On the red carpet at the 2005 Academy Awards, Hollywood royalty in ball gowns and tuxedos paraded in front of a sea of photographers, oblivious to the fact that just across the street, three USC students were conducting secret surveillance to determine the safety of mobile phones.
Armed with a high-powered Bluetooth antenna, Kevin Mahaffey of the USC Viterbi School of Engineering and John Hering and James Burgess of the USC Marshall School of Business were scanning all mobile phones within range to locate those vulnerable to being hacked. They wanted to show that even celebrities’ phones had bugs that allowed unauthorized Bluetooth devices to access them.
The USC undergraduates performed this stunt not to actually hack into Brad Pitt’s or other celebrities’ phones but to help keep that from happening.
The first security gap they discovered was in a Nokia 6310i phone that allowed for unauthorized Bluetooth access. As responsible security researchers, they disclosed the bug to Nokia. Nokia declined to fix the security flaw, however, arguing that because Bluetooth had a range of only 100 meters, the problem was not worth fixing. But the trio had already dispelled that myth a year earlier, when they used a powerful Bluetooth antenna gun called the Blue Sniper to demonstrate their ability to hack into a cellphone from just over a mile away.
There is an understanding between vendors and researchers in terms of security research: If a researcher reports an issue to a vendor and it’s fixed, the security researcher does not disclose the vulnerability to the public until everything is amended. However, as Mahaffey explained, “If you do not fix your vulnerability, the researchers get to give a talk at Defcon, the world’s largest hacker conference.”
Defcon is an interesting venue for researchers concerned with mobile security. At this conference, no one dares to use the WiFi, as “Defcon has the most hostile wireless network on the planet,” Mahaffey said. This means the leading minds in computer programming and hacking switch gears entirely and take notes with pencil and paper.
In 2007, Mahaffey, Hering and Burgess started Lookout, a mobile security company, in downtown Los Angeles and began making software to keep cellphones safe. Lookout was ahead of its time, as all this transpired before the release of the iPhone and the successive wave of smartphones.
“The rest of the software world was building Facebook apps. We were this weird company doing cybersecurity in Los Angeles,” said Mahaffey, the firm’s chief technology officer.
But things sure have changed over the years. Lookout went from filling an unknown niche in 2007 to serving 45 million users worldwide today.
Lookout works on iPhones, Android devices and Kindles. It keeps these hand-held computers secure by scanning apps to make sure they’re safe to download, blocking malicious websites and protecting them from destructive software.
If your device is lost or stolen, Lookout enables you to locate it on a map and send instructions for the device to make a loud sound, which will better allow you to locate it. If the phone or tablet cannot be recovered, Lookout can lock the device or wipe your personal data from it remotely.
Looking into the future, Mahaffey acknowledges the possibility of a world where people are increasingly connected to their devices and one another via insecure networks that can be hacked with disastrous consequences. But he wants to help keep that from happening.
“The alternative is a world where all of this technology can be used to make the world more efficient, to help education, to help bring people out of poverty, to help bring access to completely new technologies and products that never could have been built before,” he said. “And our goal is to make sure that as the world gets more connected, it gets more secure instead of less secure.”