Do you have what it takes to be a hardware hacker?
If you ask Yago Hansen, a hacker specialized in Wi-Fi and RF security, curiosity and a willingness to learn and improve your skills are the two things that you absolutely must have to embark on a (white hat) hacking career.
A love for money, on the other hand, is not. “In my mind, hackers are security researchers who spend a lot of their life in testing, learning and getting better at what they do because they love it, not because they can earn a lot of money,” he told Help Net Security.
“A desire to share their time, knowledge and work with others just so they can make those lives and society better is a logical extension of that.”
That’s not to say that hacking can’t be a lucrative career but, he noted, for those who are just interested in money there are many other well-paid jobs within the infosec industry.
Hardware hacking as a push for better security
Hardware hacking is not a new phenomenon.
“Back in the day it was mostly called ‘industrial espionage’. But today, thanks to the popularization of technology and electronics, it is not considered a clandestine activity and many people have learned about it, though it is still used for industrial espionage by some companies,” Hansen noted.
The demand for ethical hardware hackers is high due to the exponential growth of new technologies, he feels, as there are unfortunately too many “black hats” that use their knowledge and skills to misuse new technologies for purposes that are often in conflict with societies’ and companies’ goals.
“Since we cannot stop progress, we need to learn from mistakes. Hardware hacking is not only a way to learn about your competence, but also about the competence of others,” he said.
“By trying to alter the technology’s behaviour and capabilities, hardware hackers and pentesters probe and evaluate the security of technology developed by others, and this discipline is getting more important by the day.”
Hansen also believes that the tech industry needs to be regulated and pushed to comply with security standards and create better, more secure technologies that are more difficult to turn against users.
“I’m talking here both about users’ privacy/data security and their physical and psychological safety, as many future technologies (e.g., self-driven cars) will have an outsized impact on users’ lives,” he added.
“Privacy and security regulations and standards have been and must continually be created: society must be protected against cyber-related risks.”
In the meantime, hardware hackers engage in a dual “fight”: against black hats and against tech companies who put their own economic interest before their customers’ security and privacy. By finding and disclosing vulnerabilities, hackers are pushing companies towards better security practices.
You don’t have to choose to do just one thing
Hansen’s view of what makes a good hacker is, expectedly, influenced by his life and infosec career.
His childhood and journey to adulthood happened in parallel with the development of electronic toys and the first home computers.
His first few jobs were in IT – sales, support, administration – but, fifteen years ago, his desire to upgrade professionally led him to start assisting during security courses and to begin learning about security on his own. (He continues to do so, loves it, and finds it crucial for keeping up with the never-ending technological changes.)
“I try to keep motivated,” he shared. “Over the years, I have run a variety of security-centered projects: I have written technical books; co-founded one of the first security podcasts (Mundo Hacker), which ultimately became a public TV show in Spain and Colombia; I co-founded a conference (Mundo Hacker Day); I’ve taught security for government agencies; I’ve run many security projects as project manager; I’ve been a pentester; I’ve developed a communications interception system that was later sold to one of the biggest global security corporations.”
He started that last project eight years ago: he first met with representatives of several police agencies to discover what products they use and to learn about their needs, and then spent about three years developing a functional product.
When he felt that it was functional enough to be used, he presented it at a private law enforcement conference in Europe: he rented a stand, created a presentation video and brochures, and received a lot of interest from many international agencies and from several big companies.
“After a lot of negotiation, I sold the product and the technology to one of the largest global intelligence companies, which is now selling it all over the world. I had to set up a company (WiFense) to take the product from the development to the production stage and to transfer all the knowledge to the buyer, and that took three more years,” he shared.
“It was a great experience for me, as I have learned a lot about many different things: project management, company development, security, etc. Naturally, security was, from the very beginning, integrated in our product development.”
Among his latest projects is also The Hacker’s Hardware Toolkit, a non-commercial catalog that provides a broad (but concise) overview of 100+ hardware gadgets red teamers, pentesters and security researchers might find handy.
Present and future
Being a freelancer for the last twenty years must be part of the reason why he engaged – and continues to engage – in such a wide variety of interests and projects.
It hasn’t been easy, he noted, but for him there was no other way: he doesn’t feel comfortable working for big corporations with strict labor policies, structures and “illogical” rules. He also believes that many hackers are like him, and that companies should adapt their labor policies if they want to attract these types of experts.
“Technology is changing people’s way of life, introducing new devices in their homes, cars, offices, on their bodies, etc. Hacks targeting Internet of Things devices are ubiquitous and, slowly but surely, the number of attacks targeting critical infrastructure is also rising. Hacking knowledge and skills are necessary to fight against these criminals, now and in the future,” he opined.
He’s not entirely satisfied, though, with the direction in which the infosec industry is going.
“In the last few years, many cybersecurity companies and consultancies have been acquired or financed by banks, equity firms and corporations, and profitability is becoming the main goal. Unfortunately, when the owners’ or investors’ only concern is profit, spending enough resources and effort on improving security is not a priority.”