Threat Research | October 1, 2024

When hackers get hacked: Sam Curry on his career — and his latest research

In a new ConversingLabs podcast, the independent security researcher talks about his early entry into the field — and his latest connected-car research.

Paul Roberts, Director of Content and Editorial at RL

In the latest edition of the ConversingLabs podcast, ReversingLabs talks with Sam Curry, one of the most prominent independent security researchers today. This talented white-hat hacker has a penchant for finding and exploiting holes in public-facing web applications — especially the growing number of cloud-based apps and other infrastructure backing internet of things (IoT) deployments.

His research frequently makes headlines, and his latest is no exception. Curry joined our podcast to explain how a remotely exploitable flaw in a web server operated by the automaker KIA could be used to track vehicle owners and obtain personal information, including the owner's name, phone number, email address, and home address.

Curry's latest find comes less than two years after an even bigger survey he and other collaborators published, Web Hackers vs. the Auto Industry, which disclosed wide-ranging, exploitable flaws in vehicle telematics systems by 16 car makers.

Read on and check out the latest ConversingLabs podcast for a deep dive into Curry’s life as an independent security researcher — and his latest research.

War Games, anyone?

Curry had an early introduction to cybersecurity, at the age of 11 or 12. “These were like the old video game-hacking days when there were flame wars between forums and stuff. And yeah, ever since then, just like deep-diving web security,” he told me during our ConversingLabs discussion.

That eventually led to a War Games-like scenario at age 15, with Curry hacking into his school's network. He ended up face to face with the district’s IT manager — and they hit it off. “That was like my first conversation with someone who did computer stuff,” Curry said.

The broadband router compromise

One of the highlights of this ConversingLabs episode is the discussion about a blog post Curry published in June, in which he detailed how his discovery of a malicious IP address interacting with his home network kicked off an extensive investigation. The IP address replayed HTTP requests he had sent, suggesting his broadband router had been compromised.

Digging deeper, Curry found that his internet service provider, Cox, had a vulnerable application programming interface (API) capable of remotely managing customer devices. However, the hack occurred before this API was implemented, indicating a different method was used: the exploitation of an embedded software flaw, which pushes the possible date of compromise back by a couple of years.

Curry’s thorough investigation, which included assistance from professionals in the threat intelligence community, revealed that the IP address was linked to various phishing domains targeting a security firm in South America that is a major consumer brand. In the podcast, Curry shared insights on the widespread risks facing IoT devices and embedded software used in homes, businesses, and critical infrastructure. And he offered some guidance about what consumers (and security researchers) can do to monitor that risk.

Investigating airport security

In the months between the router hack and the KIA revelations, Curry was busy on other projects. Among them was delving into airport passenger-screening systems with security researcher Ian Carroll. Curry and Carroll discovered vulnerabilities in a system used to validate pilots’ credentials. By exploiting these weaknesses, they could theoretically add unauthorized individuals as valid pilots. This alarming finding demonstrates the real-world implications of software vulnerabilities in critical infrastructure.

The big picture? Transparency matters

In this latest ConversingLabs podcast, Curry explains the broader implication of his research: that many organizations still rely on outdated security practices. Whether it’s automotive telematics, broadband routers, or airport security systems, the urgent need for robust cybersecurity measures is clear.

Curry's work brings attention to these exposures as he and others push for better practices and greater accountability within the industry, noting that the cybersecurity landscape is ever-evolving — and that it’s imperative to stay ahead of threats.

Get key insights and more in this latest ConversingLabs podcast — and check out Curry's blog for his latest research.
