The scene was set: a surveillance camera, a safe full of money in a Las Vegas casino, a pair of thieves with lock-picking tools and a laptop. I watched in awe as the skinny geeks clipped wires and rewired the feed so that it would loop ad infinitum. Basically, they recreated the climax of Ocean’s 11 before my very eyes.
But there were no police, and there was no big getaway. I was sitting in hotel conference centre at DEF CON 23, the infamous hacker conference that brings hundreds of would be deviants to Sin City to learn how to do things like break into safes. The two hackers on stage were Zack Banks and Eric Van Albert, two Massachusetts Institute of Technology (MIT) alums with a penchant for physical security. They pulled off the mini Ocean’s 11 heist in real time so that they could show off a technique for compromising an Ethernet connection in order to gain access to surveillance cameras and loop the feeds without getting caught.
The hack itself is simple enough. Using a custom-made tap board, Banks and Van Albert successfully spliced into an Ethernet cable connected to a surveillance camera. The hardware enabled the hackers to connect a man-in-the-middle device to the Ethernet cable without interrupting the surveillance camera feed. Then, they used a software hack to create a loop from the video feed. They even clipped out the time stamp from the live feed and pasted it over the looped clip, so that it would appear as if the camera was recording in real time. Once they switched from the live feed to the loop, one of the hackers used the lock-picking kit to break into a miniature safe and steal all of the coins.
Pretty cool, huh? The similarity of the hack to the plot of Ocean’s 11 is hardly an accident. Back in May, Banks and Van Albert published a white paper describing the methodology of the looping surveillance camera feeds and listed Ocean’s 11 as inspiration for their research. “We set out the re-create [the attack] as true to the movies as possible to demonstrate exactly how practical it would be to create a camera loop,” they wrote over an image of the devices used in Ocean’s 11 and National Treasure.
For me, the timing of the demonstration was particularly funny, since I’d just watched Ocean’s 11 in my hotel room. It was just a coincidence — but funny to see how Hollywood hacking isn’t always hilariously horrible. In fact, I wondered if the movie fantasies were finally syncing up with reality. We’ve come a long way from the whimsical imaginary cyberworld in The Net to the strikingly realistic depiction of hacking in Black Hat. One can’t help but laugh a little — with a heavy dose of unease — at how Hollywood and our own reality are converging thanks to hacker heists and malicious worms that devour entire networks.
But it’s encouraging that well-meaning hackers like Banks and Van Albert are discussing their work so publicly. At the end of the day, they’re striving to make public the vulnerabilities of physical and cyber security so that we can all be a little bit safer. If you’re feeling frisky, you can even recreate the hack yourself, since all of the code is public on Git Hub. Quick pro tip, though: don’t try to rob a casino. As we learned in Oceans 12, it really pisses off the owners when you take all their money. And you don’t want the casino crowd mad at you. [DEF CON 23]