LAS VEGAS -- A young hacker here at Defcon 20 has pulled back the dense curtain of text and ambiguity surrounding warranties to show consumers how they can hack the warranty system -- and to tell companies how to improve their warranty management.
"Darkred," as he prefers to be called, explained to a standing-room-only session that it's the way manufacturers manage serial numbers and warranties that allows the system to be hacked.
"The serial number makes you the owner of a product," said the 17-year-old, a high school senior from Texas. Darkred declined to provide additional identifying information.
Once you have a serial number for a product, he explained, the manufacturer presumes possession. It's a bit like presuming I'm you, simply because I have your Social Security number. And having a serial number isn't just an exercise in pattern prediction: Darkred says it can lead to tangible benefits. For example, he said that registering a serial number with Amazon will get you one month free of Amazon Prime.
A lifelong interest in math and algorithms led him to explore those lengthy strings of numbers on the back of nearly every product out there. "I started comparing serial numbers on the same items to see if there was a pattern," he said.
One example he explained was how Apple generates its serial numbers. "The first four digits are the manufacturing facility, the second four are unique identifiers, and the last four describe the model and color." Many other companies follow similar practices for generating serial numbers.
Manufacturers could be better at protecting against serial number fraud, he said. Some serial numbers are easy to guess because they are generated sequentially, while some companies give you an unlimited number of attempts to register a particular number. "Nobody is going to misread their serial number 200 times," he noted.
Manufacturers could also be more careful to remove serial numbers from demonstration or floor models, since those numbers help people figure out how to create a serial number. Other techniques warranty hackers could use involve e-mailing people on Craigslist or eBay to check a real number against the online product database, or looking through image search results, he said.
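
The attempt limit implied by the "200 times" remark, as an added Python example that is not from Darkred's talk or any manufacturer's system. The threshold, time window, client identifier and serial values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold: a real typo takes a few tries, not 200
WINDOW_SECONDS = 3600  # assumed sliding window for counting failures


class RegistrationGuard:
    """Limits failed serial registrations per client (account or IP, assumed)."""

    def __init__(self, valid_serials, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.valid = set(valid_serials)
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # client -> timestamps of failed tries
        self.registered = {}                # serial -> client that claimed it

    def _recent_failures(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def register(self, client, serial, now):
        if self._recent_failures(client, now) >= self.max_failures:
            return "locked"  # refused before lookup, so even a correct guess fails
        owner = self.registered.get(serial)
        if owner == client:
            return "ok"      # idempotent re-registration by the same client
        if owner is not None or serial not in self.valid:
            # Same answer for "unknown" and "already claimed": no validity oracle.
            self.failures[client].append(now)
            return "rejected"
        self.registered[serial] = client
        return "ok"


def demo():
    guard = RegistrationGuard(valid_serials={"SN001150", "SN204417"})  # constructed
    # Constructed traffic: client-A walks a sequential range, client-B mistypes twice.
    guesses = [guard.register("client-A", f"SN{n:06d}", now=n) for n in range(1000, 1200)]
    owner = [guard.register("client-B", s, now=10)
             for s in ("SN204471", "SN204411", "SN204417")]
    return guesses, owner


if __name__ == "__main__":
    guesses, owner = demo()
    print(guesses.count("rejected"), guesses.count("locked"), owner)
```

In the constructed run, the sequential walk is cut off after five failures and never reaches the valid serial inside its range, while the owner who mistypes twice still registers.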