So here we sit at home, hopefully enjoying a long spell of enforced togetherness with our loved ones. If those loved ones include children, then our houses have also become classrooms. That means pulling lessons together — and what better lesson to teach than cybersecurity?
Here at Dark Reading we aim to provide useful information for our readers, no matter where they're spending their working hours. With that in mind, we put the word out that we were looking for projects that could teach useful cybersecurity lessons with a bit of fun mixed in, and people have begun to respond. Today's project features cybersecurity and robots, and it can teach a wide variety of lessons about each.
Before we get to the project, a request for the reader: If you have created a project to teach cybersecurity lessons to young people, we'd love to hear from you. If it's inexpensive, allthe better, but nothing is out of bounds as long as it teaches something useful and is enough fun to keep kids interested.
An Insecure Robot
Travis Smith is principal security researcher at Tripwire. One part of his job involves working with interns brought into the company each year. These interns, most of whom are high school students, come to the company to learn, but Smith says that many also bring important knowledge with them.
"Every year we have interns we hire for the summer, typically out of high school, often members of the First Robotic club. They tend to be familiar with the hardware side and less with the software," he says.
To help kick-start the interns' software skills and build on their robotics knowledge, Smith purchased a smart video car kit from Amazon, along with a Raspberry Pi that serves as the car's intelligence. The total investment at this point was a bit less than $150.
Smith says that the interns built the car, loaded the necessary software for its control, and began driving it around the office. After they had some fun (including crashing the car into the CEO's feet), Smith began the next step of the project.
"We taught them how to break into it and control it — it had no encryption or authentication," Smith says. The basic tool used to understand the network traffic is WireShark, one of the foundational tools in most researchers' toolkits. Since the car is controlled via Wi-Fi, Smith says that the interns were able to watch the traffic flowing between the controller and car.
Once they saw that, they were able to start breaking into the control conversation, spoofing the controller's ID, and taking over control of the car. And when they were able to do that, Smith moved them into the third portion of the project — defending the car against attack.
"We taught them to break into it as it was, and then they switched to defending it, adding strong passwords, encryption, and similar features," Smith says.
Then came the final piece of the project. "On the last day of the internship, we brought our researchers and engineers into a conference room and spent three hours trying to break into the robot. The first year we failed," he says, leading to great celebration on the interns' part.
The next time, though, came a "teachable moment." "The second year we were 2:55 into it, we had an intern who had beat us, and he left the room to call his mom to share his victory," Smith explains.
Unfortunately, when the intern left the room he left his notebook open on the table — and all of his passwords were written on the pages of the notebook. The researchers weren't above some physical-layer snooping, so they took his passwords, broke into the robot, and won the day.
The intern was crushed when he returned, but "I'll bet he never writes his passwords down again," Smith says.
This is the sort of project that can easily become a repeatable capture-the-flag sort of game between players or groups, and it can take young people as deeply into device security as they want to go. It's a security project that keep on giving for a long time to come.
- The Wild, Wild West(world) of Cybersecurity
- Schneier on Hacking Society
- Cyber Fitness Takes More Than a Gym Membership & a Crash Diet
- 5 Resume Basics for a Budding Cybersecurity Career
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.