This is all IMO and in an effort to rein in this DoorDash and 'Cloud Forensics' degree thing...I figure I'd help empower people to talk about it in a knowledgeable way....
There are 5 ways to break into the infrastructure of applications these days.
1. social engineering - where you use your communications skills (voice, text, email, phishing) to trick someone into giving you their password.
2. phishing/spear phishing - this might be used in combination with #1, but this is that email you get asking you to log in to check on something important, and the page is capturing your username and password.
3. trojan horse - this is where your unsuspecting target installs something on their machine, or is tricked into installing something on their machine, or is targeted by an exploit (PDF, music stream) that installs something unknowingly on their machine, giving the hacker access to everything they type into their keyboard, including usernames and passwords.
4. employees' old machines - every once in a while an employee does not return a laptop, and it ends up in a thrift shop somewhere and someone nefarious buys it. Or maybe they give it to a cousin and the cousin is dumb enough to fall for #3, as these machines are usually not kept up to date security-wise.
5. 0day exploits - these are literally exploits in a company's systems that are so hot off the presses that they are worth millions of dollars on the black market. Apple, Google, Salesforce and a bunch of other companies have 'Bounty' programs where they will pay 'White Hat Hackers' bounties to find these 0day exploits before the bad guys do.
Once you do any of these things and you're in the system, you still need to have an idea of what you're doing, as there are multiple security checks, gates, and encrypted systems that you need to traverse. And without an encryption key you're likely not going to make it very far, which is why methods 1-4 are the prevailing methods in today's hacks. Once you have a key you need to have a deep understanding of the infrastructure and tech stacks of your target company. Most hackers will get caught as soon as they are in there. Others will sit in the system for a few days lightly pecking and poking so as not to be detected before they strike (usually stealing customer information or locking hard drives for ransomware purposes).
I can't speak to Bryan's capabilities of 1, 2, 3 and 4. But I will say with a 100000000% certainty that he was not capable of #5. The world's greatest hackers work in the #5 area. Almost all of these groups are Russians. North Korea has just started a program of state-sponsored hackers that have been training since they were adolescents. The CIA/NSA/FBI and every other alphabet agency is watching these groups like a hawk.
No Cloud Forensics degree in the world is going to put Bryan in the same category as those above. Trust me on this one. If he was prolific with computers (read: gifted) then we would have likely heard about it by now, as these top 0.5% are heavily recruited by the world's top companies or they go to the dark side.
And even those hacking groups couldn't get into DoorDash's systems at a level where they'd be able to allocate orders coming in. I don't see how a breach like that could even happen without them fully understanding the codebase and rewriting code. And now we're talking a national incident. So this is the most preposterous idea IMO.
DoorDash is a publicly traded company. Any hack or compromising of their systems, no matter how small, would need to be reported to shareholders (the public). They wouldn't need to get into details. Just a general "unauthorized access, we are assessing what systems were compromised".
Now what you might be waiting for...
Before I write this let me preface by saying that not even 0.000000001% of me believes DoorDash plays any part in this crime other than to establish a timeline and MAYBE the driver having seen something (the defense will likely press this poor guy/girl and make them look guilty).
The core of Android OS is open source. Which makes it extremely easy to emulate from your computer. This is 100% legal and has been challenged and upheld by the Supreme Court.
So you could theoretically emulate 1 or 50 Android devices on one computer. Connect to Wi-Fi or a hotspot. Download DoorDash across all 50. Log in to an individual DD account on each of the 50 emulated devices. And DoorDash would see 50 different phones. There's another aspect to this that I'm going to leave out (IP related). But what we've talked about so far, while 100% legal, violates DD TOS.
Just to give you an idea of how hard this is to detect: millions of emulators are used by resellers every Saturday that Nike has a big sneaker release, in order to buy tens of thousands of shoes. Nike is investing tens of millions of dollars in technology to stop this sort of thing....and they can't.
So why would DoorDash users want to do this sort of thing? Simple. This is the only method of GPS location spoofing that goes undetected by any and all apps (reiterating that this is completely legal). So as a DoorDash driver I can place 1 account in the busiest part of town, and another account in the wealthiest where they tip the most. And I can pick and choose the deliveries I want to accept as they are offered to me...as if I was parked in those places.
Now of course DoorDash does have methods to detect cross-account activity like this. And they don't reveal those for obvious reasons. So the multiple accounts thing is far-fetched. But a single user, with a single emulated Android device, could set their location to be anywhere they want it to be in the DoorDash app and receive orders adjacent to it from the comfort of their home if they wanted.
Did Bryan do this? NO.
But at least now when you talk about it you don't have to be vague and attribute him having some sort of magical ninja hacking skills because he took a course taught by a professor that is likely completely out of their depth because they aren't in the field. A computer science program at Stanford teaching this sort of thing? OK...you're closer....but still not in the ballpark of being taught usable methods to get into Fortune 500 companies who are employing 100s of engineers, state of the art encryption and detection methods, contractors, consultants, 3rd party services, auditors and working with the FBI (yes, proactively) to keep intruders out of their systems.
MOO.
Again, everything I described above is legal but likely against DoorDash's terms of service. All TOS violations that have been openly discussed here before (multiple accounts for one user, multiple identities for one user, spoofed GPS). MODS, if needed I'll happily edit and repost.