In 2015, Tripwire partnered with FIRST Robotics to bring on summer interns from local high schools. Our goal was to teach the students about various aspects of information security on both the offensive and defensive side. The goals I set out for our interns in 2015 were a bit lofty, to say the least. I had planned on teaching them about the various tools in Kali Linux, how to attack known vulnerable resources on the network, and various other digital forensics use cases we leverage here at Tripwire. While these may be ideal goals for an intern coming from a trained computer science type collegiate program, the stunned look on the intern’s faces told me that this was way over a high schooler’s head. The 2015 program taught the interns about the potential of the information security world and the dangers that are out there, but it was too steep a learning curve in terms of their base skills and the 180 hours available. In 2016, Tripwire renewed its partnership with FIRST Robotics and brought in new interns for the summer. One of the main challenges I faced the previous year was getting these young students engaged in what they were doing. I wanted to not only challenge them but also let them have fun in the process. Then a few days before the interns were supposed to show up, it came to me; the idea seemed so obvious I questioned why I didn’t think of it sooner. They were part of an extracurricular activity to build robots for a specific challenge, so they had at least some interest in that subject. My assumption was that if I could pair their interest in robotics with information security, they would be much more engaged this summer. I found the perfect project for this summer’s internship, a $90 robot controlled by a Raspberry Pi over the network. While we waited for the robot to be delivered, I wanted to get the interns in the state of mind of how to attack the robot after it was built. After analyzing reports, such as the 2016 Verizon Data Breach Report, I had them envision a file that was on their laptop at their desk, then sent them outside. Their task was to start at the sidewalk and look for any and all security controls that could help prevent someone on the street from gaining access to the file on their desktop. The goal of this was to understand not only the reasoning behind individual controls but also the concept of defense in depth.
Finally, once the robot was in-house, they got to work assembling the hardware and installing the software. The great thing about this specific robot is that it is intended to be a learning tool from the beginning. There are command line tools, a web application and an Android app available to control the movement of the robot. I had them spend a couple of days learning how each of these various controls worked by driving the robot around their desks. Now that they understood how the robot worked, I had them go through the same process of analyzing the robot from an attacker’s mindset. I asked them to think about how an attacker would take control of the robot. Very quickly, they took the concepts from earlier in the internship and applied them to taking control of the robot. Things such as lack of encryption and no user authentication stood out immediately. Based off packet captures, I showed them exactly how an attacker could eavesdrop on communications with the robot and take control. We put this theory into practice as one intern drove the robot via the Android app and another took control via command line. Once they saw how vulnerable the robot was, I had them focus on improving its security. Since the robot was controlled via python scripts, I had them rebuild the web app using Flask. While testing their code, they learned important lessons, such as testing the ability to stop before testing the ability to go. Within a couple of days, the web app was complete and they were able to start applying security controls. Over the course of the summer, they added user authentication, migrated the system to SSL, and many more controls. In addition to all these protection measures, they also built their own version of the Android app using MIT’s AppInventor and Unity3D. By the end of the summer, they had learned not only how vulnerable their robot was but also how to actually make changes to secure it against potential attackers. As an employee of a software company that builds security products, I see a lot of potential teaching points using this robot. From the security research side, there are tons of avenues for detecting and exploiting vulnerabilities in the robot. From the development side, there are lots of education opportunities, including how to secure a web server and how to build secure client side applications. For any student wanting to get into any avenue of computer science, this is an excellent program to adapt to their interests. So, was our internship program a success in 2016? You can read all about how our interns would answer that question here.
