CXO Magazine
CXO report Closing the cybersecurity talent gap
Close menu
Amat Cama, the ethical hacker
Part 04

Challenge inspires this ethical hacker

From Senegal, Amat Cama entered college interested in graphic design and left with a passion for cybersecurity.

Amat Cama searches for technology flaws from the comfort of his couch.

Only in his mid-20s, Cama is an accomplished bug bounty hunter, “a top security professional,” according to a professor at his alma mater, Northeastern University. He is among the best of the tens of thousands of white-hat hackers around the world who get paid bounties by businesses and nonprofits to uncover flaws in their digital assets, so they can be fixed—before malicious hackers can exploit them.

Cama grew up in Senegal, attending a school where computer science courses were basically nonexistent. His winding path from there to earning accolades (and a $50,000 bounty) at the world’s leading hacker competition in 2017 shows that cybersecurity talent can come from anywhere. More important, it can be developed and deployed in a variety of ways—although experience always seems to play a big role. Except for his superior skills and native country, Cama’s story is pretty typical within the ethical hacker community.

Q: How did you become interested in hacking?

During my second year at Northeastern, a friend introduced me to internet security concepts. He told me about wargames, which are computer security challenges that teach you different topics in the field. I spent a lot of time playing them and taking computer security courses. Later, one of my professors, Wil Robertson, introduced me to Capture the Flag competitions, which are very similar to wargames except that you compete against other teams. I learned how to pick up new concepts and topics on my own. And it was fun; I discovered that I really loved the intellectual challenge of it.

Q: Did you get right into the hacker world after Northeastern?

I did a one-year internship at the University of California, Santa Barbara, as a research assistant in the cybersecurity lab. I was planning to get a PhD and follow the academic route, but I ended up changing my mind and went into industry.

I joined the product security team at Qualcomm, where I audited some of the code they shipped with their devices in order to catch vulnerabilities and get them fixed.

After about 18 months there, I worked in Beijing at a startup called Chaitin Technology as a senior security researcher. My job was to look for bugs in software and then present my findings at security competitions. But I became homesick and moved back to Senegal.

Now I’m working as an independent security researcher and focusing on international hacking competitions such as Pwn2Own and GeekPwn. Those are my main sources of bug bounties. The competitions are very straightforward. They distribute a list of targets, and your goal is to find vulnerabilities in the months leading up to the event. Then you present what you’ve been able to find during the event. I wouldn’t say I’ve made my entire living that way, but I’ve made a significant amount of money—about $65,000—from just my two biggest bounties.

Q: What is your primary motivation for doing this?

The intellectual satisfaction. It is something that really excites me, and I enjoy learning about new technologies. I guess now, as I am getting a little older, I will have to start making the money aspect more of a focus point. But still I think that the primary motivation will remain my love for problem-solving. Equally as important to me is being able to do this kind of work ethically, not selling my work on the black market or to malicious parties.

Q: What skills are most important for a bug bounty hunter to possess? What is the best way to develop those skills?

The ability to learn new things fast, perseverance, and discipline. I do not believe that a college degree is necessary—first, because security is a field where you must always learn new things, and second, because you can learn almost anything related to security on the internet. Actually, that is another important skill: how to do research on your own.

Amat at his home office

Cama works mostly out of his home office in Dakar.

Q: Tell me about those two big bounties and the vulnerabilities you discovered to earn them.

I collected a bounty of about $50,000 at Mobile Pwn2Own in 2017 by successfully demonstrating an issue in the baseband of the Samsung Galaxy S8 that potentially would have allowed an attack to intercept calls or to initiate calls or text messages. I also earned 20 “Master of Pwn” points, finishing fourth in that ranking.

And I won a bounty of about $15,000 at GeekPwn in 2016, where I demonstrated a remote code execution exploit targeting the Source gaming engine. This issue could have enabled an attacker to take over the computers of victims by connecting to a rogue game server running one of the gaming engine’s popular games, like Team Fortress 2 or Counter-Strike: Global Offensive. 

Q: Do you have a standard way of beginning to look for problems in code?

I usually start by learning about the technology; for instance, in the case of my Galaxy S8 work, I spent time learning about cellular technologies first. For every target, I focus on the high-risk vectors of attack. I identify all the different ways an attacker can communicate with the software and then look at the parts doing the most complex processing of user input.

Q: What particular types of bugs are you most skilled at identifying?

I am probably best at finding memory corruption vulnerabilities. Those bugs make it possible to modify the internal state of a program in unexpected ways. So, take the example of a web browser: A memory corruption vulnerability could allow a website to modify the code executed by the web browser, enabling the operators of that website to execute any code they want to on the victim’s computer. They could steal the information on that computer, like images or files, or they could monitor user activity, including the webcam, for example.

Q: Are bounty programs a valid way for businesses to secure their digital assets?

Yes, if only because they allow for many more sets of eyes to have a look at the products.


Read Part 5