DefCon Hacker Details How to Forge Death, Birth Records Online

NEWS ANALYSIS: Without proper validation, the Internet can be used to legally declare you dead, demonstrates a security researcher at DefCon.


While hacking activities are often a nuisance and can sometimes result in financial loss, a new weakness demonstrated at the DefCon security conference in Las Vegas this past week also shows how hacking can even declare you legally dead.

Among the seven most highly anticipated talks (as ranked by eWEEK) at this year's Black Hat and DefCon security conferences, the session titled "I Will Kill You" from Australian security researcher Chris Rock, CEO of Kustodian, did not disappoint. DefCon attendees braved long lines to get into the packed session in which many attendees sat on the floor in between aisles and at the front of the room, all trying to see and hear the highly anticipated talk.

During his presentation, Rock outlined the process by which an individual could legally be declared dead, with an accompanying death certificate. It's a process that involves multiple steps that can be taken online thanks to the lack of proper forms of validation checking to ensure information authenticity.

Many states in the United States have an Electronic Death Record System (EDRS) that medical practitioners use to log patient deaths, according to Rock. To get access to many of those EDRS platforms, doctors use a self-service mechanism to register on their own, he said. Since registration in the EDRS largely requires just publicly available information about medical practitioners, it is relatively easy for an attacker to gain access to the system, he added.

In cases where cause of death is questionable or due to some form violence, that death is referred to a coroner or medical examiner for supplementary analysis. However, when a death is reported to be from natural causes, there typically is not a secondary examination. In those cases, Rock said, once the death is registered via an EDRS, there typically isn't even a phone call made to the doctor to verify the information.

After the doctor has filled out the required information in the EDRS, the next step of the process involves the funeral director. Rock noted that the process for online registration as a funeral director is much the same as it is for EDRS, where all the information is publicly available online.

During his DefCon presentation, Rock demonstrated how he applied to be a funeral director through an online registration process. In fact, he showed the email he got three days after applying that showed that he had successfully become a funeral director in Australia. In the United States, requirements for becoming a funeral directory vary across the country. For example, in California all you need is an Arts degree while in Colorado, there are no prerequisites.

The charismatic Rock also showed how the EDRS platform has a bulk upload system.

"The bulk upload comes in handy when you want to kill off a lot of people really quickly," Rock quipped.

Going a step further, Rock took direct aim at DefCon founder Jeff Moss.

"I know it's not good form to kill your host, but this a death certificate for Jeff Moss," Rock said as he showed a screenshot of an EDRS form with Moss' name on it as the audience erupted into laughter. "He doesn't know he's dead, he's still walking around, but on paper he's dead and that might be a problem for him when he travels."

As to why a hacker might want to manipulate the death certificate system, Rock offered such reasons as life insurance fraud or just to make life difficult for someone by getting them declared dead legally. Rock added that he knows that Moss has a lot of money and since he wants some of it, he went through the process of making sure there is a will that directs the money to where Rock wants it.

While the topic of Rock's session was largely about death, the same types of registration weaknesses also apply to the online birth registration system. As such, a hacker can virtually birth a person just as easily as he or she could declare a person dead through an online registration system.

Rock has written a book, titled The Baby Harvest: How Virtual Babies Became the Future of Terrorist Financing and Money Laundering, that details the whole process.

While much of Rock's DefCon presentation was delivered as a tongue-in-cheek overview of how to kill or birth someone, there is a very serious lesson about security in general that sits at the core.

Fundamentally, the reason why a hacker could potentially falsely register a death or a birth is due to the use of do-it-yourself (DIY) portals that lack robust authentication and identity verification mechanisms. Security—whether it's for banking information, email or a death registration—should always involve multiple layers of authentication and verification. As Rock's presentation correctly points out, not having proper verification could (legally) kill you.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.