He was once the world's most-famous hacker. Eventually, he went to prison. But in a recent interview, Kevin Mitnick says his "favorite hack" was the time he took over the drive-thru at a local McDonald's.
Mitnick was 16 at the time. He was born in August 1963, so that puts this hack back sometime in 1979 or 1980--probably before your typical McDonald's customer or worker even imagined it was possible to hack into a drive-thru's system, and before the term "hacker" was even really used.
Here's how he did it--and why it's an instructive story even now, 40 years later, if you want to stay protected.
"Hide the cocaine!"
In a video interview with Vice, Mitnick describes the whole episode as having been very simple. He was "interested in magic and amateur radio" at the time, he says, and he figured out how to "overpower those very low power headsets they gave employees at ... McDonald's," by broadcasting from his car on the same frequency with a 5-watt transmitter.
Parked across the street, it was easy to impersonate a McDonald's employee on the speaker when people came up to order.
His execution was prankish. He told some customers they had placed the 100th order of the day and should drive up to get their meal for free as a thank you. When police officers stopped to order food, he feigned panic, yelling so they could hear it, "Hide the cocaine!"
Later, a McDonald's manager came outside to search the parking lot. When he examined the speaker closely, Mitnick says, "I couldn't. I got on my microphone: 'What the hell are you looking at?!'"
It's amazing what you can get if you ask.
Mitnick is the only source for his McDonald's story, so who knows how accurate his memory is. However, the whole thing sounds kind of amateurish, and way more mischievous than criminal.
That's also how Mitnick likes to describe most of the things he did as a hacker--even the criminal things he later went to prison for. His convictions and imprisonment are controversial, however. Mainly it's about whether he was really a big enough deal for the FBI to devote resources to tracking him down. Part of that is about whether he was only using social engineering--not software manipulation or other hacking tools--to break into corporate networks.
He says it was mostly social; maybe even exclusively so. For example, as part of the hack that led to him going to prison for the first time, in 1988, here's how he says he gained access to "The Ark," which was the computer system at Digital Equipment Corporation. It sounds like it wasn't long after the McDonald's drive-thru prank:
Claiming to be Anton Chernoff, one of the project's lead developers, I placed a simple phone call to the system manager. I claimed I couldn't log into one of "my" accounts, and was convincing enough to talk the guy into giving me access and allowing me to select a password of my choice.
As an extra level of protection, whenever anyone dialed into the development system, the user also had to provide a dial-up password. The system administrator told me the password.
It was "buffoon," which I guess described what he must have felt like later on, when he found out what had happened.
In other words, he says all he really had to do was act confident, and ask for what he wanted.
The simplest explanation, and the easiest defense.
I'm not going to rehash Mitnick's entire history here. He went to prison for 12 months for computer crimes, then was caught hacking into Pacific Bell's voicemail computers (not smart), and became a fugitive for more than two years.
He eventually was caught and served another five years in prison (including eight months in solitary confinement). If you want to read his side of the story, part of it was excerpted in a British newspaper a few years ago.
The lesson for us today, however, is in just how simple most of these "hacks" were. For example, when I first saw the headline, "When 'The World's Most Famous Hacker' Hacked a McDonald's Restaurant Drive-In" on Vice, I assumed this meant some kind of sophisticated password-guessing program.
Nope. Way more simple. And that's how most people wind up getting trapped, scammed, and hacked--even today.
Mitnick should know. He now makes a nice living working as a public speaker and a consultant for companies that want to defend against hackers. No word on whether he eats at McDonald's.