Hacking Bicycles + DIY Laser Exploits + the National Public Data Breach
TL;DR: Researchers from UC San Diego and Northeastern found they could remotely hijack Shimano Di2 wireless gear shifters using ~$350 hardware. The episode also covers laser chip exploits, AI phishing, and the National Public Data breach.
You can do a lot of damage by changing someone's bike gear at the wrong time. A collection of stories, including a DIY laser mad science project that aims to replicate a $150,000 piece of equipment, and one of the largest leaks of US Social Security numbers.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: The history of cheating in professional cycling is long and weird. It starts with the first Tour de France in 1903, when the odds-on favorite, a guy named Hippolyte Aucouturier, fell out of the race due to food poisoning. It was later figured out that he was the victim of a spiked bottle of lemonade that was handed to him by a spectator. Hippolyte was radicalized by the experience, came back the next year with a Looney Tunes scheme for his own cheating that involved him being towed by a car by a string tied to a cork that he gripped between his teeth. Hippolyte almost got away with it.
Speaker 2: Seems so ridiculous. I know.
Speaker 1: People have cheated at cycling using itching powder. They've done fake route signage to trick opponents. In the modern era, the catchall term for putting performance-enhancing drugs into the body of the cyclist is doping. The most famous case of which was Lance Armstrong, who managed to avoid testing positive for doping for the duration of his 1999 to 2005 Tour de France reign. Now, by all accounts, since that giant public embarrassment for the sport, there has been an increased effort to stop doping. It's not perfect, but my sense of the general consensus is that it has gotten better. And as such, migration has occurred, at least in part, from messing with the body of the biker to the body of the bike. This new chapter is called motor doping. And to put it bluntly, it's taking a bicycle and slamming a secret motor somewhere inside of it. The Union Cycliste Internationale, the international governing body of cycling, puts that into its own whole category they call technological fraud, which is relevant in where this is going. Concerns started in 2010. There were some rumors in 2014 when a cyclist crashed and his wheel popped off and kept moving in a very suspicious way that may or may not have defied physics. But the first confirmed case was in 2016 at the Cyclocross World Championships, when a cyclist named Femke Van den Driessche was caught. There's a great podcast about it called Ghost in the Machine if you're interested in learning about that. But, where this is all going. If we pay attention to our history, the evolution of bike cheating has kind of gone: mucking with your opponent's body, to mucking with your body, to mucking with your bike. And for it to go all the way full circle, we kinda have to ask, what if you could muck with your opponent's bike?
On this episode of Hacked, we are talking about a bunch of stuff, including an attack developed by two researchers in The US who figured out that the gear shifters of very high end bicycles, many of which are electronic, can be spoofed, and that with some pretty affordable equipment, they could remotely shift the gears of a target's bicycle, creating all sorts of potential trouble. We're talking about using off the shelf lasers to hack microchips, how AI in your email makes phishing even easier, and a very big, very good old fashioned data breach of a data broker with some very bad implications. All of that and more on this episode of hacked.
Speaker 2: Hey, Jordan. How are you doing?
Speaker 1: I'm doing good, man. I'm doing good. Okay. We're back. We're back on home turf.
Speaker 2: We're back.
Speaker 1: Post Vegas.
Speaker 2: Post Vegas. I I've got I think last night was my best night's sleep after getting back from Vegas. So I'm feeling fully recovered. I feel good, which is a nice feeling.
Speaker 1: Yes. It took a bit for me to recover as well. It was, like, partway through the week, I finally started feeling heat again.
Speaker 2: The I think there's an interesting thing you're gonna learn about me here is that Shoot. I'm kind of an obsessive fan about cycling.
Speaker 1: Hell, yes. Perfect.
Speaker 2: I don't know if you knew that about me. So so that so the intro story is gonna there's gonna be some interesting tidbits coming up from this one because I love cycling and I had love watching it. I love doing it. Yeah. It is it is one of my primary hobbies, if not my most primary hobby.
Speaker 1: I've I've I've seen some of your bikes. I I had a feeling that's where it was going. And I was curious. Do you happen to own any, I wanna make sure I get this right, Shimano Di2 wireless gear shifters?
Speaker 2: No. I do not own a Shimano Di2, but I do have a SRAM RED eTap, which is one of the competitive products, which is very similar.
Speaker 1: There you go. Well, no one's hacking your bike yet. Maybe. We'll see.
Speaker 2: Only me. Only me.
Speaker 1: Only you by putting a motor in it.
Speaker 2: Yeah. Well, I have an e bike as well. So there's I I have paid money for a bike that has a motor in it, and they're amazing. I, I avoided getting a mountain bike e bike for a long time, and I picked one up last summer. And, oh my god. I have one of the super light ones, like not one of the big. They're the the full size e bikes are actually called full fat, which is hilarious because, you know, there's like a stereotype about the people that ride them being heavier. So it's like, it's kind of a weird name to give it, but but, I have a super light one and and just the ability to push a little button and get a little bit of motor assistance when you're, like, starting to burn out on a big climb or something like that is amazing. They're an amazing scientific evolution that has made cycling and long, like long duration cycling more accessible to the every person. It's I love it. I think it's great. I am very excited by the entire industry and where they're going, and I'm happy to see it. So
Speaker 1: Yeah. I'm I'm a prairie boy that moved to a hilly place, and I I go I shop for one, like, once a month. I just go clicking around, put one in a cart, never fully commit. Yeah. The reason we're talking about bikes is because two researchers, one from UC San Diego and one from Northeastern University, presented a technique at the USENIX Workshop on Offensive Technologies. And the thrust of it is that they've developed an attack that allows for spoofing the signals of a Shimano Di2 wireless gear shifter, which is used by top cycling teams, including in events like the Olympics and the Tour de France (Mhmm), from up to 30 feet away. Using this attack, they could cause the targeted bike to shift gears unexpectedly or even lock into the wrong gear. In the context of a race, this would cause significant disruptions. It could cause a rider to lose time during a climb. It could even cause them to crash during a sprint. I'm not a massive cyclist, but even I can appreciate that having someone go whoopsie doodle on the gear that you're using at the exact wrong moment could be pretty devastating. In the same way that handing someone a bottle of spiked lemonade that gives them food poisoning would be pretty devastating.
Speaker 2: Well, the I don't know where we wanna start here because I got some great anecdotes about, like, classic Tour de France riders. So there there was the let's let's start there. Let's let's go back in time.
Speaker 1: Sure.
Speaker 2: So, allegedly, back in the day, the original, like, kind of, I can't remember the exact days or years, but smoking and drinking were, like, respectable things to do when you were a Tour de France rider. So you're on this, like, twenty-one day, like, 3,000 to 4,000 kilometer, you know, stage race. And it's not uncommon to see photos of people, like, riding together, passing around bottles of wine, or, like, you know, they finish a race and they're smoking cigars. It's just such a shocking difference from today's, you know, pro cyclist. You see them and they're like
Speaker 1: Sure.
Speaker 2: Like like emaciated
Speaker 1: Physical properties. Yeah. Yeah.
Speaker 2: Like, they're like, their body is so configured to the sport. And, rumor has it that back in the day they would frequently take blends of heroin for the pain and cocaine for the energy as Part of their like daily supplements. It's like, hey. Wow. You know what? Yeah. Yeah. So aside from drinking and smoking, they were also doing cocaine and taking, you know, opioids to deal with the fact that their body did not like what they were up to. So it's a rumor has it.
Speaker 1: Yeah. Mixing uppers and downers is like a famously cool and healthy and survivable thing to do, and then making your heart go like a trillion miles per hour on a bike. Good lord.
Speaker 2: Well, so the, Lance Armstrong, obviously, one of the biggest, like, most well known cases just given his dominance in it. But two of Lance Armstrong's biggest rivals, Marco Pantani, Italian gentleman, and Jan Ullrich, German, were both also subsequently charged by the UCI with doping. Marco Pantani actually died at, like, 34 from a cocaine overdose mixed with his doping thing, and he passed away sad. He's, like, an Italian legend in the sport of cycling. And and, but yeah. So it's it's I would say cheating and cycling go hand in hand.
Speaker 1: Yeah. That was my sense of it from just trying to even get up to speed on the whole thing. I thought, okay. I'm gonna start at Lance Armstrong and work my way forward, which brought me through motor doping, which is a big story right now. And then the second you look into that, you realize, oh, Lance Armstrong is part of a long and proud lineage of, caring a ton about cycling, but not so much that you don't cheat. It's fascinating.
Speaker 2: I I think it's it's like we talked about this in the video game cheating thing, but it's like if you start to believe that everybody else is cheating, the only way to be competitive is to cheat. And I feel like this is one of those sports that had this revolution early on. Like, there's just so many people, like, even this year, like, you know, they've been making huge strides and, you know, the Olympics just finished and there's so much speculation about the Chinese swim team and all the rest of this stuff And even known dopers, like Lance Armstrong, who has a podcast and talks about cycling, they're talking about the winner of this year's Tour de France and some of the ungodly feats that he managed to do, not to mention the fact that he'd had just won the Giro d'Italia, which is another major stage race just weeks before coming to the Tour de France. So normally, cyclists bodies wouldn't recover fast enough to do this. And he managed to come back and do all these feats, and they were just like, well, this starts to make you ask questions about, you know, what is possible and what is not possible. Like, how are how are how is he recovering so fast and and all this stuff. So there's there's even speculation in today's cycling that people are still, you know, enhancing. Yeah. I'm reading about Lance and how the, you know, RadioShack team, RadioShack, and and all of Lance's old teams, how they cheated is nuts. Like, they used to do full blood transfusions and stuff in the middle of the night. So they would replace worn out broken blood with ultra platelet rich thick blood, and their heartbeats would get or their, like, resting heart rates would get down so low that they would almost go into cardiac arrest that they'd have to be woken up in the middle of the night and get on a bike and sit on a trainer for an hour just to raise their heart rate enough that they wouldn't die. Jesus. Anyway, I can
Speaker 1: Lance, you were dead, but we need you to do a race really good right now.
Speaker 2: Well, even even actually the I watched a recent episode. Sorry. We're total tangent land here, but watched a recent episode
Speaker 1: of Lance. I I did this to us. It's fine.
Speaker 2: To us. The I've watched a recent episode of Lance's podcast, and he had his old team manager on or his old physical somebody that was involved in his doping. Yeah. And they were talking about how they would sit down and plan how how much performance he would show that day as a political thing to make people not assume he was doping because he had so much energy in the tank, and he has the ability to do everything. Sure. They would actually be like, hey, you have to lose today. Like, they would plan they would plan, like, you know, right down to the minutiae detail of, like, you should lose by, like, five to ten seconds today just to give the other team a stage win as well as like avoid being too dominant like we're cheating so well that you have the ability to win every day, but please don't win today because questions are already being asked, and we want to avoid speculation as much as possible.
Speaker 1: Yeah. It's suspicious if you win gold every single time, so let the guy pass you and, settle for a silver. Exactly. So the Shimano shifters that are in question here, that neither of us seem to have, are they used to be wired. They have shift to being wireless, and they use a radio connection.
Speaker 2: Correct.
Speaker 1: So to execute this attack, the hacker first has to intercept the target's gear shift signal. In order to do this, you can either use a roughly $1,500 software-defined radio and an antenna and a laptop. However, the research project revealed that a $350 HackRF, like a smaller compressed version of that, would do basically the same thing. The reason you would do that is because that hardware setup can be miniaturized and potentially just, like, hidden somewhere along a race sideline. Maybe it's in a team car. Could even potentially be on another rider with a little Raspberry Pi driving it, though that's a little bit more speculative. You can either use a replay attack, which involves intercepting and replaying the target's gear shift signal to control that bike's gears remotely, or you can just do, like, a big broad jamming attack, which is easier and involves broadcasting a jamming signal at the frequency used by all Shimano shifters, which would potentially disrupt multiple riders except for one specific one. That one seems easier to catch if it was actually used in context. So these researchers, they do this big project. They figure this out. They present it at the conference. They contacted Shimano back in March of this year, and they started working with them to try and figure out a security patch before they presented this. And Shimano released a firmware update to professional cycling teams with a wider rollout expected later this month, and that's just sort of locking down the security of the wireless system in these Di2 shifters. It's a fascinating story. We have analog bikes, well, not entirely analog bikes, but largely analog bikes, receiving security updates to prevent hacking. I think that, like,
Speaker 2: wire like, wireless shifting is probably I don't know. I'm gonna ballpark this, but, like, eight years old, it started to come out.
Speaker 3: Okay.
Speaker 2: So they they saw it as largely, like, a process improvement. The the the systems now are way more advanced than they used to be before. It's like you used to pull a cable. Right? Like, I've I'm rebuilding a vintage Italian race bike right now, and the the derailleurs work by, like, you push on a lever, it pulls a cable, which literally physically pulls the derailleur, which causes the chain to move to a different ring. Like, it's a very basic system. Then they started to be like, well, what happens if we make this a digital connection? So it's like I push a remote control, and then that remote control causes the derailleur motor to be like, oh, I need to move up a gear, and it moves the derailleur. These systems have gotten much better over the last seven, eight years. Like, they actually will auto-align themselves, and they, you know, they just do a bunch more functions, which is amazing, and they're great, and they're very expensive, which I should note. Like, a Shimano groupset of the top end or a SRAM RED groupset, they're like 3,000 US dollars just for the derailleurs and brakes. Like, it's not even the full bike, and you're, like, you know, over $3,000 in for a top-end one of these systems. So they're literally on every professional's bike. Like, I don't think you would have seen a single bike at this year's Tour de France with an analog derailleur system on it. I would almost guarantee that. Yeah. But at the end of the day, they are nothing more than a tiny little wireless remote control and a wireless, like, a transmitter and receiver. And it's like when I when you when I started to read about this hack, like, a week ago, all it makes me think is, like, old garage door openers.
Because because old garage door openers that didn't have rolling codes in them (the new ones do now, and you have to, like, lock a transmitter into the receiver, the door-opening unit, you know, there's a bit more security in them), but years ago, it was literally a bunch of little pin switches on the controller, and you would adjust the pins on the controller and the pins on the receiver, so the transmitter and receiver. And that was all the security. So if you had a wireless radio device, you could listen for the signal and then burp it back, and it would pop the door again. So just just like they added rolling codes to those, I assume they've done rolling codes to this now. I assume the firmware update is adding some form of, you know, rolling code or code consistency or or, you know, serialization to make sure that whatever the transmitter is is sending the next code in, or the next shift in rather, than allowing something to intercept it and do it itself, similar to a car key.
Speaker 1: Shimano has a, like, a smartphone app essentially that they're distributing this out through. It's called E-TUBE. But very briefly, before we move on, I do have a question. As a as a bike guy, like, what's the hypothetical here for a worst case situation? Just in terms of going up a hill versus down a hill, this gear versus this gear, what is, if you had to imagine a worst case scenario, this situation, shifting from this gear to this gear, would cause the most potential harm. Yeah. What does that look like?
Speaker 2: Couple things to talk about here. One, most like, a single day stage or a single day classic. Lots of these races are won by seconds. Like a day like, the the entire Tour de France might be won by minutes, but, like, the in a specific day, it's usually won by seconds. So any kind of disruption causes, you know, could be very impactful. It's the same as like breaking a chain, like having a technical in a bike race, like blowing a tire or breaking a chain can be the difference between winning and losing. Right. The worst case scenario that I can think of for this, and I don't know if you've ever watched any bike racing, but a massive sprint finish where you've got Oh, sure. Fifty, sixty people hammering towards the finish line 200, 300 meters out. And if you were to drop someone's gears, like like, take them from a super high gear to a super low gear, it would essentially emulate
Speaker 1: Yeah. Right.
Speaker 2: Breaking a chain. And if you're putting out 1,300, 1,500 watts of power into your crank, and then all of a sudden your chain drops, you'd probably snap your derailleur off, honestly. And it would cause you to crash. So if you're at the front of a 50 person pack sprinting for a finish line and you go down, you could easily cause a collision, get run over by bikes. You'd probably cause twenty people to get serious injuries at that point because they're often going north of 70 kilometers an hour, like 50 miles an hour (Jesus), 45 miles an hour. I don't I can't do the conversion that fast, but, but substantial injuries would come into that. So worst case scenario for me would be somebody doing that in a major sprint finish and just, like, ending a big chunk of the field, putting them on the deck. So
Speaker 1: k. Final question on this story.
Speaker 3: K.
Speaker 1: Is it possible to hack someone's Gatorade to to give them gut rot so bad they poop themselves out of a win?
Speaker 2: I think the idea of riding like the Tour de France at twenty one day stage race probably gives you gut rot no matter what. If you're if you're burning
Speaker 3: Especially
Speaker 1: if you have baguettes and wine and heroin.
Speaker 2: If if you're burning 7,000 calories a day, the amount of food and carbs that you're consuming and salts just to to keep your body functioning, I assume comes with its own, you know, digestive challenges. But hacking someone's Gatorade?
Speaker 1: Go back to the beginning. You know what I mean? Like, take it back to the basics is what I'm proposing.
Speaker 2: Poison people.
Speaker 1: But with a new school spin. Yeah. Exactly. Just poison them. There's no good transition here. We should probably talk about the national public data breach because that's a big Yeah.
Speaker 2: That's a thing. That's the thing that happened. It's not our nation, but it is a nation, a big nation.
Speaker 1: I think there was Canadian stuff in it
Speaker 2: too. Really?
Speaker 1: Yeah. I'm not totally sure. I we we gotta we gotta dig into this. So National Public Data, NPD, is a Florida based consumer data broker.
Speaker 2: Mhmm. And
Speaker 1: over the last, like, couple weeks has come out that they experienced a significant data breach exposing the personal information of hundreds of millions of Americans, including Social Security numbers, addresses, phone numbers, and personal details. This breach goes back to December of last year, with the stolen data being sold online by a cybercriminal named USDOD in April of this year. And by July, the data had leaked publicly affecting the current number floating around is 272,000,000 people. Yeah. That's wild. This is a is a bad one.
Speaker 2: Here, wait. I'm just gonna go quick the population of The USA. It is 333,000,000. So that is only 50,000,000 off of or 60,000,000 off of the entire country.
Speaker 1: And to everyone who's egged on this, I say congratulations.
Speaker 2: The the one thing I will say is that apparently they've done a lot of research into it, and there are a lot of records for deceased people. So it's not 272,000,000 active SSNs, but it is probably still a substantial amount of active SSNs.
Speaker 1: The affected records include those of both living and deceased people. The average age of people, and this suggests these being somewhat older documents, the average age is 70 years old. There are records of people that are over 120, which to your point suggests not everyone in this leak is alive.
Speaker 2: I was gonna say it's bad. It's bad. It's not it's not great. In a in a world where having your identity stolen seems like it's just something that we expect and we're waiting for. Having a leak at this level with all of your personal information is just bad. Like they're I don't know. I don't know what to say about it besides it's scary and bad, and that is a lot of personal information with a lot of verifiable contact information and and things like that. So they did they did some spot checking, and I think they did 5,000 records, and it was all accurate. So bad.
Speaker 1: Speaks to, I think, if we're looking for a theme here, I think it underscores the much larger issue of poor cybersecurity practices amongst data brokers, people who are collecting and selling vast amounts of extremely sensitive personal information with basically no oversight or protection. A sister site of NPD, involved with them, recordscheck.net, exposed usernames and passwords for its back end database in a file named members.zip, which was accessible from its home page until August of, like, until basically yesterday, the time of recording.
Speaker 2: Yeah. Yeah. It was actually yesterday. Yep. Correct.
Speaker 1: It was literally yesterday, and that file contained plain text usernames, passwords, and source code revealing that, like, they're they're storing this stuff in plain text in some cases.
Speaker 2: The breach for this is is wild because, yeah, NPD, you know, obviously, the data broker, they had a secondary site, recordscheck.net, that allowed people to, I think, run basic records checks against that data. And, yeah, somehow, some way, there was a members.zip file that included creds. Like, some some things that I've read say that the admin credentials were inside of that zip file, which is mind blowing. But other things that I've other things that I've read is that they have a default password that they assigned to all user records. So somebody just brute forced it with this default password and got a majority of the accounts because most people don't take the time to change the default password, assuming that it probably is unique. It was six characters long, so they could have, had they known, they could've easily just brute-forced it. But they didn't have to because it was given to them literally out of a zip file on their website, right off the home page, which is wild.
Speaker 1: The breach was, so let's talk about some of the actors in this. USDOD was the one who originally sold the stolen data online. USDOD has claimed that the data has been circulating in underground markets since December 2023, as we discussed. Another hacker, SXUL, was also involved, but has since sort of vanished. It's unclear where the lines are between those two different actors. The, other big character in all this is a guy named Salvatore Verini, who is the, owner and founder of NPD. Mhmm. Salvatore is a retired sheriff's deputy from Broward County, Florida. He has a background in acting and producing. He has a couple other ventures, National Criminal Data LLC, Jericho Pictures, a film studio. The thing that sort of pinged for me was that when this story came out, NPD hasn't, NPD has publicly acknowledged the breach. They haven't given any information, really, about what has occurred here. Salvatore, who owns these several other businesses, didn't really provide comments other than stating that the exposed archive was outdated and that he was just gonna immediately shut down recordscheck.net, in light of this whole thing, which really paints a picture of a of a of a business ecosystem, not to put it all on him, but where companies that deal in this data broker space are just being sort of spun up and shut down pretty loosely. And this doesn't really strike me as the kind of business that should be approached in that way. This isn't on him, but I'll say generally in this space, I don't think being a data broker should be a side hustle. I think this should be a pretty clear, focused commitment and a business that you approach basically as, like, a cybersecurity-first project.
Speaker 2: Yeah. It's all I I it it's the market. You know? I don't know what the answer is. Like, obviously, like, this this level of private data should only be held by, like you would hope, government bodies that that have a cybersecurity first kind of protocol. The fact that it's not, like and and this also applies to, like, credit score people. Like, I don't know if you've ever had to deal with the credit system. I recently, my phone number was attached to somebody else's credit profile, so I was getting collections calls for something that I had nothing to do with for somebody that I have nothing to do with. And I was just like, how I called these credit companies, and I was like, quit calling me, and they're like, we can't. Your number has been attached to this record. We get the records from the credit brokers. So if you wanna have your number removed, you have to call them. I called them and they don't have a process for this. So it's, again, private companies doing this, you know, level of work with personal information, and they they have no accountability to the people. They have no accountability to to their business practices. They can call and harass you perpetually. And I was just like, I have no idea how we've lost the handle of this so badly as a society. So this is the same thing. It's like, why does this random little company that gets their software built out of, like, Pakistan, have all of this personal information for all of these North Americans. And it's like and why are they allowed to just sell it to anybody who wants to buy it? Like, the hack the hack exposed it for free, but if you had money, they would have given it to you.
Speaker 1: They would have sold it
Speaker 2: to you.
Speaker 1: I think that's the really big part of this is that these companies are, who knows where it's being purchased from. Some of it's public, but now that this has been stolen and and and and leaked, it's widely available on on cybercrime forums. It's gonna be used for identity theft and fraud for years, and it it's difficult to say what its genesis even was if it wasn't the same place it's ended up. This isn't the first of these incidents. There's the 2019 breach of People Data Labs, 1,500,000,000 people around the world, the 2023 breach at PeopleConnect. This is an ongoing risk, in in a just a a a bummer business stream, for lack of a better word. Like, this is a tricky one, but it's an interesting story. We're gonna keep an eye on it.
Speaker 2: Yeah. For sure. For sure. Bad. Bad. Bad given the scale. Bad given the information. Bad given the impact that it's gonna have.
Speaker 1: Yeah.
Speaker 2: Like, even if you can imagine there's a 100,000,000 real records, like, hot live records in there. Yeah. That's a 100,000,000 people that are now on super high alert for identity theft. You know, they're gonna be and potentially will be have their identity stolen. And then the the fallout and of having to deal with that, resolve that, rebuild your credit rating, whatever whatever it looks like and how bad it gets. So terrible, terrible situation. Hate it. Not happy about it.
Speaker 1: You want to, kick it over to to some to some advertising oasis, and then when we come back, we can talk about using lasers to hack microchips?
Speaker 2: Yeah. Yeah. I'm in. You know I love the ad oasis.
Speaker 1: It's so Zen. After our time in the desert, I could use an oasis. Starting some new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.
Speaker 3: Lots of places can expose you to identity theft. Oh, no. That's why LifeLock monitors hundreds of millions of data points a second for threats to your identity, which is way more than anyone can do on their own. If we find anything suspicious, like new loans or changes to your financial accounts, we alert you right away, all through text, phone, email, or the LifeLock app. Get the alerts that could make all the difference. Save up to 30% off your first year at lifelock.com/podcast. Terms apply.
Speaker 1: So modern microchips, and, boy, is this more technical than I am, but I'm gonna try my best.
Speaker 2: I'm here for you.
Speaker 1: Modern microchips contain transistors that are so small that even a few stray photons can alter the electrical charges representing binary data stored on them, the zeros and the ones. Laser-based hacking exploits take advantage of this vulnerability by using a targeted and very, very, very precisely timed laser blast to intentionally disrupt a chip's programming. This technique is broadly called laser fault injection. In order to do this, you're looking at a tool that costs in and around $150,000 US. There's some budget versions for certain types of more local law enforcement that run around $10. The sort of Rolls-Royce is the Riscure laser station, which, as we said, costs about as much as a condo. Well, as a condo used to. At Black Hat, hackers Sam Beaumont and Larry "Patch" Trowell from NetSPI introduced this tool called RayV Lite. And the goal of this is to take that technology, LFI, and to make it cheap and open source enough that people can do it relatively affordably, bringing this technique from large, well-funded entities to a much larger audience. Beaumont and Trowell built the RayV Lite for under $500 utilizing 3D printing, components that are available kind of at commodity-level scale, and some pretty wacky physics tricks. This whole thing has a real mad science quality to it, which is why I wanted to talk about it. And the goal of this project is to show that this laser-based exploit that was previously very inaccessible to most people is a lot more feasible than hardware designers and hackers used to think.
Speaker 2: Let's I think before we get into the madness
Speaker 1: Mhmm.
Speaker 2: Let's talk about maybe what this can be used for because
Speaker 1: Great call.
Speaker 2: There's madness here, and it's, like, madness that requires high levels of expertise and traditionally very expensive equipment. But it's like, just what can it be used for and why would it be used? I think it's a great kickoff to this because it is madness.
Speaker 1: Good call.
Speaker 2: I'll jump in and say that chips are just a bunch of binary gates. Right? That's all they do. They run zeros and ones. They run them through a bunch of logic operations, and they output zeros and ones, trues or falses. That's it. That's all a chip does. So interrupting a chip during an execution of some of this logic code, trues and falses running through logical chains to figure out whether it's true or false, typically would just cause a seg fault, or, like, would typically cause a program failure potentially, or a gate to come back as false when it should have been true in, like, an if statement in the code or, you know, whatever. It's looking at adjusting the outcome of that true/false check. So it really comes down to the use case of when you wanna use it. So, like, one of the things that they were talking about in their presentation, I think, was Bitcoin secure keys and secure wallets. So when they do the verification check against, you know, whatever code you've typed in to unlock it, if they can hit it at the exact right time, which again requires high levels of precision, high levels of experience, it might be able to get it to send back a true when it should have been a false. So, like, is this the exact code? Here's the zeros and ones running through the chip. We hit it with the laser. All of a sudden, it returns true when it should have been false. So it's very unique use cases of essentially tricking and glitching a chip's process for a specific reason at a very specific time. Mhmm. Very complicated, but also used to be very hard to do and was very financially inaccessible. Now we can talk about the madness.
Speaker 1: I mean, you kinda covered a lot of the madness. Like, I think the interesting part of this is this sort of history of taking really advanced hacking tools that are very, very inaccessible and things like the ChipWhisperer and the HackRF Mhmm. Which made electromagnetic and radio-based hacking a lot cheaper and more accessible. Taking that same technology and, almost as an experiment, like, figuring out what can be done using off-the-shelf parts, 3D-printable microscope models, and just sort of, like, mad science hacking the whole thing together. Mhmm. Is it necessarily a great thing that this specific type of technology is more accessible? TBD. But it is certainly fascinating that you can reproduce a lot of the functionality of a six-figure item using off-the-shelf parts.
Speaker 2: Yeah. And the other thing too is, like, there are a few ways to glitch a chip. You know, I think one way is you can mess with the power or the clock, the frequency of the power going into it, which will cause the chip to kind of glitch a bit. So that's one way. The other way, as you mentioned, was electromagnetic. So, you know, we've seen that and, you know, Hollywood loves that one.
Speaker 1: Yep.
Speaker 2: And then, you can physically touch the chip. It's called body-based fault injection, which essentially you're reversing the bias on the chip substrate and it causes the signal to, like, flip. So there's a few different ways, and then there's laser fault injection. And, again, all of these pretty much require insane levels of expertise and knowledge of what you're doing, especially given that these chips now, like modern chips you'd mentioned in the intro to this, the size of the transistors in them has gotten so small. Like, we're talking, like, I think the modern production, like, if I'm not mistaken, I think the new Macs are using four Newton meters. Is that right? But, like, going up to, like, Intel, who were still producing old-school chips at, like, 10 and above Newton meters. So it's like these transistors are so tiny that when you glitch them, you probably have a higher likelihood of ruining the chip than you do of actually successfully executing the hack unless you know exactly what you're doing. So I think this is, again, another barrier to entry of, like, not a lot of people do this because it might just destroy their chips. So it's like you wanna try and do this to a $100 Bitcoin wallet and it destroys it, like, instantly.
Speaker 1: Yeah. I'm reminded of a year or two ago, we did an episode where we talked with Joe Grand. Mhmm. He's a hardware hacker who had been contacted by someone with a Bitcoin wallet with a bunch of money on it trying to get into it without the password. And he was dealing with that exact same thing, and it was, if I remember right, a bit flip based compromise he was going after, and the big sort of looming threat was that, like, I have the ability to just vanish millions of dollars if I do this wrong. Like, it's an extremely high stakes operation at that point. You do have the ability to circumvent sort of the final barrier of defense using this technique, but you also have the ability to fry the whole operation and, with it, a bunch of money. Yep. The thing that made the $150k one expensive, a lot of it had to do with these industrial-grade, incredibly precise lasers.
Speaker 2: Mhmm.
Speaker 1: That was the sort of, like, the heart of that whole thing, and the big innovation here was the use of a much lower cost laser that they could get the same effect out of by operating it over a slightly longer time interval, which, as media creators, I found fascinating because it sort of functioned a little bit like using a longer exposure in photography. Mhmm. Like, they just sort of mucked with how long the laser was on for and were able to reproduce a similar effect. So it's a very neat kind of project. You know, $100 for this little RayV Lite lens that they're using, the FPGA chip for timing, and then a $68 Raspberry Pi. This is not something most people could or would ever build. It's a research project, but it's a fascinating little piece of hacked-together DIY tech.
Speaker 2: Yeah. And, like, as a photographer, you'd know that, like, the cameras are actually almost the secondary cost. The lenses are what cost so much. That's the difference between a high quality and a low quality laser. You know, you can buy a laser pointer at the, you know, convenience store for, like, $6.99. But to get one that's got a good lens array that causes it to be hyper precise and exactly in the range that you want it, you know, that's where the money comes in. So the fact that they found a way to do that with essentially cheap consumer parts is amazing. Speaking of cheap ways to do things that used to take a lot more money to do, let's talk about what AI is up to.
Speaker 1: Thank you for making that transition because I didn't know how to do it. I was lost in the sauce of laser hacking. And now we should probably talk about Copilot. This was another thing that came out of Black Hat, the big security conference that precedes DEF CON. So Copilot AI, which is integrated into Microsoft 365, it's in Word, it's in Outlook, it's in Teams chats, and very, very importantly, it's in your emails in the form of Outlook. And this project, by researcher Michael Bargury, was to sort of present five proof-of-concept attacks using Copilot. The long and short of this basically is that if you manage to get a hold of someone's email running Copilot inside of it Mhmm. Copilot functions as, like, an accelerant on an automated spear phishing tool. This AI tool can send out a bunch of emails, mimic the victim's writing, mirror their emoji use, meme references. It's so perfectly customized for sending out phishing emails to all of their contacts, which are again in the emails, with malicious links at scale. It is not itself a compromise. It doesn't give a person a way into it, but it does mean that in a very short period of time with the account, the amount of harm a person could do with someone else's email is drastically accelerated.
Speaker 2: Yeah. AI is great at reading and replicating, so this is no surprise.
Speaker 1: Microsoft did reply to this. Phillip Misner, the head of AI incident detection at Microsoft, in response to Bargury's findings, has stated that Microsoft is working on a fix of some sort. Misner emphasized that the risks of AI abuse post-compromise are similar to other post-compromise techniques. At the end of the day, if someone gets into your email, they're gonna be able to do a lot of harm. All these tools really do is allow you to do harm a little bit faster in the exact same way that these tools allow you to do your job with your email a little bit faster. Whatever it is you're trying to do with someone's email account, yours or someone else's, these tools are just going to accelerate that. Yeah. This isn't necessarily a point against these tools, but it is an interesting shift in how we think about the amount of time someone has with someone else's account. Oh, they only had it for five minutes before I was able to get them out and switch the password. What can you do in five minutes? And shift it just a little bit.
Speaker 2: The other thing too is, like, I hate to say it, but I think people's natural defense against phishing attacks is language. Like, when I receive an email that looks super credible, but the second I spot a glaring flaw in the grammar and the word choice, it immediately raises a red flag for me. Yeah. It's like bing, and then I do the investigation. I dig into the email headers and I see, oh, this is actually a phishing attack. So, like, some of the best phishing attacks I've ever gotten look and sound just like perfect regular emails. And yeah, this is one of those ways where they're gonna bypass people's inherent, like, this looks out of place, like, that little checkpoint that we all have. And again, you can't fault AI for it. It's just doing the best job it can. But at the same time, it's like we almost need a solution. What this is gonna cause is an innovation in the anti-phishing space.
Speaker 1: I think that so many solutions to this, and I've been seeing people comment this every time they see, you know, a new real-time deepfake technique, is that, wow, we're really gonna need to start shifting back to keyword-based, like, interpersonal security, where it's just like, before I talk to you, you know that I'm gonna say the word butterfly, and that's our keyword. It's like, wow. That's a really big shift in how we talk to one another. But I think that the first layer of defense is tonal. Before someone uses a word, the way they talk is their first line of defense. If you send me an email and it's weirdly formal and stilted, I'm gonna think about that a little differently than if it sounds like you. And these tools, as a matter of convenience, try to imitate tone. So that sort of first barrier that we all rely on, even if we don't realize we're doing it, doesn't totally work as well if a person can just sort of grab a handful of your correspondence and match your tone perfectly.
Speaker 2: You're not wrong. Yeah. The, great.
Speaker 1: Good stuff. I think we're pretty close to wrapping up. I had two little things that just came across my desk. They have nothing to do with our beats. Though the first one, there's some strenuous connections. Have you been following what's going on in chess cheating?
Speaker 2: Not since the whole anal beads thing. Is there is there more to know?
Speaker 1: Very, very briefly. This isn't a whole story. And as far as I'm concerned, the whole beads allegation turned chess cheating into a tech story. No. It was just that a chess player was poisoned after, so this is an alleged poisoning. Amina Abakarova, a Russian chess player, is in the middle of this, another cheating scandal, and has been accused of attempting to poison her opponent, Umayganat Osmanova, during a chess tournament earlier this month. She started to feel unwell after playing at a specific board. However, Amina was able to finish the game, and the allegation here is that she used mercury, put it on the opponent's pieces prior to the game, like, pulled from a broken thermometer. This was captured on video footage of someone, purportedly a dark-haired woman like her, going up to the chessboard, tinkering with the chess pieces on the opponent's side, after which, during the game, the opponent, who was touching the pieces on the contaminated board, started to feel unwell, got sick, and was found to have mercury poisoning. After the incident, the Russian chess federation took action. They temporarily suspended Abakarova from official competition. This is all pending further investigation. But just, like, I just wanna know what the heck is going on in chess, cycling, all of this. Like, what are we doing here? This is nuts. Mario speedruns, nothing is safe.
Speaker 2: Nothing is safe. Yeah. Minecraft, it's all over. That is not really hacking. That's just, like, attempted murder. No. The
Speaker 1: It's just poisoning people. Yeah. It has nothing to do with our beat.
Speaker 2: But it does tie nicely back to the bicycle story, and we have talked about chess cheating in the past. So I, you know, I guess, if anything, everybody's always looking for a way to win. People like winning, winning feels good. And as cycling has shown us, you know, essentially, the equivalent of organized crime can be organized cheating, large-scale, massive, sophisticated cheating, be it through doping or whatever. And this, you know, cheating in video games, cheating in real-life games. This is, you know, if somebody tried to kill me while I was playing against them in an online multiplayer video game, I would be very shocked. But the same goes where it's like I've been DDoSed off the Internet. Like, there's been times where I'll be in the middle of a game and, like, winning an engagement and all of a sudden I get kicked off the Internet. Like Sure. The cheats are, people love cheating. People love to feel like they're the best at something even when they're not. You know?
Speaker 1: Mhmm. And in a weird way, this story brings the episode full circle because we began in nineteen o three with someone being handed a spiked bottle of lemonade, and we arrive in 2024 with someone being handed a spiked pawn. There you go.
Speaker 2: There you go.
Speaker 1: We got back. This has been a fun one. This has been a strange one. I'm into it. We're back from Vegas. We're back in the hot seat.
Speaker 2: And on that, take care.
Speaker 1: And on that, take care, everyone. And we'll catch you in the next one.
Speaker 3: When I found out I was gonna be a parent, I immediately felt a lot of anxiety and worry. So I went on to BetterHelp to try to look for a therapist to help me with that.
Speaker 4: My relationship with my family and with my boyfriend and with myself were suffering. I really needed help. I was ruminating a lot. Really getting those thoughts out to a therapist and getting feedback was just life changing.
Speaker 1: Discover what BetterHelp online therapy can do for you. Visit betterhelp.com today.