Good Fellows

I met up with 8bit at our usual spot in Arlington center, at the municipal lot where the bike trail crosses Massachusetts Avenue. I’d ridden over from my nearby apartment, while he’d driven out from his place in Cambridge.

“Hey, 8bit!” I shouted, once I spotted him doing his pre-run stretches on the grass.

“Yo Marcus!” he replied, firmly clasping my hand and pounding my shoulder. “What’s new?”

“Saving the world from crappy computer security, as always” I smiled. “How about you? Causing problems?”

“What are you working on at Dark Matters?” Classic 8bit, deflecting my question. “Still digging into Bluetooth vulnerabilities?” I nodded, as we headed north up the bike trail with him jogging alongside my bike. He was in far better physical shape than me, and we’d long ago worked out that this was the best way for us to exercise together.

“Yep, and it’s been very satisfying, actually. The Bluetooth connection establishment protocol is badly designed and poorly implemented pretty much everywhere. We’ve found four vulnerabilities that we’ve reported, and got two more pending validation by the vendor.” 8bit nodded at me.

“Cool. That’d make for a great Bluetooth marketing slogan: Badly designed and poorly implemented”

“Yeah, or an off-putting Tinder profile” I replied. 8bit laughed, even though my comment didn’t make much sense. “How about you?” He looked over at me as if he were making a decision. “What?” I asked. “You know I don’t judge.” He laughed out loud.

“You totally judge, Marcus, and you know it. It’s your puritanical nature.” I ignored the dig, smiling back at him before responding.

“And you can’t help but boast about your latest exploits to me”.` He frowned and nodded, agreeing, and quickly looked around to ensure no one else was in earshot.

“I’m saving the world from crappy computer security, too. I hacked the Burlington Marriott’s HVAC system. Actually, it wasn’t even a hack, they left the default password unchanged, so I just logged in this morning and set the lobby AC to 62 degrees. Then I wrote a bot to do this every 2 hours until they wise up and change their damn password.”

“Alan, that’s not cool.” I said sharply, using his real name.

“Oh, stop, I’m not hurting anyone or anything. I’m just teaching them a lesson through a minor inconvenience. Then they’ll take security more seriously. The only way organizations like this learn is if you inflict some pain on them, I’m sorry.”

“So the ends justify the means, 8bit?”

“These ends justify these means! Remember Demosthenes from high school philosophy? Consequentialism?” I didn’t say anything, just increased my speed and watched him struggle a bit to keep pace. After a few long moments of silence, he spoke up again. “Do you remember the movie Goodfellas?”

“Yeah, of course” I replied, flatly.

“Remember when they intimidated the mailman into not delivering school absence notices to Henry’s house? And then they beat the crap out of him so he knew they were serious?”

“Yeah…but where are you going with this? You’re the mafia? You’re the psychotic hacker equivalent of Joe Pesci?”

“No, you’re missing my point! I’m NOT the mafia. I’m NOT beating the crap out of anybody.” 8bit was talking quickly now, a sure sign that I’d put him into a rhetorical corner and made him feel defensive. “They didn’t have to beat up the mailman, but they did anyway. I’ve got the moral high ground…I’m not harming anything, the AC can handle 62 degrees without a problem — I checked the spec. I’m not doing this to a hospital system, I’m not breaking anything, man, or destroying data. I’m just making sure they change their damn password so a really malicious hacker won’t get in there!’ He finally paused and looked over at me. I wasn’t letting up.

“8bit, this crosses a line…it just doesn’t feel right to me”

“Marcus, it’s all shades of gray, man. Almost any action can be ethically justified in the right circumstances. That was our consensus in Dr. Ashman’s Ethics class. We all agreed that you can kill someone in self-defense, right?” I had to nod. He paused, looked upward briefly, then smiled and laughed. “Hey, remember when I came up with justifiable reasons to violate each of the Ten Commandments?” I laughed with him, despite my anger.

“Yeah, and I’m still amazed that you managed to rationalize committing adultery.”

“Ha ha! even impressed myself with that one!” Tension defused, we resumed our trek up the bike trail in silence for a few minutes. “Look, Marcus, I know you don’t agree with everything I do, but I’m not evil. I’m really trying to help people. I’m Chaotic Good, man!” I had to smile at the Dungeons & Dragons reference, but shook my head at the same time.

“I know you’re not evil, Alan, but…this isn’t a game. These are real actions with real legal consequences”

“I’m careful, Marcus, and I’m not stupid. I may be accessing a system without permission, but I’m not doing anything destructive. Same as you…right?” I hesitated, unsure what to say. “Look Marcus, this is just you and me talking. I know you’re not a pure-as-driven-snow white hat hacker, even now. How many conversations have we had about the limits of gray hat? Hell, we even did some minor black-hat work back in the day. And you enjoyed it!”
 “I did”, I admitted, “But we were just two teenage boys experimenting…”

“And remember when your Mom got super mad at us for hacking the school?” I cringed.

“I think she would have been less mad if she’d caught us experimenting with drugs, or with homosexuality! And the worst part was, it was my own damn fault we got caught. I just can’t lie to her!”

“Marcus, you can’t lie to anybody. You’re damn lucky you’re a Lawful Good!”

“Shut up and kiss my Lawful Good ass, 8bit” I shouted as I pedaled hard and pulled ahead, more annoyed than amused.

That afternoon I took the T into Cambridge, picking up my favorite vegan sandwich (“The Medusa”) at the new Pressed Cafe on my way into Dark Matters. I wanted to check on 8bit’s Marriott hack claim, and needed to do this from the secure “Gray Room” at the office. Even though all of us used specialized security software, called Tor, to encrypt and anonymize our network access, our CEO Victor nonetheless required that for our work access we use the Gray Room network, which had additional security precautions.

I walked into the Gray Room with my sandwich, ignoring the cheery “No Food Allowed!” sign, and sat down at one of the five workstations. The rest were empty, except for Sergey, at his usual spot in the corner with his headphones on. He look up, gave me a wave and a smile, and turned his attention back to his computer.

I quickly found the Burlington Marriott’s exposed HVAC system using Shodan, a searchable online database of Internet services, and brought up the login page in my web browser. “Belair HVAC Control System, version 3.2.4.” Forty seconds later, I’d found the administrator’s manual online, and the default credentials: admin/password.

I paused, and looked over at Sergey. He was busy, and not paying attention to me at all. Besides, the room was deliberately set up so that workstation screens weren’t visible to one another. I got up, threw away the trash from my meal, then went to the restroom to wash my face while I thought about this.

This was absolutely going to be a small violation of the rules. Damn 8bit. I didn’t have permission to access the HVAC system, and technically I shouldn’t do this. But on the other hand, I knew that 8bit was already in there, messing around with their settings. Locking him out was a good thing — and would also prevent other attackers from gaining access. I’d be doing them a favor — like closing your neighbor’s garage door when they were out of town.

Feeling mostly justified in these actions, I sat down, and entered the credentials. I was excited but a little disappointed that they worked, and the main HVAC control system appeared in my browser. I quickly chose Configuration…Security…Password, and changed the password from its default, to something more secure, generated with a random password app: xH5e8#pMb9. Then I used an anonymous emailer to send a quick note to the hotel, telling them that I’d changed the password because I’d “learned on the Dark Web” that their system was open. I thought this would put a little bit of fear into them, and hopefully make them take it seriously. I closed by urging them to change the password again, and to do a security audit of the rest of their systems.

Finally, I spent a few minutes and logged this activity in my personal encrypted notebook. This was a small risk — documenting a technically illegal activity — but I’d found, time and again, that my detailed notes had saved me tremendous amounts of work.

After saying a quick goodbye to Sergey, I drove home through the warm afternoon sunshine, windows down and music playing loud: “Into the Great Wide Open”

8bit messaged me during my drive home, and at my next red light I picked up my phone to see.

> Yo, my bot login failed. Looks like they got smart and changed the password. My plan worked! Have a nice day. Love, your chaotic good friend

I shook my head and started to laugh, when it hit me mid-chuckle; a small wave of fear. I’d forgotten to change the AC settings. Was the hotel still set to 62 degrees? Had the right person gotten my email? I was near enough to Burlington that I decided to just drive over to the hotel to assess the situation — this would be faster than going back into the office.

A few minutes later I walked into the Marriott, more nervous than I’d anticipated. The lobby was without a doubt cold, unpleasantly cold. There were five people behind the reception desk, talking animatedly with guests, and someone, presumably the manager, was having a loud conversation on the phone. Even from across the lobby, I could hear him.

“…we can’t change the temperature, we’re locked out of the system!…Yes, we’ve retried the bloody password! Admin and P-A-S-S-W-O-R-D. It just stopped working this afternoon!!”

Even in this, a mess at least partially of my own making, I couldn’t help but laugh, putting my hand over my mouth in a valiant attempt at camouflage. “Look, I have to deal with some unhappy customers. Just send a tech over here ASAP, okay”? The manager hung up with a loud sigh, and ran his fingers through his sweaty, thinning hair.

I paused for a moment, thinking it through, then made a decision. I could fix this situation. These people needed help.

I walked up to the manager, and nodded hello.

“Hi, I’m sorry to bother you, but I couldn’t help overhearing. Do you have a problem with your computer? I work in cybersecurity and maybe I can help?”

He looked up at me, with suspicion and perhaps a gleam of hope in his eyes.

“What’s your name? Who are you with?” I dug out a business card, and handed it him.

“I’m Marcus Schmidt with Dark Matters Security. We’re a local cybersecurity consulting company. What’s the problem?” The manager looked at the card for a few long moments, angling it back and forth in his fingers while gently chewing on his lower lip. At last, he decided.

“We’ve been hacked. At least, I think so, We can’t access our HVAC system. HVAC is the air conditioning…that’s why it’s so cold. The hacker must have changed the temperature. And the password, he changed the password so we can’t log in.”

“Where’s the system? Many of our customers are, uh, we can help by looking up information online…” Steady, you can do this. I started again. “We help companies recover from incidents just like this, all the time” He nodded at me, apparently convinced.

“Come on back. I’m Len”, offering his hand. Len led me through a doorway, into a small office area behind reception. His computer browser was open, displaying what I now recognized as the hotel HVAC control system login page. I decided to show some expertise to build confidence. Leaning forward, I pretended to study the screen for a moment.

“Oh, is that one of the Belair Systems HVACs? Maybe the B5000 controller?” Len turned and looked up at me quizzically, his mouth slightly ajar. Maybe I’d gone too far. “Oh, we secure ICSs — industrial control systems — for our customers all the time. Belair uses the same admin system and controller across their entire product line. With that same bright blue color scheme. Belair blue. We hate it.” OK, I was adding in too much detail. A too-obvious sign of a liar.

Len apparently didn’t notice, and turned back to the screen to fiddle with the mouse.

“So how do you reset the password?”

“Give me a few minutes, and I’ll find the admin guide. Most of these systems have a documented reset procedure of some sort.”

“You need another computer?” he asked.

“No, I can just use this browser here” I replied. “Give me 5 minutes and I’ll let you know.” Trying, hopefully not too obviously, to get him to leave me alone. I’d remembered that Belair was the name of the HVAC system, but had no idea if any other part of my spiel was correct. And I didn’t want him to watch me Google it.

“OK”, he replied, sat down heavily in the chair next to me, and leaned back. Well alrighty then. I’d just have to bull my way through this. I quickly found the Belair technical installation guide online, and located an appropriately complex-looking page on network configuration. I also launched a command-line window on the computer, and ran “ping”, the world’s simplest network connection testing program, solely to impress Len.

> ping -t
Reply from bytes=32 time=1ms TTL=64
Reply from bytes=32 time=7ms TTL=64
Reply from bytes=32 time=1ms TTL=64

Leaving ping running, I launched Notepad, carefully typed in the HVAC password I’d looked up in my phone, copied it to the Windows clipboard, and exited Notepad. I was ready.

“Len, I think we can do this” I suddenly exclaimed. He sat forward, quickly. “Look here…see the network configuration section of the manual?” He nodded, and I continued, speaking quickly. “See where they talk about IPv4? What that means is by sending the right kind of Ethernet packet — a 1500-byte datagram — with the right IP address — that it’ll temporarily reset the password.” Lordy, I was spewing complete bullshit, but I was counting on it sounding legit to Len’s ears.

“OK…?” he replied, definitely sounding unsure.

“So now I have this network security tool running here” — pointing at the ping program — “which is sending those special packets. And if I switch over to the login screen, I should be able to get in.” I brought up the browser window, pasted the password, and…success!

“Hallelujah!” Len shouted. “You did it!!” I smiled, genuinely happy for him. But I had one more important step — extricating myself from this situation. After Len quickly adjusted the AC setting back to a comfortable 72, I instructed him to change the password — he settled on Burl1ingtonM! — which he promptly wrote on a sticky note pasted onto his desk. I restrained myself from saying anything — it was all about the threat model, and 8bit sure wasn’t going to be in this office to see the sticky note. Len looked up, looking relaxed at last.

“Marcus, I can’t thank you enough! Can I pay you for your time?”

“No, Len…no charge. I’m happy I could help out. I’m really glad it worked.”

“OK…” He picked up my business card one more time, looking at it. “I tell you what…I’ll hire your company to do a complete security audit of my hotel. I want to make sure nothing like this happens again” I forced a smile at this unwelcome news. The last thing I wanted was to get Victor involved in this situation.

“Oh, okay Len…sure. Give me a call. I’ll see what we can do.”

“That’s great, Marcus. I’ll call you Monday! Thanks again!” I nodded, shook his hand one last time, and quickly left the hotel. I only looked back over my shoulder twice on the way to the car.

Victor and I were both early risers, so we had a quiet office at 7:30 on Monday morning when we sat down to talk over coffee and donuts. I’d stopped at Davis Square Donuts on the way to work and bought a dozen for the office. Victor selected a Butternut Crunch, took a large bite, and slowly chewed it with a look of contentment.

“What’s up, Marcus? What’s wrong?” I was a bit taken aback.

“What do you mean? Who said anything is wrong?” Victor smiled at me

“This isn’t going to be a conversation about Bluetooth, I can tell.” I looked down sheepishly.

“Did the donuts give it away?” Victor didn’t reply, but just waited. I took a deep breath, and stepped into the void. “OK. I made a mistake. I accidentally hacked the Burlington Marriott, and think I have to resign.”

Victor sat silently as I told him the story, smiling as he selected another donut (chocolate frosted) but not otherwise showing much of a reaction. When I finished, he leaned back in his chair and gave me a crooked grin.

“Well, I need to give you a demerit for weak Operational Security, Marcus — at least use a fake name and business card next time.” I raised my eyebrows and stared at him. “And no, you’re not resigning.”

Later that morning we got the phone with Len.

“…and I can’t thank you enough, Victor — your guy Marcus was a superhero here! As I told him, I’d like to hire you guys to do a security audit”

“Sure thing” replied Victor, glancing at me, with a smirk.

“So how much do these typically cost?” Len asked

“It depends, of course, but an audit usually starts at $25,000.” I laughed silently with relief at Victor’s comment. That was a very inflated price point.

“Oh…wow…” Len stammered a bit, and then recovered. “OK, well, that’s above my discretionary budget. The guy from IT security is coming by this afternoon to upgrade the system, and I’ll ask him about it. Let me get back to you on that.”

“No problem!” Victor replied with unnecessary enthusiasm.

“Thanks again!” responded Len, with authentic enthusiasm. “Marcus really saved my bacon!”

“You’re welcome, Len! Have a great day!” I added, as we hung up. Victor smiled at me, as he leaned back in his chair.

“Look, Marcus, believe it or not, you did the right thing in a difficult situation here. Yes, you made a small mistake, but this hotel was being attacked and you actively defended them. I give you a lot of credit for doing that.” I smiled, but protested.

“Yeah, but I made things worse! Then I had to go there in person and bring you into it to get it sorted out”

“It’s OK, Marcus. I’m glad to help. Even if I did have to lie about how expensive our security audits are.”

That evening, I was at home cooking dinner (Asian stir-fry with tofu and lots of vegetables) when 8bit messaged me (on Signal, of course, since it was more secure than text messaging, and he refused to use iMessage on general principle).

> Marcus

> Hey Marcus

I was still kind of peeved with him, so I decided to not to reply.

> What an awesome day! Saving the world from bad security, indeed!

> I’m SO happy that the Marriott changed their HVAC password!

> In fact I found another hotel with that same system in Minneapolis.

> I did the same thing, and they changed their password in less than 2 hours! This is cool!

I sighed and picked up my phone. I couldn’t take it anymore, and in any case I was done cooking the stir fry and just waiting on the rice. Brown rice always took longer than I anticipated to cook.

< So are you happy with yourself? You’re harassing these people!

< Plus, it’s illegal!

> Oh, so you *are* there!

> Damn right I’m happy! Making the world a more secure place, one step at a time

> Fact: These hotels now BOTH have demonstrably better security. This is an inarguably positive outcome

< But at what cost?

> A minor headache for them.

< 8bit, this isn’t cool. I’m done talking to you about this

> Hey, in my gray-hat worldview, this *is* cool. No one gets hurt, nothing gets damaged, and they end up with better security.

I grumbled, and exited the messaging app. The rice maker was beeping, and it was time to eat.

After dinner, I checked the Marriott’s system, just to verify that things were still OK. Sure enough, the HVAC login page showed that it’d been upgraded to a newer version (3.3), and the default credentials didn’t work. Good. Just for kicks, I tried a port scan, which, in a non-destructive way, determines the set of network-accessible services running on that system.

The scan showed me that port 443 was open, as expected — this was how I loaded the login page into the browser. But the scan also showed that unlike before, port 22 — used for the administrative access tool, SSH — was open. With a minor feeling of concern, I launched Tor, then connected an SSH client to the hotel server. It prompted me for a username, and I frowned. SSH was more secure when configured to require a key file, rather than just a username/password. I groaned, and tried the default credentials: admin/password.

Sadly, it worked.

/home/admin> $

I was logged in as the root user, with full admin privileges. I sighed, disconnected from the hotel system and shut down my Tor client. The hotel system was now less secure than when I’d started.

I turned on the TV, selected “On Demand”, and found “Goodfellas” available to stream. Just before clicking “Rent”, I glanced over at my phone. Making a decision, I put down the remote, and launched the messaging app.

< Hey 8bit

< Want to come over and watch a movie?