de France in 1903, when the odds-on favorite, a guy named Hippolyte Aucouturier, fell out of the race due to food poisoning.
It was later figured out that he was the victim of a spiked bottle of lemonade that was handed to him by a spectator.
Hippolyte was radicalized by the experience and came back the next year with a loony-tune scheme for his own cheating that involved him being towed by a car by a string tied to a cork that he gripped between his teeth.
Hippolyte almost got away with it.
Seems so ridiculous.
People have cheated at cycling using itching powder.
They've done fake route signage to trick opponents.
The modern era and the catch-all term for putting performance-enhancing drugs into the body of the cyclist is called doping.
The most famous case of which was Lance Armstrong, who managed to avoid testing positive for doping for the duration of his 1999 to 2005 Tour de France reign.
Now, by all accounts, since that giant public embarrassment for the sport, there has been an increased effort to stop doping. It's not perfect, but my sense of the general consensus is that it has gotten better. And as such, a migration has occurred, at least in part, from messing with the body of the biker to the body of the bike. This new chapter is called motor doping. And to put it bluntly, it's taking a bicycle and
slamming a secret motor somewhere inside of it. The Union Cycliste Internationale, the international
governing body of cycling, puts that into its own whole category they call technological fraud,
which is relevant in where this is going. Concerns started in 2010. There were some rumors in
2014 when a cyclist crashed and his wheel popped off and kept moving in a very suspicious way
that may or may not have defied physics. But the first confirmed case was in 2016 at the
cyclocross World Championships when a cyclist named Femke Van den Driessche was caught. There's a great
podcast about it called Ghost in the Machine if you're interested in learning about that. But here's
where this is all going. If we pay attention to our history, the evolution of bike cheating has
kind of gone, mucking with your opponent's body to mucking with your body to mucking with your
bike. And for it to go all the way full circle, we kind of have to ask, what if you could muck
with your opponent's bike? On this episode of Hacked, we are talking about a bunch of stuff,
including an attack developed by two researchers in the U.S. who figured out that the gear shifters
of very high-end bicycles, many of which are electronic, can be spoofed,
and with some pretty affordable equipment they could remotely shift the gears of a target's bicycle,
creating all sorts of potential trouble.
We're talking about using off-the-shelf lasers to hack microchips, how AI in your email
makes phishing even easier, and a very big, very good old-fashioned data breach of a data broker
with some very bad implications.
All of that and more on this episode of Hacked.
Hey, Jordan, how are you doing?
I'm doing good, man.
I'm doing good.
Okay.
We're back.
We're back on home turf.
We're back.
Post Vegas.
Post Vegas.
I've got, I think last night was my best night's sleep after getting back from Vegas.
So I'm feeling fully recovered.
I feel good, which is a nice feeling.
Yes.
It took a bit for me to recover as well.
It was like partway through the week.
I finally started feeling he again.
I think there's an interesting thing you're going to learn about me here is that I'm kind of,
an obsessive fan about cycling.
Hell yes.
I don't know if you knew that about me.
So the intro story is going to,
there's going to be some interesting tidbits coming up from this one
because I love cycling and I love watching it.
I love doing it.
Yeah.
It is one of my primary hobbies, if not my most primary hobby.
I've seen some of your bikes.
I had a feeling that's where it was going.
And I was curious, do you happen to own any, I want to make sure I get this right, Shimano D-I-2 wireless gear shifters?
No, I do not own Shimano Di2, but I do have a SRAM Red eTap, which is one of the competitive products, which is very similar.
There you go.
Well, no one's hacking your bike yet, maybe.
We'll see.
Only me.
Only me.
Only you.
By putting a motor in it.
I have an e-bike as well.
So I have paid money for a bike that has a motor in it, and they're amazing.
I avoided getting a mountain bike e-bike for a long time, and I picked one up last summer.
And, oh, my God, I have one of the super light ones, like, not one of the big ones.
The full-size e-bikes are actually called full-fat, which is hilarious because, you know,
there's like a stereotype about the people that ride them being heavier.
So it's like, it's kind of a weird name to give it.
But I have a super light one.
And just the ability to push a little button and get a little bit of motor assistance,
when you're like starting to burn out on a big climb or something like that is amazing.
They're an amazing scientific evolution that has made cycling, and long-duration cycling in particular, more accessible to the everyday person.
It's, I love it.
I think it's great.
I am very excited by the entire industry and where they're going and I'm happy to see it.
Yeah, I'm a prairie boy that moved to a hilly place, and I shop for one like once a month.
I just go clicking around, put one in a cart, never fully commit.
The reason we're talking about bikes is because two researchers, one from UC San Diego and one from
Northeastern University, presented a technique at the USENIX Workshop on Offensive Technologies.
And the thrust of it is that they've developed an attack that allows for spoofing the signals
of a Shimano Di2 wireless gear shifter, which is used by top cycling teams, including in
events like the Olympics and the Tour de France, from up to 30 feet away.
Using this attack, they could cause the targeted bike to shift gears unexpectedly or even lock into the wrong gear.
In the context of a race, this would cause significant disruptions.
It could cause a rider to lose time during a climb.
It could even cause them to crash during a sprint.
I'm not a massive cyclist, but even I can appreciate that having someone go whoopsie-doodle on the gear that you're using at the exact wrong moment could be pretty devastating.
In the same way that handing someone a bottle of spiked lemonade that gives them food poisoning would be pretty devastating.
Well, I don't know where we want to start here because I got some great anecdotes about
like classic Tour de France riders.
So there was the, let's start there.
Let's go back in time.
Sure.
So allegedly, back in the day, the original era, I can't remember the exact days or years,
but smoking and drinking were like respectable things to do when you were a Tour de France
rider.
So you're on this like 21-day, like three to four thousand
kilometer, you know, stage race. And it's not uncommon to see photos of people like riding together
passing around bottles of wine or like, you know, they finish a race and they're smoking cigars.
It's just such a shocking difference from today's, you know, pro cyclists. You see them and they're like
emaciated physical specimens. Yeah, yeah. Like their body is so configured to the
sport. And rumor has it that
Back in the day, they would frequently take blends of heroin for the pain and cocaine for the energy as part of their daily supplements.
It's like, hey.
Wow.
You know how to.
Yeah.
Yeah.
So aside from drinking and smoking, they were also doing cocaine and taking, you know, opioids to deal with the fact that their body did not like what they were up to.
So rumor has it.
Yeah.
Mixing uppers and downers is like a famously cool and healthy and survivable thing to do.
And then making your heart go like a trillion miles per hour on a bike.
Good Lord.
So Lance Armstrong,
obviously one of the biggest, like most well-known cases,
just given his dominance in it.
But two of Lance Armstrong's biggest rivals,
Marco Pantani, an Italian gentleman,
and Jan Ullrich, German,
were both also subsequently charged by the UCI with doping.
Marco Pantani actually died at like 34 from a cocaine overdose mixed with his doping thing, and he passed away. Sad.
He's like an Italian legend in the sport of cycling.
But yeah, so I would say cheating and cycling go hand in hand.
Yeah, that was my sense of it from just trying to even get up to speed on the whole thing.
I thought, okay, I'm going to start at Lance Armstrong and work my way forward,
which brought me through motor doping, which is a big story right now.
And then the second you look into that, you realize,
oh, Lance Armstrong is part of a long and proud lineage of caring a ton about cycling,
but not so much that you don't cheat.
It's fascinating.
I think it's like we talked about this in the video game cheating thing,
but it's like if you start to believe that everybody else is cheating,
the only way to be competitive is to cheat.
And I feel like this is one of those sports that had this revolution early
on. Like there's just so many people, like even this year, like, you know, they've been making huge
strides and, you know, the Olympics just finished and there's so much speculation about the
Chinese swim team and all the rest of this stuff. And even known dopers like Lance Armstrong,
who has a podcast and talks about cycling, they're talking about the winner of this year's
Tour de France and some of the ungodly feats that he managed to do, not to mention the fact that
he had just won the Giro d'Italia,
which is another major stage race,
just weeks before coming to the Tour de France.
So normally cyclist's bodies wouldn't recover fast enough to do this.
And he managed to come back and do all these feats.
And they were just like,
well,
this starts to make you ask questions about,
you know,
what is possible and what is not possible?
Like how is he recovering so fast and all the stuff?
So there's even speculation in today's cycling
that people are still, you know, enhancing.
Yeah.
I'm reading about Lance and how, you know, Team RadioShack and all of Lance's
old teams, how they cheated is nuts.
Like they used to do full blood transfusions and stuff in the middle of the night.
So they would replace worn out broken blood with ultra platelet rich thick blood.
And their resting heart rates would get down so low
that they would almost go into cardiac arrest, that they'd have to be woken up in the
middle of the night and get on a bike and sit on a trainer for an hour just to raise their heart rate
enough that they wouldn't die. Jesus.
Anyway, I can.
Lance, you were dead, but we need you to do a race really good right now.
Well, actually, I watched a recent episode, sorry, we're in total tangent land here,
but I watched a recent episode of... I did this to us. It's fine.
I watched a recent episode of Lance's podcast, and he had his old team manager on, or his old
physio, somebody that was involved in his doping.
Yeah.
And they were talking about how they would sit down and plan how much performance he would
show that day as a political thing to make people not assume he was doping because
he had so much energy in the tank and he had the ability to do everything.
Sure.
That they would actually be like, hey, you have to lose today.
Like they would plan, right down to the minutest detail, like, you should lose by
five to ten seconds today just to give the other team a stage win as well as to avoid being too
dominant. Like, we're cheating so well that you have the ability to win every day, but please don't win
today because questions are already being asked and we want to avoid speculation as much as possible.
Yeah, it's suspicious if you win gold every single time, so let the guy pass you and
settle for a silver.
Exactly. So the Shimano shifters that are in question,
that neither of us seem to have,
used to be wired,
they have shifted to being wireless,
and they use a radio connection.
Correct.
So to execute this attack,
the hacker first has to intercept the target's gear shift signal.
In order to do this,
you can either use an about $1,500 software-defined radio
and an antenna and a laptop.
However, the research project revealed that a $350 HackRF,
like a smaller compressed version of that,
would do basically the same thing.
The reason you would do that is because that hardware setup can be miniaturized and potentially
just like hidden somewhere along a race sideline.
Maybe it's in a team car.
Could even potentially be on another rider with a little Raspberry Pi driving it.
That's a little bit more speculative.
You can either use a replay attack, which involves intercepting and replaying the target's
gear shift signal to control that bike's gears remotely.
Or you can just do like a big, broad jamming attack, which is easy,
and involves broadcasting a jamming signal at the frequency used by all Shimano shifters,
which would potentially disrupt multiple riders, except for one specific one.
That one seems easier to catch if it was actually used in context.
So these researchers, they do this big project.
They figure this out.
They presented it to the conference.
They contact Shimano back in March of this year,
and they started working with them to try and figure out a security patch before they presented this.
And Shimano released a firmware update to professional
cycling teams with a wider rollout expected later this month.
And that's just sort of locking down the security of the wireless system in these
Di2 shifters.
It's a fascinating story.
We have analog bikes, well, not entirely analog bikes, but largely analog bikes receiving
security updates to prevent that.
I think that like wireless shifting is probably, I don't know, I'm going to ballpark this,
but like eight years old it started to come out.
Okay.
So they saw it as largely like a process improvement.
The systems now are way more advanced than they used to be.
It's like you used to pull a cable, right?
Like I'm rebuilding a vintage Italian race bike right now.
And the derailleurs work by, like, you push on a lever.
It pulls a cable which literally physically pulls the derailleur,
which causes the chain to move to a different ring.
Like it's a very basic system.
Then they started to be like, well, what happens if we make this a digital connection?
So it's like I push a remote control and then that remote control causes the derailleur motor to be like,
oh, I need to move up a gear, and it moves the derailleur.
These systems have gotten much better over the last seven, eight years.
Like they actually will auto-align themselves and they, you know, they just do a bunch more functions that are amazing, and they're great.
And they're very expensive, which I should note. Like a top-end Shimano
groupset or a SRAM Red groupset, they're like $3,000 U.S. dollars just for the
derailleurs and brakes. Like it's not even the full bike and you're, you know,
over $3,000 in for a top-end one of these systems. So they're literally on every
professional's bike. Like I don't think you would have seen a single bike at this year's
Tour de France with an analog derailleur system on it. I would almost guarantee that.
Yeah. But at the end of the day, they are nothing more than a tiny little wireless remote control and a wireless, like a transmitter and receiver.
And it's like when I started to read about this hack like a week ago, all it makes me think is like old garage door openers.
Because old garage door openers that didn't have rolling codes in them, the new ones do now.
And you have to lock a transmitter into the receiver, the door opening unit.
You know, there's a bit more security in them than before.
But years ago, it was literally a bunch of little pin switches on the controller.
And you would adjust the pins on the controller and the pins on the receiver, so the transmitter and receiver matched.
And that was all the security.
So if you had a wireless radio device, you could listen for the signal and then just burp it back.
And it would pop the door again.
So just like they added rolling codes to those, I assume they've done rolling codes to this now.
I assume the firmware update is adding some form of rolling code or code consistency or, you know, serialization to make sure that whatever the transmitter is, it is sending the next code or the next shift, rather than allowing something to intercept it and do it itself, similar to a car key.
Shimano has, like, a smartphone app essentially that they're distributing this out through.
It's called E-Tube.
But very briefly, before we move on, I do have a question.
As a bike guy, what's the hypothetical here for a worst-case situation?
Just in terms of going up a hill versus down a hill, this gear versus this gear.
If you had to imagine a worst-case scenario, what situation, shifting from this gear to this gear, would cause the most potential harm?
Yeah.
What does that look like?
A couple things to talk about here.
One, most, like a single-day stage or a single-day classic, lots of these races are won by seconds.
Like the entire Tour de France might be won by minutes, but in a specific day, it's usually won by seconds.
So any kind of disruption could be very impactful.
It's the same as like breaking a chain, like having a technical in a bike race, like blowing a tire,
breaking a chain can be the difference between winning and losing.
Right.
The worst case scenario that I can think of for this,
and I don't know if you've ever watched any bike racing,
but a massive sprint finish where you've got...
Oh, sure.
50, 60 people hammering towards the finish line, 200, 300 meters out.
And if you were to drop someone's gears,
like take them from a super high gear to a super low gear,
essentially emulate breaking a chain. And if you're putting out 13,500 watts of power into your
crank and then all of a sudden your chain drops, you'd probably snap your derailleur off, honestly.
And it would cause you to crash. So if you're at the front of a 50 person pack sprinting for a
finish line and you go down, you could easily cause a collision, get run over by bikes.
You'd probably cause 20 people to get serious injuries at that point. Because they're often going
north of 70 kilometers an hour, like 50 miles an hour,
45 miles an hour.
I can't do the conversion that fast,
but substantial injuries would come out of that.
So worst case scenario for me would be somebody doing that in a major sprint finish
and just like ending a big chunk of the field, putting them on the deck.
Okay, final question on this story.
Is it possible to hack someone's Gatorade to give them gut rot so bad they poop themselves out of a win?
I think the idea of riding like the Tour de France, a 21-day stage race probably gives you gut rot no matter what.
This is true.
Especially if you have baguettes and wine and heroin.
If you're burning 7,000 calories a day, the amount of food and carbs that you're consuming and salt just to keep your body functioning, I assume comes with its own, you know, digestive challenges.
but hacking someone's Gatorade.
Go back to the beginning, you know what I mean?
Like take it back to the basics is what I'm proposing.
Poison people.
But with a new school spin.
Yeah, exactly.
Just poison them.
There's no good transition here.
We should probably talk about the national public data breach because that's a big one.
Yeah, that's a thing.
That's the thing that happened.
It's not our nation, but it is a nation, a big nation.
I think there was Canadian stuff in it, too.
Really?
Yeah, I'm not totally sure.
We've got to dig into this. So National Public Data, NPD, is a Florida-based consumer data broker. And over the last
couple of weeks it has come out that they experienced a significant data breach exposing the personal
information of hundreds of millions of Americans, including social security numbers, addresses,
phone numbers, and personal details. This breach goes back to December of last year, with the stolen
data being sold online by a cybercriminal named USDoD in April of this year. And by July, the data had
leaked publicly, affecting, the current number floating around is 272 million people. Yeah, that's wild.
This is a bad one here. Wait, I'm just going to go quick. The population of the U.S.A., it is 333 million,
so that is only 50 million off, or 60 million off, of the entire country. And to everyone who
zagged on this, I say congratulations. The one thing I will say is that apparently they've done a lot of
research into it and there are a lot of records for deceased people.
It's not 272 million active SSNs, but it is probably still a substantial amount of active SSNs.
Yes. The affected records include those of both living and deceased people. The average age of people,
and this suggests these being somewhat older documents, the average age is 70 years old.
There are records of people that are over 120, which to your point suggests not everyone in this leak is alive.
I was going to say it's bad. It's bad. It's not great. In a world where
having our identity stolen seems like it's just something that we expect and we're waiting for,
having a leak at this level with all of your personal information is just bad. Like,
I don't know what to say about it besides it's scary and bad, and that is a lot
of personal information with a lot of verifiable contact information and things like that.
So they did some spot checking, and I think they did 5,000 records and it was all
accurate. So bad. It speaks to, I think, if we're looking for a theme here, I think it underscores the
much larger issue of poor cybersecurity practices amongst data brokers, people who are collecting
and selling vast amounts of extremely sensitive personal information with basically no oversight or
protection. A sister site of NPD, of all of them, RecordsCheck.net, exposed usernames and
passwords for its backend database in a file named members.zip, which was accessible from its
homepage until basically yesterday, the time of recording.
Yeah, yeah.
It was actually yesterday.
Yeah, correct.
It was literally yesterday.
And that file contained plaintext usernames, passwords, and source code revealing that,
like, they're storing this stuff in plain text in some cases.
The breach for this is wild because, yeah, NPD, you know, obviously the data broker, they had a
secondary site, RecordsCheck.net, that allowed people to, I think, run basic records checks
against that data. And yeah, somehow, some way there was a members.zip file that included
creds. Some things that I've read say that the admin credentials were inside of that zip file,
which is mind-blowing. But other things that I've read is that they have a default password that
they assigned to all user records. So somebody just brute forced it with this
default password and got a majority of the accounts because most people don't take the time to
change the default password, assuming that it probably is unique. It was six characters long,
so had they known, they could have easily just brute forced it, but they didn't have
to because it was given to them literally out of a zip file on their website, right off the homepage,
which is wild. The breach was, so let's talk about some of the actors in this. USDOD was the one
who originally sold the stolen data online.
USDoD has claimed that the data has been circulating in underground markets since December of
2023, as we discussed.
Another hacker, SXUL, was also involved, but has since sort of vanished.
It's unclear where the lines are between those two different actors.
The other big character in all this is a guy named Salvatore Verini, who is the owner
and founder of NPD.
Salvatore is a retired sheriff's deputy from Broward County, Florida.
He has a background in acting and producing.
He has a couple other ventures, National Criminal Data LLC, Jericho Pictures, a film studio.
The thing that sort of pinged for me was that when this story came out,
NPD has publicly acknowledged the breach.
They haven't given any information, really, about what has occurred here.
Salvatore, who owns these several other businesses, didn't really provide comments other
than stating that the exposed archive was outdated and that he was just going to immediately
shut down RecordsCheck.net in light of this whole thing, which really paints a picture of a
business ecosystem, not to put it all on him, but where companies that deal in this data broker
space are just being sort of spun up and shut down pretty loosely. And this doesn't really
strike me as the kind of business that should be approached in that way. This isn't on him,
but I'll say generally in this space. I don't think being a data broker should be a side hustle.
I think this should be a pretty clear focused commitment and a business that you approach basically as like a cybersecurity first project.
Yeah.
It's all it.
It's the market, you know, I don't know what the answer is.
Like obviously this level of private data should only be held by, like, you'd hope, government bodies that have a cybersecurity-first kind of protocol,
the fact that it's not.
And this also applies to like credit score people.
Like I don't know if you've ever had to deal with the credit system.
I recently,
my phone number was attached to somebody else's credit profile.
So I was getting collections calls for something that I had nothing to do with,
for somebody that I have nothing to do with.
And I called these credit companies and I was like,
quit calling me.
And they're like, we can't.
Your number has been attached to this record.
We get the records from the credit brokers.
So if you want to have your number removed, you have to call them.
I called them and they don't have a process for this.
So it's, again, private companies doing this level of work with personal information.
And they have no accountability to the people.
They have no accountability to their business practices.
They can call and harass you perpetually.
And I was just like, I have no idea how we've lost the handle of this so badly as a society.
So this is the same thing.
It's like, why does this random little company that gets their software built out of, like, Pakistan have all of this personal information for all of these North Americans?
And it's like, and why are they allowed to just sell it to anybody who wants to buy it?
Like, the hack exposed it for free, but if you had money, they would have given it to you.
They would have sold it to you.
I think that's the really big part of this is that these companies are, who knows where it's being purchased from, some of it's public,
but now that this has been stolen and leaked,
it's widely available on cybercrime forums.
It's going to be used for identity theft and fraud for years.
And it's difficult to say what its genesis is, even if it wasn't the same place it's ended up.
This isn't the first of these incidents.
There's the 2019 breach of People Data Labs,
1.5 billion people around the world,
the 2023 breach of PeopleConnect.
This is an ongoing risk in just
a bummer business stream, for lack of a better word. Like this is a tricky one, but it's an
interesting story. We're going to keep an eye on it. Yeah, for sure, for sure. Bad, bad, bad. Bad given the
scale, bad given the information, bad given the impact that it's going to have. Like even if you can
imagine there's a hundred million real records, like hot live records in there, yeah, that's a hundred
million people that are now on super high alert for identity theft, you know, they're going to be
and potentially will have their identity stolen, and then the fallout of having to deal with
that, resolve that, rebuild your credit rating, whatever it looks like and how bad it gets.
So it's a terrible, terrible situation. Hate it. Not happy about it. You want to kick it over to
some advertising oasis, and then when we come back we can talk about using lasers to
hack microchips? Yeah, yeah, I'm in. You know, I love the ad oasis.
Zan. After our time in the desert, I could use no way.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just
couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations
from the ground up for a world where attackers are already using AI. They created the Aurora
Superintelligence platform, a fully agentic system powered by a swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
and the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate,
agents that respond at machine speed,
and hundreds more that automate the repetitive work
that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works
with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform
so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually looks like,
go to arcticwolf.com slash hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025, was nothing short of a record-breaking
year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned
defenses on their head. Organizations around the world saw headlines they never expected and
cybersecurity teams were tested like never before, but here's the thing. These incidents aren't just
news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live
webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and security
leaders are going to unpack not just what happened, but why these attacks succeeded. And most
importantly, what businesses can do to fortify their defenses before it's too late. You're going to
walk away with real insights into how threat actors are evolving, how defenders are responding,
and what strategies can help you stay ahead of the next big breach. It's not fear mongering. It's
practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com
slash hacked. So modern microchips, and boy is this more technical than I am, but I'm going to try my
best. I'm here for you. Modern microchips contain transistors that are so small that even a few
stray photons can alter the electrical charges representing binary data stored on them, the zeros and
the ones. Laser-based hacking exploits take advantage of this vulnerability by using a targeted
and very, very, very precisely timed laser blast to intentionally disrupt a chip's programming.
This technique is broadly called laser fault injection. In order to do this,
you're looking at a tool that costs in and around $150,000 US.
There's some budget versions for certain types of more local law enforcement that run around 10 grand.
The sort of Rolls-Royce is the Riscure laser station, which, as we said, costs about as much as a condo.
Or as a condo used to.
At Black Hat, hackers Sam Beaumont and
Larry "Patch" Trowell from NetSPI introduced this tool called RayV Lite.
And the goal of this is to take that technology, LFI, and to make it cheap and open source
enough that people can do it relatively affordably, bringing this technique from large well-funded
entities to a much larger audience.
Beaumont and Trowell built the RayV Lite for under $500, utilizing 3D printing, components that are
available kind of at commodity-level scale,
and some pretty wacky physics tricks.
This whole thing has a real mad science quality to it,
which is why I wanted to talk about it.
And the goal of this project is to show that this laser-based exploit
that was previously very inaccessible to most people
is a lot more feasible than hardware designers and hackers used to think.
Let's, I think before we get into the madness,
let's talk about maybe what this can be used for
because there's madness here.
and it's highly, like, it's madness that requires high levels of expertise and traditionally
very expensive equipment. But it's like just what can it be used for and why would it be used?
I think it's a great kickoff to this because it is madness. I'll jump in and say that chips
are just a bunch of binary gates, right? That's all they do. They run zeros and ones. They run
them through a bunch of logic operations and they output zeros and ones. Trues or falses. That's it.
That's all the chip does.
So interrupting a chip during an execution of some of this logic code,
trues and falses running through logical chains to figure out whether it's true or false,
typically would just cause a segfault or like would typically cause just a program failure potentially,
or a gate to come back as false when it should have been true in like an if statement in the code or, you know, whatever.
It's looking at adjusting the outcome of that true/false check.
So it really comes down to the use case of when you want to use it.
So like one of the things that they were talking about in their presentation, I think, was Bitcoin secure keys and secure wallets.
So when they do the verification check against, you know, whatever code you've typed in to unlock it,
if they can hit it at the exact right time, which again requires high levels of precision, high levels of experience,
it might be able to get it to send back a true
when it should have been a false.
So like, is this the exact code?
Here's the zeros and ones running through the chip.
We hit it with the laser.
All of a sudden it returns true
when it should have been false.
So it's very unique use cases
of essentially tricking and glitching a chip's process
for a specific reason at a very specific time.
Very complicated, but also used to
be very hard to do and was very financially inaccessible. Now we can talk about the madness.
I mean, you kind of covered a lot of the madness. I think the interesting part of this is this
sort of history of taking really advanced hacking tools that are very, very inaccessible.
And things like the ChipWhisperer and the HackRF, which made electromagnetic and radio-based
hacking a lot cheaper and more accessible, taking that same technology and almost as an experiment,
like figuring out what can be done using off the shelf parts.
3D printable microscope models and just sort of like mad science hacking the whole thing together.
Is it necessarily a great thing that this specific type of technology is more accessible?
TBD.
But it is certainly fascinating that you can reproduce a lot of the functionality of a six-figure item using off-the-shelf parts.
Yeah.
And the other thing too is like there are a few ways to glitch a chip.
You know, I think one way is you can
mess with the power, the clock, the frequency of the power going into it, which will cause
the chip to kind of glitch a bit. So that's one way. The other way, as you mentioned, was
electromagnetic. So, you know, we've seen that and, you know, Hollywood loves that one. Yep. And then
you can physically touch the chip. It's called body-biasing fault injection, which essentially
you're reversing the bias on the chip substrate and it causes the signal to like flip. So
there's a few different ways, and then there's laser fault injection. And again, all of these
pretty much require insane levels of expertise and knowledge of what you're doing,
especially given that these chips now, like modern chips, you'd mentioned it in the intro to this,
the size of the transistors in them has gotten so small. Like we're talking, like I think the modern
production, like if I'm not mistaken, I think the new Macs are using four nanometers, is that right?
But like going up to like Intel who are still producing old school chips at like 10 and above nanometers.
So it's like the these transistors are so tiny that when you glitch them,
you probably have a higher likelihood of ruining the chip than you do at actually successfully executing the hack
unless you know exactly what you're doing.
So I think this is again another barrier to entry of like not a
lot of people do this because it might just destroy their chips. So it's like you want to try and do
this to a hundred dollar Bitcoin wallet and it destroys it like instantly. Yeah. I'm reminded of a year or two
ago we did an episode where we talked with Joe Grand. He's a hardware hacker who had been
contacted by someone with a Bitcoin wallet with a bunch of money on it trying to get into it
without the password. And he was dealing with that exact same thing. And it was if I remember right,
a bit flip-based compromise he was going after.
And the big sort of looming threat was that, like,
I have the ability to just vanish millions of dollars if I do this wrong.
Like, it's an extremely high-stakes operation at that point.
You do have the ability to circumvent sort of the final barrier of defense using this technique,
but you also have the ability to fry the whole operation, and with it a bunch of money.
Yeah.
The way that this, the thing that made the 150K one expensive,
a lot of it had to do with these industrial grade incredibly precise lasers.
That was the sort of like the heart of that whole thing.
And the big innovation here was the use of a much lower cost laser that they could get the same effect out of by operating it over a slightly longer time interval,
which as like media creators I found fascinating because it sort of functioned a little bit like using a longer exposure in photography.
Like they just sort of mucked with how long the laser was on for and were able to reproduce a similar effect.
So it's a very neat kind of project.
You know, $100 for this like RayV Lite, like little lens that they're using,
the FPGA chip for timing and then a $68 Raspberry Pi.
This is not something most people could or would ever build.
It's a research project, but it's a fascinating little piece of hack together, DIY tech.
Yeah, and like as a photographer, you'd know that like the cameras are actually almost the secondary cost.
The lenses are what cost so much.
That's the difference between a high quality and a low quality laser.
You can buy a laser pointer at the convenience store for like $6.99.
But to get one that's got a good lens array that causes it to be hyper-precise
and exactly in the range that you want it, that's where the money comes in.
So the fact that they found a way to do that with essentially cheap consumer parts is amazing.
Speaking of cheap ways to do things that used to take a lot more money to do,
let's talk about what AI is up to.
Thank you for making that transition because I didn't know how to do it.
I was lost in the sauce of laser hacking.
And now we should probably talk about Copilot.
This is another thing that came out of Black Hat, the big security conference that precedes
DefCon.
So Copilot AI, which is integrated into Microsoft 365, it's in Word, it's in Outlook,
it's in Teams chats.
And very, very importantly, it's in your emails in the form of Outlook.
And this project by researcher Michael Bargury was to sort of present five proof-of-concept attacks using Copilot.
The long and short of this basically is that if you manage to get a hold of someone's email running Copilot inside of it,
Copilot functions as like an accelerant on an automated spear-phishing tool.
This AI tool that can send out a bunch of emails, mimic the victim's writing,
mirror their emoji use, meme references.
It's so perfectly customized for sending out phishing emails to all of their contacts,
which are again in the emails with malicious links at scale.
It is not itself a compromise.
It doesn't give a person a way into it.
But it does mean that in a very short period of time with the account,
the amount of harm a person could do with someone else's email is drastically accelerated.
Yeah, AI is great at reading and replicating.
So this is no surprise.
Microsoft did reply to this.
Phillip Misner, the head of AI incident detection at Microsoft,
like in response to Bargury's findings,
has stated that Microsoft is working on a fix of some sort.
Misner emphasized that the risks of AI abuse post-compromise
are similar to other post-compromise techniques.
At the end of the day, if someone gets into your email,
they're going to be able to do a lot of harm.
All these tools really do is allow you to do harm a little bit faster in the exact same way
that these tools allow you to do your job with your email a little bit faster.
Whatever it is you're trying to do with someone's email account, yours or someone else's,
these tools are just going to accelerate that.
Yeah.
This isn't necessarily a point against these tools, but it is an interesting shift in how we
think about the amount of time someone has with someone else's account.
Oh, they only had it for five minutes before I was able to get
them out and switch the password.
What can you do in five minutes, and shift it just a little bit?
The other thing, too, is like, I hate to say it, but I think people's natural defense
against phishing attacks is language.
Like when I receive an email that looks super credible, but the second I spot a glaring
flaw in the grammar and the word choice, it immediately raises a red flag for me.
Yeah, it's like, bing.
And then I do the investigation.
I dig into the email headers.
see, oh, this is actually a phishing attack. So like some of the best phishing attacks I've ever
gotten look and sound just like perfect regular emails. And yeah, this is one of those ways
where they're going to bypass people's inherent, like this looks out of place, like that little
checkpoint that we all have. And again, you can't fault AI for it. It's just doing the best job it can.
But at the same time it's like we almost need a solution.
What this is going to cause is an innovation in the anti-phishing space.
I think that so many solutions to this,
and I've been seeing people comment this every time they see, you know,
a new real-time deep fake technique is that,
wow, we're really going to need to start shifting back to keyword-based,
like interpersonal security,
where it's just like before I talk to you,
you know that I'm going to say the word butterfly.
And that's our keyword.
It's like a very, it's like, wow, that's a really big shift in how we talk to one another.
But I think that the first layer defense is tonal.
Before someone uses the word, the way they talk is their first line of defense.
If you send me an email and it's weirdly formal and stilted, I'm going to think about that a little differently than if it sounds like you.
And these tools, as a matter of convenience, try to imitate tone.
So that sort of first barrier that we all rely on, even if we don't realize we're doing it, doesn't totally work as well if a person can just sort of grab a handful of your correspondence and match your tone perfectly.
You're not wrong.
Yeah.
The great.
Good stuff.
I think we're pretty close to wrapping up.
I had two little things that just came across my desk.
They have nothing to do with our beat.
Though the first one is, there's some strenuous connections.
Have you been following what's going on in chess cheating?
Not since the whole anal beads thing.
Is there more to know?
Very, very briefly.
This isn't a whole story.
And as far as I'm concerned, the whole beads allegation turned chess cheating into a tech story.
No, it was just that a chess player was poisoned.
After, so this is an alleged poisoning.
Amina Abakarova, a Russian chess player, is in the middle of another cheating scandal and has been accused of attempting to poison her opponent, a woman named Umayganat Osmanova, during a chess tournament earlier this month.
She started to feel unwell after playing at a specific board.
However, Amina was able to finish the game,
and the allegation here is that she used mercury,
put it on the opponent's pieces prior to the game,
pulled from a broken thermometer.
This was captured on video footage of someone,
purportedly a dark-haired woman like her,
going up to the chessboard,
tinkering with the chess pieces on the opponent's side,
after which, during the game,
the opponent who was touching the pieces
on the contaminated board started to feel unwell,
got sick,
mercury poisoning.
After the incident, the Russian Chess Federation took action.
They temporarily suspended Abakarova from official competition.
This is all pending further investigation.
But just like, I just want to know what the heck is going on in chess, cycling, all
of the, like, what are we doing here?
This is nuts.
Mario speed runs.
Nothing is safe.
Nothing is safe.
Yeah, Minecraft.
It's all over.
That is not really hacking,
just like attempted murder.
Nope.
It's just poisoning people.
It has nothing to do with our beat.
But it does tie
nicely back to the bicycling story
and we have talked about chess cheating in the past.
So I guess if
everybody's always looking for a way
to win, people like winning.
Winning feels good.
And as cycling has shown us,
you know, essentially the equivalent
of organized crime can be organized cheating,
large-scale, massive, sophisticated cheating,
be it through doping or whatever.
And this,
you know, cheating in video games,
cheating in real-life games, this is,
you know, if somebody tried to kill me
while I was playing against them in an online multiplayer
video game, I would be very shocked.
But the same goes where it's like I've been
DDoSed off the internet.
Like there's been times where I'll be in the middle of a game
and like winning an engagement,
and all of a sudden, I get kicked off the internet.
Like, sure.
The cheats are, people love cheating.
People love to feel like they're the best at something, even when they're not, you know?
And in a weird way, this story brings the episode full circle.
Because we began in 1903 with someone being handed a spiked bottle of lemonade.
And we arrive in 2024 with someone being handed a spiked pawn.
There you go.
There you go.
We got back.
This has been a fun one.
It's been a strange one.
I'm into it.
We're back from Vegas.
We're back in the hot seat.
And on that, take care, everyone, and we'll catch you in the next one.
