DEFCON Kids: Hacking roller coasters and the power grid with cell phones

When you think about hacking conferences with about 15,000 hackers attending, 8-year-old kids might not be your first thought. Yet Def Con Kids was so amazing that I cannot encourage you enough to enroll your kids next year.

During the “Top Secret Keynote,” NSA Chief General Keith Alexander, who called Def Con the “world’s best cybersecurity community,” congratulated the organizers of Def Con Kids for teaching future white hats. It wasn’t yawnsville for kids either; one parent told me that her 16-year-old son wasn’t too much of a geek, wasn’t sure he wanted to attend, but found then she couldn’t get him to take a break even for lunch.

Kids were taught how to find zero-day exploits, how to social engineer, lockpicking, about drones, hardware hacking and soldering, and analyzing digital forensics such as at the DoD crime scene investigation. Cory Doctorow delivered a talk about “hacking your school network;” no, it’s not about changing grades, but about finding vulnerabilities and other security risks that need to be reported and fixed. That’s just a tiny snapshot of what the kids did at Def Con; there was 3D printing as well as learning about the law and digital rights from the EFF. The kids also attended “field trips” to see Def Con 20 speakers, including balancing out the NSA talk with the ACLU’s “Bigger Monster, Weaker Chains: The NSA and the Constitution.”

I sat in on one very cool Def Con Kids presentation by security researcher Don Bailey. It was called “Hacking roller coasters and the power grid with cell phones.” And no, the intentions were not to make a coaster go off the tracks, but perhaps to manipulate the coaster to stop on the edge of a steep drop or maybe to hang upside during a loop.

“I hack cars, phones, GPS; I’ll hack anything,” he said. You might recall Bailey’s Black Hat 2010 Carmen San Diego Project [PDF] [video]. At Black Hat 2011, Bailey presented “War Texting: Identifying and Interacting with Devices on the Telephone Network,” [PDF] which told how he sent an SMS over the cell network to unlock a car and start the engine; basically he managed to steal a car with a text message.

Bailey explained to the kids, “The biggest issue is what you can do with this, it can fix problems, even save lives.” Machine-to-machine technology (M2M) is growing and building the Internet of Things. It involves “taking legacy security systems and putting an Internet controller on it and making it accessible from the net.”

He gave great advice to these young roller coaster hackers, wisdom for any security researcher. There are three questions, methodology, that you must ask yourself before starting any security project. 1) How are they made? 2) How are they managed? (Can they be remotely managed?) 3) What standards are in place? Are these engineering standards? Once you know how it has been standardized, then you can get a list of those standards and how things generally work . . . then that helps to think what weakness might be used to exploit this.

In the case of roller coasters, they are managed using sensors for monitoring, Programmable Logic Controllers (PLC) for control, a central panel for management, and computers for administration. In SCADA for the power grid, PLC is hardware managing hardware, interfaced with computers which run through a management unit.

Like all face-palm objects connected to the Internet, think chemical or nuclear plants, roller coasters are a part of the Internet of Things and are also hooked to the net. That means we don’t need to just worry about the operators running the coasters, but anyone can do it, even over cellular systems since they are online and accessible worldwide for Remote Management.

Bailey explained how to do the research, where to find information and “standardized” diagrams, datasheets that always define what protocol is used, and about real-time protocol Fieldbus devices connected online via the Ethernet. Although there are numerous different communication “languages” (CAN bus, MODBus, INTERBUS) they must all go through interoperability, meaning all they must go through one that talks all languages.

After explaining that the NSA was sponsoring “this event” about how to manipulate roller coasters via a smartphone, Bailey pointed out that this was exactly how, over a cell connection, he was able to interact with machines that talk to CAN bus and those talked to cars.

What kid, or kid at heart, wouldn’t want to know how to hack roller coasters and the power grid with cell phones? It was great! A wise person would bring their kids to Def Con next year.