The FTC wants hackers to build "honeypots" to defeat a robocaller named Rachel
The Federal Trade Commission is at one of the world’s biggest hacker conferences this weekend, where hackers are competing to help save us all from robocalls.
No one has ever seen her, but she may have the most infamous voice in America. “Rachel” is the most prolific robocall bot in the United States, and the FTC has turned to some of the best hackers in the world to try to stop her. At Defcon—one of (if not the) biggest hacker conferences on earth—the agency is hosting a three-phase competition to build a “honeypot” to lure and catch robocallers in the act. The “Zapping Rachel” competition is handing out $17,000 in cash prizes to winners of three competitions: one to build a honeypot, one to attack a honeypot to find its vulnerabilities, and one to analyze data a honeypot collects on robocalls.
“A honeypot is essentially an information system that can collect information about robocalls,” said Patti Hsue, a staff attorney representing the FTC at Defcon. “How it’s designed, how it operates is completely up to the designer.”
As with many happenings at a conference of hackers, the technical details can get complex fast. But the basic idea is familiar to any fan of spy fiction—in espionage a honeypot is a trap in which a mark, like a secret agent, is lured into a trap by sexual seduction (think of about half the vixens who show up in James Bond flicks). In this case, hackers are building and testing the honeypot. Rachel and her ilk are the mark.
“It’s ‘Rachel from Cardholder Services.’” Hsue said. “She is one of the most, I think, hated voices in the U.S. We get so many complaints against Rachel and her clones or her minions or whatever you want to call them. There are a lot of companies that try to perpetrate the same scam using the same, you know, pickup line.”
The Robocall problem has become markedly worse in the last decade, as the Internet has matured and become increasingly intertwined with a digitized phone system. Under FTC regulations, all robocalls to cell phones are illegal, as are unsolicited robocalls to any phone number on the federal Do Not Call registry. The FTC does have its own honeypot already, but the agency won’t comment on it beyond the fact of its existence.
Just how many illegal robocalls are made in the U.S. is difficult to pin down. The best data the FTC has on robocalls comes from complaints the agency receives regarding violations of the Do Not Call registry. In 2009, the FTC received 1.8 million complaints for violations of the registry; in 2011, 2.3 million complaints. In 2013, with about 223.4 million phone numbers on the registry, the FTC received 3.75 million complaints. And that only represents people who take the time to file a formal complaint. Many others surely just let out a disgusted huff and hang up the phone.
From among all those millions of illegal robocalls made to Americans, the FTC has brought a little over 100 enforcement actions against violators. It’s not that regulators aren’t trying, but making a robocall these days is extremely easy from a technical perspective, while busting a robocaller—not to mention bringing legal action against one—is quite difficult.
Which is why the FTC has turned to a community of hackers at a conference notorious—somewhat unfairly—for activity that stretches the bounds of legality. The top competitors will be announced Sunday, though final winners won’t be announced until a later date.
E1nstein—a.k.a. Hugo Dominguez, Jr. to people outside of the hacker scene, a naval reservist who works in IT—is competing in phase 2 of the competition, testing a honeypot for flaws by trying to circumvent the technology, place an undetected call to a honeypot, or provide false information about the origin of the call.
“That’s something I’m good at,” he said. “I’m able to find flaws in things whether it’s physical security or technology. Anything.”