The story appears on Page B2, November 10, 2014


The ‘good guys’ are trying to beat the baddies to the punch in hacking

MENTION the word “hackers” and most people think of the villains of the digital age.

But that isn’t the whole story. In China, so-called White Hat hackers are helping technology companies test the security of their systems. These “ethical hackers” are the antithesis of the cyber bad guys, known in China as “Black Hackers,” who break into computer systems illegally for money, retribution or some form of self-expression.

“China hasn’t yet got a mature White Hat group or organization, but it’s on the way now,” said Jin Yier, an assistant professor from the University of Central Florida who returned to China last month to attend GeekPwn, a security geek contest held in Beijing.

At the competition, White Hats showed their skills by taking pictures and recording audio on phones that had been switched off, remotely installing applications the owners had not asked for, and controlling Tesla cars from handsets.

White Hats at the contest succeeded in finding security vulnerabilities in 14 smart devices, including iPhones, the Google Nest thermostat, Xiaomi Internet routers, and Jawbone and Qihoo 360 wristbands.

The White Hats, mostly computer security experts, specialize in penetration testing to find security weaknesses in smart devices or websites. They report their findings to the affected companies or to third-party organizations. Generally speaking, they get paid for “good hacking behavior.”

China urgently needs this sort of expertise, said Yu Yang, head of Tencent’s security team.

White Hats who target system-level or chip-level vulnerabilities need both technical skill and creative thinking, unlike traditional hackers, who mainly target ordinary personal users.

During the two-day contest, the first of its kind on the Chinese mainland, talented security experts broke through the security constraints of a variety of devices. These digital daredevils generally prefer to work out of the limelight, and they often use nicknames to disguise their identities.

Jin’s team replaced the default start-up animation on Google’s Nest thermostat with China-themed pictures, demonstrating that it had gained complete control of the device. With a team that included some of his students, Jin took just one month to hack the Nest. He then sent a vulnerability report to Google, along with the advice that users be offered expanded setting options.

“They not only help us fix bugs, but they also share their knowledge and ideas, leading us to improve the protection mechanism of products,” said Chris Evans, head of Google Chrome’s security research team, who participated as a judge at the contest.

Google often offers money awards at such hacking competitions and actively recruits White Hats to help develop safer systems, Evans told Shanghai Daily.

Riusksk, the nickname of a man on one of the competition teams, said it took three months to break into the smart routers. He sent the maker a report on the risk that user information could be leaked.

Female White Hat

Li Mengmeng is a female White Hat, a bit of a rarity in security circles. She said she switched to information security from medical studies at university. During GeekPwn, she succeeded in hacking an Android-based smart TV set-top box and installing unwanted applications on it. In the marketplace, such applications often carry advertising pop-ups or use back doors to record user habits and behavior, clogging the whole system and invading user privacy.

“Internet TV has a huge potential in China,” said Li, who won prize money after reporting the breach to the box maker. “Everyone should pay more attention to security.”

GeekPwn was co-organized by Shanghai-based Keen, the security research team of Keen Cloud Tech. The group focuses on helping leading software manufacturers worldwide discover and fix security vulnerabilities.

GeekPwn focuses on five categories of smart device: smart vehicles, smart homes, smart wearables, smart entertainment, and smartphones and tablets. These are big money spinners.

In 2014, global mobile phone sales are expected to hit 1.2 billion units, a 23 percent increase from last year. The figure is forecast to rise to 1.8 billion in 2018, when sales in China will account for one-third of the world’s mobiles, according to research firm International Data Corp.

At the same time, demand for wearable computing devices is expected to increase substantially. Revenue from wearables, including smart wristbands, watches and cameras, is expected to hit US$50 billion in the next five years, according to research firm On World.

The smartwatch market, fueled by new giants like Apple and Samsung, is expected to generate US$10 billion in sales by 2018, a sixfold jump from estimated earnings this year, according to Citigroup.

Research firm Gartner said it expects every family to own 500 or more smart devices by 2022, which makes security a critical issue.

That’s possibly why a security contest like GeekPwn attracted some of the giants of the business, like Google, Tencent, Huawei and Lenovo. The companies offered products or cash awards totaling 3 million yuan (US$491,800).

Google is the world’s biggest online search engine provider and the developer of Android, the most popular mobile system globally. Lenovo is the world’s largest personal computer maker and is now expanding into mobile Internet and home entertainment sectors.

“The contest stimulates geeks to come up with new ideas and improve security levels in websites and devices,” said Tencent Vice President Ding Ke. “That means improved security levels and heightened awareness across the whole of society.”

Internet-based crime is estimated to cost the global economy US$445 billion a year, double the cost of natural disasters, according to media reports citing figures from the Center for Strategic and International Studies.

In China, publicized security breaches, such as Ctrip’s leak of user credit card information, have ratcheted up public concern.

Ctrip, China’s biggest online tourism site, with over 140 million users, was reported last March to have a vulnerability in the part of its website where user payment information was stored. As a result, personal data were leaked.

One White Hat said he had managed to download the credit card payment information, such as identity card numbers and bankcard data, of 93 Ctrip users.

Though the vulnerability was quickly fixed by Ctrip, it triggered a wave of concern about the security of credit card information bundled with online accounts and personal data in China’s online tourism and e-commerce industries.

The Ctrip vulnerability was initially reported on Wooyun.org, a third-party platform connecting White Hats with the companies or websites concerned. On Wooyun, hackers can report and post security weaknesses, bringing them to the attention of the security experts at big companies and websites.

Third-party platforms including Wooyun and Freebuf.com allow White Hats to keep their identities secret and receive rewards from companies. For example, Ctrip created a special fund of 5 million yuan to reward White Hats for online security enhancements after the March breach.

Crowd-sourcing

Start-up Freebuf offers a so-called “crowd-sourcing model” that allows big companies like Tencent and Xiaomi to put their products and technical standards online and invite White Hats to scour them for vulnerabilities. If a vulnerability is confirmed by the platform, the hacker receives a reward from the company. More than 3,000 vulnerabilities have been found via the website, earning hackers combined rewards of 300,000 yuan.

Rewards vary according to how hard a vulnerability is to find and the potential risk and damage it poses. Some major problems, such as those uncovered by the Keen team, are valued at up to several million dollars each, a Wooyun staff member who declined to be identified told Shanghai Daily.

“Wooyun and Freebuf are two of the ‘whitest’ platforms for White Hats,” said Lu Chenhui, a security consultant at a China Telecom security subsidiary.

He said there are also “gray” hackers who refuse to reveal what they have found if companies don’t meet their demands for high remuneration. But because these hackers don’t exploit the vulnerabilities illegally, they are considered “gray,” he told Shanghai Daily.

The Keen team has successfully hacked Tesla electric cars, allowing any phone to remotely reverse the vehicle and open its doors without Tesla’s official phone application or keys. Keen’s other “achievements” include taking pictures or making voice recordings on personal phones even after their owners have switched them off, and “jailbreaking” iOS 8, Apple’s latest system.

There is no need to panic. Most of the security vulnerabilities found by White Hats are reported to the companies concerned solely so that the bugs can be fixed. Keen’s whole aim is to find problems, report them and collect rewards, according to Wang Qi, a former Microsoft security expert and chief executive of Keen.

Since the modern digital age is all about connecting everything, including cars, washing machines and even toilets, there are wide opportunities for White Hat skills, Wang added.

In the latest post by Luren Jia, a moniker that means Stranger on the Road, the White Hat claimed to be able to log into any Sina Weibo account through a vulnerability in the system of China’s version of Twitter. The company subsequently confirmed the vulnerability and said it had been fixed.

White Hats used to operate in a gray zone in China, but that shadowy status is beginning to clear. The Chinese government is making increased efforts to treat Internet security as the fifth pillar of national defense, after land, sea, air and space.

“Our country really needs Internet security talent in every aspect,” said Du Yuejin, a senior official of the soon-to-be-established China Internet Security Alliance, a quasi-government organization.

Speaking off the record, Du acknowledged that China has increased its focus on Internet security in the wake of the Edward Snowden case. Snowden, a former National Security Agency contractor, made public details of US intelligence programs built on technologies developed for cyber espionage.

Copyright © 1999- Shanghai Daily. All rights reserved.