Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
The leak of personal details from the Ashley Madison extramarital dating website is one of the significant breaches of sensitive information in the web’s history.
High-profile data leaks have outed private customer data from internet service providers, online retailers and high-tech toy manufacturers in the last few months alone. As a result, cyberattacks have been elevated from trade-press niche news to stop-the-press nine o’clock news.
Yet the Ashley Madison data-breach is different: it wasn’t just email addresses and credit card details that were liberated this time, it was data of the most personal nature. Changing your passwords after a cyberhack is a hassle; salvaging your family relationships after being publicly outed on an adulterous dating website is something infinitely more profound.
While the story was still developing in August 2015 the team from Mentorn Media got in touch to ask if I could add some context to the story for a quick-turnaround documentary they were making for Discovery Networks. Beyond the hack itself, the show sought to explore the wider impact that internet and connected technology is having on 21st century sex and relationships – it’s not often I get to talk about teledildonics and virtual reality sex on television…
The documentary aired in September 2015 in the UK and in January 2016 in Australia. Here’s a trailer:
In whichever direction your moral compass points, Ashley Madison has for a long time been a hugely popular online destination. The Ashley Madison Agency Limited launched in 2001 and, until the events of July and August 2015, welcomed almost 125 million visitors every month from over 50 countries around the world.
Around this time I’m often asked what I think will be the big technology trends for the coming year. This time I thought it would make sense to get my thoughts together and share them on my YouTube channel.
As it happened the first opportunity I had to do this was while I was in Las Vegas for CES – rather aptly, the world’s largest technology show.
So, in no particular order, my top tech predictions for the year ahead:
- Virtual Reality – 2016 is the year VR takes its biggest steps yet into the mainstream. Off the back of major investments and acquisitions by some of consumer technology’s largest firms, this year sees long-awaited releases from the likes of Sony (PlayStation VR), Facebook (Oculus Rift), HTC (HTC Vive). Virtual reality becomes actual reality this year, and Christmas 2016 will be a key battleground.
- Biometrics – If the high-profile hacks and data breaches of 2015 taught us anything it’s that username and passwords are broken. Biometric authentication – whether fingerprint, retina or even voice – will continue to grow in 2016.
- Mobile Payments – Apple Pay, Android Pay and more please – I for one am hoping it’s all change for loose change this year as these payment systems expand beyond premium devices into the mid-range. And while BitCoin took a bit of a battering in 2015, the underlying block chain technology is what is piquing the interesting of many mainstream players.
- Internet of Things – Embedding everyday objects with computing power and connectivity; connecting people with their possessions and their possessions with one another (I may have unwittingly borrowed, condensed or paraphrased those definitions from others over the years). I really hope we stop talking about IoT in 2016 and start seeing it instead – more everyday stuff getting connected (notwithstanding safety concerns – VTech et al). A little less IoT conversation, a little more IoT action please.
- Drones – in the beginning drones were about fun: the category breakthrough device was the 2010 Parrot AR.Drone, an augmented reality gaming device (hence the AR); however, the French firm soon realised the onboard camera was what got everybody excited and so the drone photography and videography revolution began. However, the next revolution here will be about non-camera payloads – how drones (eg Amazon delivery drones are a, ahem, Prime example) are able to carry small packages further and further.
The YouTube video was picked up by ITN Productions tech show N2K and cut into one of the January episodes – I haven’t seen the show yet but will be sure to share here when I do.
I rather enjoyed compiling my 2016 predictions, so I plan to do a debrief later in the year to see how close to the mark I’ve been, then to try again with my top tech trends for 2017.
Let’s talk about trolling. Last autumn I began working on a documentary for the BBC and, after several months and many late nights, it finally airs this week. In Troll Hunters I join YouTube vlogger Em Ford, a high-profile victim of internet trolls in the past, to investigate the rise of online abuse in Great Britain.
Online trolling has what could be described as a rich history that dates back to the first exchanges on the internet. Some consider trolling an art-form, others a menace. Opponents say it’s the internet equivalent of assault; supporters argue it’s about humour, mischief and freedom of speech. I believe the very term ‘trolling’ has become confused, too often a generalised catch-all used in the media for any harsh words online.
In making Troll Hunters we’ve strived to understand where trolling stops and online hate-crime begins. Throughout I’ve found myself challenging my own understanding of what trolling is and where the line falls between robust-but-defensible discourse and unacceptable online behaviour. I defend free-speech on the internet, I defend our right to express opinions and to question those in authority, and anonymity can play an important role in those. Provocation, mischief-making, mockery is a part of life online (fuelled by the online disinhibition effect, perhaps). As the saying goes, just because I disagree with you it does not make me a troll. But there are lines that should not be crossed.
For me, more often than not it comes down to intent: directing posts with a determination to abuse, menace or threaten somebody because of their gender, race, how they look, who they’re dating, their political beliefs or sexual orientation is not trolling, it’s abuse.
In its most extreme form, trolling is a criminal offence – one increasingly pursued by the police – but online anonymity remains a major barrier to conviction. As we learn in the show, trolling can escalate to levels so severe that victims and their families succumb to anxiety, depression and, tragically, suicide.
We also explore online anonymity and investigate whether it is possible to track down a troll. We attempt to understand the psychology and motivations of a troll, and to shine a light on the real-world impact of online bullying. The film also hopes to encourage cyber-victims to put a stop to the hatred levelled at them and stand up to their trolls.
All of the victims of trolling, online abuse, net-hate – call it what you will – that we spoke to had one thing in common, a question above others that they each needed answering: Why? What motivates their troll, why do they expend so much energy in singling our their victim? Sadly, there is not one common answer.
I find it difficult to believe that a documentary like Troll Hunters will make a substantial difference to life online, but I do hope it empowers victims of online abuse to see beyond their abusers’ masks. I also hope that by seeing the real-world distress caused by their actions some would-be trolls are persuaded to behave more responsibly online.
Troll Hunters airs on BBC Three at 9pm on Wednesday 27th January 2016 as part of the One Click Away season.
*** Update *** Troll Hunters will also run on BBC1 on Tuesday 9th February 2016 at 11.15pm
CES – or the International Consumer Electronics Show to give its full name – is in full swing and I’m here in Las Vegas making some sense of the tech gifts we’ll be unwrapping in Christmas 2016 and beyond.
As expected virtual reality, unmanned aerial vehicles (okay, drones), connected home/internet of things and wearables are all well represented here, as is the motoring industry with major announcements on driverless cars, electric vehicles and more from the likes of Ford, Toyota and newcomer Faraday Future.
Here’s a quick hit of one of my live reports for the Mark Forrest show on BBC radio broadcast midway through press day:
Make no mistake, hoverboards have been the hot technology of 2015.
Fuelled by Back to the Future fever and celebrity spots with Jamie Foxx, Justin Bieber et al, self-balancing scooters (to give them their proper name) have proven so popular with the public that online auction site eBay reported sales of one every twelve seconds earlier in December.
On Thursday I joined the ITV Good Morning Britain team to talk through the hoverboard phenomenon and the growing safety concerns that have led retailers around the world to stop selling and start refunding.
Negotiating an obstacle course on a hoverboard in windy conditions while answering Ben Shephard’s questions live on national television? No sweat!
There are two powerful safety angles to this story:
First up, hoverboards are heavy, powerful vehicles requiring skill, balance and practice to master. Unlike a Segway – considered the hoverboard’s forebear by many – there are no handlebars here, it’s just a motorised sideways skateboard.
Like the Segway, however, it is illegal to ride hoverboards on public streets and pavements in the UK. When the Crown Prosecution Service issued a statement reinforcing this guidance in October some argued the law (derived from the Highway Act of 1835 in England and Wales) was overbearing and heavy-handed. Then, last week, a 15 year-old lost control and was killed, run over by a London bus after losing balance on a hoverboard.
The other safety angle is the construction of the boards themselves. Leaping aboard the lucrative coat-tails of the hoverboard craze far-east manufacturers have mass produced hoverboards to lower price points with inevitable corner-cutting. Sadly, these short-cuts have been potentially lethal, with basic safety standards and common sense all but ignored. The main flashpoint has been the electronics.
One problem is that lithium-ion batteries used are notoriously unstable unless properly shielded. Major airlines are refusing to carry hoverboards in hold or checked luggage for risk of the batteries catching fire mid-flight. The other problem is that to keep costs low manufacturers are choosing to ship hoverboards with inferior quality poorly-shielded batteries, without thermal cutout circuitry or fuses in their plugs. Outcomes have included spontaneous explosions and fires and have been well-documented in various social media and the mainstream press. National Trading Standards claims to have examined thousands of self-balancing scooters at UK borders since October, with 88% (15,000) assessed to be unsafe and detained.
Eager to avoid a PR horror story major retailers have been quick to ground hoverboards, pulling stock from shelves and issuing health and safety advisories faster than you can say Great Scott. Amazon has been issuing automated refunds to customers and advising to dispose of hoverboards in WEEE approved sites.
In the wake of the VTech hack I answer ITV Good Morning Britain viewers’ concerns on the safety of their kids’ personal details.
Another week, another high-profile online hack.
In August 2015 the Ashley Madison scandal climbed the mainstream news agenda based largely on how the outed data transcended the all-too-commonplace bank details and password leaks.
The breach of tech-toy manufacturer VTech’s data last week has achieved a similar degree of infamy: six million sets of children’s personal details – including photos and chat transcripts – were swiped with apparent ease.
It’s of scant consolation that the hacker chose to share the story (and data) with a journalist rather than the denizens of the dark web: the Hong Kong firm hadn’t a clue that its online defences had even been breached until the journalist contacted them, begging the question of whether VTech’s website has been breached before? Nobody, not even VTech, can be sure.
The very nature of the VTech hack is disappointing but, if there is a positive, also a cautionary tale for remainder of the online industry.
‘SQL injection’ attacks are the oldest in the book, literally child’s play to execute, with plug-and-play exploitation toolkits and tutorials freely available online.
Like TalkTalk before it, VTech should have known better. As well as poorly-secured passwords (hashed with fatally insecure MD5 but not salted, therefore crackable with little more than a Google search) were plain-text secret questions and non-existent SSL security, all of which indicates a business quite simply not taking seriously its duty of care with users’ most sensitive data.
That in 2015 high-profile online services are still open to rudimentary exploitation signifies – to me at least – a distinct immaturity of the web as a whole. If any good comes of this attack it will be the wake-up call to other service providers to get real with their online security.
While VTech might make it through the immediate blip in its seasonal sales, time will tell whether it can survive the longer reputational damage. I hope so: as a parent I’ve found VTech’s tech toys to be among the best in class. I just hope it now takes less of a toy-town approach to its online services and its users’ data.
In the same Good Morning Britain episode I also talked viewers through how to enable parental restrictions, controls and security measures for other Christmas gadgets – the full story is available on the ITV website.