Sitting in a London coffee shop, within the labyrinthine folds of financial mecca Canary Wharf, ShortList has journeyed deep into the belly of the beast.
We are in the presence of an individual who operates in a notorious, sometimes criminal, and often misunderstood subculture. No, not a City trader (though there are 50 besuited bankers sipping macchiatos around us). Instead, a member of the digital community credited with outing 37 million would-be adulterers registered to Ashley Madison, that remotely killed a Jeep’s engine while it travelled at 70mph on a motorway, and that compromised Iran’s secret nuclear facilities by blasting AC/DC’s Thunderstruck out from speakers.
ShortList has an audience with a hacker as he stages a live attack to prove how easy it is to observe an unsuspecting stranger online, pillage their personal data, empty their bank account and, just for kicks, load up some viruses. Five minutes in, we’re not sure we like it.
“Uh, this is embarrassing, for whoever it is,” says the man we’ll call Mr X, whose employer is a tech company that, among other things, schools corporations in the art of hacking.
“Someone within Wi-Fi range is accessing porn.”
He gestures a few feet to our right. “They’re on RedTube. They’re probably in that bathroom.”
To clumsily paraphrase a famous anti-piracy ad: you wouldn’t leave your front door open. You wouldn’t leave the keys in the ignition of your car. You wouldn’t write your bank details and passwords on a napkin, photocopy it, and hand out copies to passers-by in the street. So why, in 2015, do so many of us play fast and loose with our safety when connected to the internet?
We’ve all been there: step off a plane in a foreign country, perhaps a train or bus in the middle of nowhere, and in the absence of 4G signal scour for a Wi-Fi network not protected with a password. And lo, while you may have scored a quick dopamine rush by catching up on Instagram, you’d better hope double tapping that moodily-shot avocado on sourdough toast was worth it, as the unsecured network you accessed might have been just that – unsecure – leaving you wide open to a catalogue of attacks.
Whether the rogue Wi-Fi network is named something ambiguous or, in the hope it’ll lure you in, after the shop or restaurant where it’s hosted, these so-called ‘Man In The Middle’ attacks pose as a legitimate web service by inserting a hacker between the victim and the server.
This means any data sent over the network can be monitored and, once in possession of such valuable info, a hacker might sell it to advertisers, steal your identity or even threaten to delete your hard drive for a ransom.
“We’ve moved from just using computers to go on the internet, read news stories and play games,” says X, “to a place where we conduct commerce; buying flights, clothes, food. We do our banking online, talk to friends, even arrange extramarital affairs. Data is now much more valuable – we’re talking potentially life-destroying stuff – so the stakes are much higher.”
Yet these hacks aren’t exactly a closely guarded secret of the digital underworld. Europol warned of the dangers free Wi-Fi hotspots pose last year, months after the European parliament itself was targeted in a Man In The Middle attack, whereas in 2013 the NSA is reported to have used an MITM to impersonate tech giant Google and spy on the public. And still, given the opportunity to log on to a potentially toxic network without knowledge of its safety, if it’s free, users seem happy to roll the dice.
Back in our well-known coffee shop (that will remain unnamed for legal reasons), we have pilfered the Wi-Fi network of a nearby clothes store and set up a hotspot called ‘Free Public Wi-Fi’. Anyone connecting will feed straight into the flashing-blue antenna on our table that, surprisingly, no one seems remotely concerned about, their activities displayed on our laptop. Little do these coffee drinkers know, but not one of them is safe. Not even the individual watching porn in the toilet cubicle nearby. What’s more, all this is – at this stage, at least – entirely legal.
Within minutes, six people log on. One is using an Android phone, browsing their emails. Another is reading the FT. Then, oh look, some poor sod’s just accessed their bank. And, as this bank has an unencrypted homepage, we can inject a ‘key-logger’ – a tool that records every keystroke – to strip out all security before they access the more securely protected login page, or redirect to a new page entirely. In short, this oblivious person is in serious trouble.
“From here we can see what is being sent – passwords, usernames, customer numbers,” says X. “We can then change their request. Maybe they are transferring money to their mum – we can change the account number the money goes to.”
Fortunately for those in range, Mr X doesn’t break the law. Even when meeting ShortList under the blanket of anonymity, he’s not so foolish as to commit a crime in a national magazine. But while mass security breaches often portray the hacking community as a gang of crooks, X believes the majority of hackers are a force for good.
He claims such people (known as ‘White Hat’ hackers) want to preserve safety, not compromise it.
Granted, two US hackers commandeering a Jeep Cherokee on a highway in July – for a Wired article – might’ve appeared malicious, but the truth behind the hack was far more noble.
“They reported this security vulnerability a year ago, and Jeep didn’t say much. They kept announcing it to Jeep, who responded slowly and ineffectively. Then the Wired article came out and suddenly Jeep recalls millions of cars. It took a sensational video before the company would take it seriously.”
There’s even a hacking conference, Def Con, held annually in a Las Vegas casino. Host to in-depth lectures and a variety of contests (from lock-picking to capture-the-flag hacks), it figures that you’re advised against using the public Wi-Fi.
“You get some serious people there,” claims X. “They’ll barely sleep – by the last day there are people asleep on their laptops.” X should know: this year he was a guest speaker at the four-day summit.
Just in case you weren’t already tempted to fling your MacBook off a bridge and embrace a new tech-free Amish lifestyle, the threat of hacking doesn’t cease when you switch off. As our modern world becomes more digitised, where everyday objects such as fridges and light bulbs are synced to cyberspace, hackers are increasingly becoming a threat to your physical safety, too.
“What we’re about to find, with the Internet Of Things,” says Mr X, “is that everything is connected to the internet. Your car, TV, kettle, toaster, doors – that’s potentially scary. [Hacking] a kettle sounds trivial, but if someone can get into your kettle and turn it on when there’s no water in it, they can start an electrical fire in your house.
“There was also a cheesy script in Homeland where a pacemaker gets hacked, remotely killing the vice president. People said it was unrealistic, but someone worked out you could actually do it, from 50m away. So you can kill people.”
While malevolent ‘Black Hat’ hackers do irrefutably exist, in a strange twist of irony, it might be the hackers themselves that represent our best shot at survival.
“One aspect is embracing the hacker community,” says X. “These are the people you want on your side – those who live and breathe this stuff, and want to take systems to their extreme.”
As a fresh Wi-Fi user pops up (checking Twitter), then another (their bank), Mr X smiles.