It seems to me there is a large disconnect of how a hacker does their work. There are lot of youtube videos with hackers showing how they have hacked something. How can hackers seemingly get in complicated defenses? (not all hackers are criminal in nature)
The following shows some of the combinations within a type of garage door opener (shown in youtube snapshot below) Notice the bit switches (up and down where the combination can be set to 000000000000 up to 111111111111)
Samy has figured out that there are only 4096 combinations with 12 binary code digits in the garage door opener.
Here is https://twitter.com/samykamkar?lang=en his Twitter account
So what a garage door company thought is sophisticated enough some time ago… did not think about the combinations in the sense of alphanumerical digits or otherwise.
He also showed a 2 digit alphanumeric code would be 5184 combinations.
So a 2 digit alphanumeric is more sophisticated than a 12 digit binary.
Now you see another “trick” a mathematical trick which DeBruijin developed in 1946 after a German book of “Logic of Scientific Discovery” discusses this initial method in 1934 by Karl Popper.
So a mathematical trick creates a situation for only 3 digit codes there are 8 different codes
so now the reality is with more programmatic tricks like a bit shift register, and no wait for moving from one code combo to another (which is how the hardware accepts it).
So because of DeBruijin now we don’t even have to make a 24 bits combo to get all combinations (3*8) now we only need 10 bits.
He claims that the actual combinations for 12 digits is
which he multiplies again by 12 getting 98304 bits of all combinations( I dont think that seems right with probability combinations)
He then claims due to DeBruijin it is only 4107 bits that he needs to check. So if he programs the combinations correctly now he says he was able to cut the full combinations down to 10 seconds.
I.e. in 10 seconds the bad combination hardware(12bits in garage door) was hacked.
Watch the video yourself. https://youtu.be/iSSRaIU9_Vc
Samy used an old texting toy for kids called IM-me
He modified the hardware quite a bit, by reprogramming it by using contact connectors in the back where the battery is stored.
So this type of hacker has to have a wide variety of skills, besides some programming, hardware modifications and soldering are also useful.
Here is where i want to explain some of the dark hacker methods:
Now it does not take a genius to figure out that if one could sell this little trick to actual criminals (like in the Darknet)
No hacker skills needed to get in to garages.
Now it is easy to do it, just buy it from somebody who already built it. The problem is that if one can see this “exploit” on YouTube then others can recreate this hack easier than it took for Samy since he left a trail of breadcrumbs
It is true that an unsophisticated “lock” of 12 bits was used to ‘secure’ the garage door mechanism, this is a fault of the garage door manufacturers, but is it really a good idea to post the method of how to break it online?
So imagine the level of sophistication for hackers has increased exponentially, therefore the hacker is developing more sophisticated hacks and selling his inventions for more money to less scrupulous people. This is where we are today.
What happened in 2005? The criminal element in Russia was able to convert a few hackers into their workers, and from then on it was just more mayhem. If you remember spam was just annoying in the early 2000’s, whereas now it is downright dangerous with multiple phishing campaigns and APT (Advanced Persistent threats) campaigns.
The other side of the coin (the defense) is that some people are just not patching and performing IT functions properly. which of course makes the attackers job easier.
Performing IT functions everyday causes many things, including a sense of if it is not broken don’t touch it.
But in Security you may be liable with no upgrades even if the device “is not broken” and need to upgrade with a new Operating System, which may break your apps.
So Security is really counter intuitive from normal IT functions, this is why a lot of companies are not understanding fundamental security issues.
I am not sure if you got a better idea of the hacker mindset with the example above. Needless to say the criminal hacker has no ethics, they will attack you, work out technical problems and attack while you are asleep. the goal being to make more money (not to show you a new trick).
In fact the national news are consistently showing this with the Chinese hackers attacking our government without a response. The Chinese goal has nationalistic aspirations.
Although I must say the only definitive attributable attack to China was the Mandiant report:
Please contact me to further your understanding of the hacker culture in our world today and what you can do to counter it.