White Hat, Black Hat: Bringing Hackers Out of the Shadows
Hunched over laptops, a group of masked hackers stands in an open parking lot trying to probe a newly released SUV’s intelligent onboard system for weaknesses. When they find one, they’ll exploit it to unlock the doors, start the engine, and drive it away.
They have 20 minutes to crack it — and their every move is being watched remotely by an expectant audience in Shanghai’s West Bund Art Center.
This was the scene in late October for the final of the 2023 GeekCon AVSS, an annual cybersecurity contest that tests amateur and professional hackers on their abilities to find vulnerabilities in high-technology systems.
Just six of the 93 teams that entered last year’s contest reached the final stage, having progressed through a series of challenges that involved compromising the operating systems of Android phones and smart vehicles against the clock. Winners receive a grand prize of 50,000 yuan ($6,980) and a place in GeekCon’s Hall of Fame.
Beyond the competitive aspect, the competition aims to raise greater awareness of the security flaws that can exist in the devices and other products people use every day. It begs us to ask: Just how safe are my data and possessions from hackers?
“We’ve invested 10 years of sustained effort to convey the idea that there are no vulnerability-free systems in the world,” says Wang Qi, chairman and CEO of DarkNavy, an independent cybersecurity research institution and the organizer of GeekCon. “Our message also is that vulnerabilities don’t exist because of hackers, but they can be destroyed when hackers discover them.”
Yet, despite being common sense within the “geeksphere,” mainstream recognition of the positive impact of “white hat” hackers — those who help fix problems rather than exploit them — has been hard to come by.
A black and white issue
In pop culture, the word “hacker” has long carried sinister connotations, often used to conjure images of a criminal invading a private network to spy or steal personal data for profit. However, this actually describes only one kind of hacker, the so-called “black hat” hacker. White hat hackers also attack systems, but their goal is to find solutions and improvements.
When GeekCon — then named GeekPwn — was launched in 2014, tech companies and manufacturers still tended to view all hackers as trouble makers, and the vast majority flat-out refused invitations to take part or observe the games. Some even attempted to disrupt the competition.
That first year was a bumpy one. Frequent network interruptions onsite meant the live broadcast had to be ended early, while some companies even shut down their servers entirely for fear that if they were hacked, it would affect their reputation and sales. Ultimately, the event was called off.
At the Shanghai art center in October, the crowd watches on as the hackers’ first two attempts to crack the SUV’s system fail. The contestants, who include university students and industry professionals, are unrecognizable in full face masks and brightly colored hoodies. “As the vulnerability hasn’t been released to the public, the hackers and the vehicle have been disguised to prevent identification,” Wang explains to the audience.
Before establishing DarkNavy in Shanghai in 2011, Wang worked as technical leader of Microsoft China’s security response center. He is also part of the Keen Team, one of the top prize-winning teams at Pwn2Own, the world’s largest hacking competition.
He felt that something like GeekCon, which in addition to organizing contests in China and overseas also holds debates and exchange sessions, could help bring white hat hackers and the valuable role they play into the spotlight.
The 2021 China White Hat Report by Freebuf, a cybersecurity forum, and research by internet security companies 360 and QAX offer some insights into the makeup of these mysterious hackers. The data shows that China had more than 170,000 white hat hackers in 2021. Almost 95% were born between 1990 and 2009, and men account for 88% of the total.
Just as the countdown clock strikes two minutes, the contestants finally find a loophole in the SUV’s system. One runs to the driver’s door and pulls it open, receiving a cheer from the audience. Soon, Wang chimes in over the microphone: “Unlocking the doors is not enough. It’s not a successful hack until you drive away in the vehicle.”
Wang says he feels it’s important to set limitations for hacking projects, as cybersecurity needs a standardized and systemized approach. Unfortunately, few companies recognize this or are willing to invest sufficient resources.
“In many companies, those in charge of security are not people with a security background,” he says. From the decision makers’ viewpoint, safety is effectively a guarantee that “nothing happens,” but if a security department accomplishes nothing all year, a company might question whether it’s value for money.
A few years ago, the director of cybersecurity at a major tech company approached Wang to propose including its products in the GeekCon contest. “I asked him, ‘If we manage to hack your products, does it prove your work is valueless?’ He told me that he just hoped it would encourage the executives at his company to take security issues more seriously.”
Wang says that although the company is already one of the best domestic enterprises in terms of tech security, the budget and headcount it invests in that department is still far lower compared with its core business, which is cameras and image processing.
The value of white hat hackers was first recognized by some large overseas enterprises. In the 2000s, companies such as Microsoft and Google took the lead in recruiting hackers to help them find vulnerabilities in their systems and products. The concept has been spreading among Chinese enterprises since 2010, with Baidu, Alibaba, Tencent, and Huawei now employing hackers in their security teams.
However, many decision makers have so far failed to grasp how to maximize their value, Wang says. “If we imagine for a moment that the world’s top white hat hackers are medical experts who can develop vaccines, right now they’re basically taking temperatures. It’s a huge waste of talent.”
A hacker who claimed to have assisted the police in taking down hundreds of “gray hat” hacking syndicates — those working in the murky spot between white and black hats — complained that his employer has failed to give him any corresponding rewards because his actions were not within the scope of its evaluation system. He was even given a gag order to prevent him from speaking out. “Security departments need a metric that allows people to realize the value of white hat hackers,” says Wang.
In the parking lot, one challenger climbs into the driver’s seat and accesses the operating system. This time, he manages to start the engine and drive away. As he does so, he extends an arm from the window and proudly waves to the cameras, prompting cheers and rapturous applause from the audience at the center.
Over the past 10 years, the security industry has witnessed tremendous changes, says Wang. Hacking an intelligent vehicle manufactured by a company with a sustained security budget can take an advanced hacker a year or more, while other vehicles might only require a few weeks or even less. The same goes for mobile phones and other smart products.
When a company investing 100 million yuan in consumer safety sees a rate of return similar to one investing just 1 million yuan, they are naturally going to look at rebalancing the books. Bad money drives out good money, and end users are ultimately the victims. Equally, even if the security industry tries to expand the talent pool, if its contribution is not valued by the leading companies, more white hat hackers will likely flow toward the black and gray markets instead.
Wei Tao, vice president and chief information security officer of Ant Group, the financial arm of Alibaba, was among China’s first generation of cybersecurity personnel. He has expressed concern about the current situation in the global security field. A paper he published at the cybersecurity conference Black Hat USA 2014 estimates that hackers can accurately track the location and remotely control at least 60% of Android phones. He warns that both China and the United States face serious cybersecurity threats due to the rapid rise of black and gray hacking industries.
Such industries boast a quick return on investment. After just a dozen years they can have a completely anonymized economic system, making them “more profitable but less risky than drug trafficking,” according to Wei.
“As the value of the digital industry grows, so too does the cost of security. When the hacking industry faces insufficient investment, it will be utilized in a bad way, and all kinds of vicious incidents will inevitably happen,” Wei says. “Currently, competition for talents is fierce. In China, for every 100 research and development engineers there are less than 0.5 security engineers. If the traditional security sector can’t absorb these talents, some of whom are still students, they will end up in the black and gray industries. That’s terrible.”
Age is a major factor when considering talents in the security industry, as it is seen to relate to brainpower and technical sensitivity. “The best age for a white hat hacker is between 25 to 35. It’s almost a law in the industry,” Wang says. He warns, however, that if they can’t earn a fortune or a professional honor in their prime years, they will likely switch to being a black hat.
Among the black and gray hacker groups that Wei’s team has taken on, the youngest hacker was a student yet to take the gaokao, China’s national college entrance examination. “It’s a real pity that many talented practitioners go astray due to the great temptation from the black and gray industries,” he says. “It’s a road of no return, and that unwise choice will overshadow their entire life.”
Wei says that the Chinese government has introduced policies and mechanisms to prevent a brain drain, but the country still needs a market-based mechanism for cybersecurity insurance. The market cannot absorb talents efficiently and provide room for growth, he adds. Although the employment rate and the average salary of graduates with cybersecurity degrees are high, there’s still a shortage of jobs. “Only the leading companies can provide fertile soil for the top security talents.”
To address the issue, he proposes placing special emphasis on enhancing cognitive education. “Currently, our children receive education in aspects of personal safety, transportation safety, and even preventing fraud, but they have little knowledge about information security. That’s why I think there is still room for improvement.”
The next step is to perfect the market system. “When information security insurance becomes mandatory, just like drivers need to buy compulsory car insurance, everyone will become more aware and cautious,” says Wei. When the market has developed a greater tolerance and compensation mechanism, people will treat cybersecurity vulnerabilities seriously rather than be afraid of “exposing the flaws.”
Reported by Lei Ceyuan and Shi Mengjiao.
A version of this article first appeared in Original, a platform for in-depth stories from the Shanghai Observer. It has been translated and edited for brevity and clarity, and republished here with permission.
Translator: Eunice Ouyang and Chen Yue; editors: Xue Ni and Hao Qibao.
(Header image: Happyvector071/VectorStock/VCG)