James Lyne, Sophos
Our lives are moving increasingly online. Tax, pensions and benefit claims are handled over the Internet. We pay bills, buy things, do banking, and Royal Mail is rapidly being replaced by e-mail. These communications often contain sensitive personal data. But how safe is it?
James Lyne is the Global Head of Security Research at Sophos and he set up a project called the World of Warbiking to show just how vulnerable we are...
James - The World of Warbiking was a bit of a mad science project that we came up with to go and measure just how well we, in society in general, are doing at securing things like our wireless networks that we’re all increasingly depending on for business and of course, most of the time at home. So, we took a bike, fitted it with some special wireless scanning equipment, some minicomputers and some batteries and solar panels – very Heath Robinson – and cycled around 5 major cities around the world, building a map of the wireless networks that we all use. Really, to cut to the spoilers, I can tell you that across each of those cities, between 4% and 9.5% of the population of those cities were using wireless security standards that have been known to be violated and broken in less than 60 seconds by the hackers since 2004. Shocking!
Chris - So, you're basically riding around on a bike and the bike is rigged up with a system that will probe without hacking into them, just probe and ask the simple question, what wireless networks are here and what security protocols are they running, and you're therefore assuming because we know how vulnerable various networks are, that those people have got no other security.
James - Precisely and with a small number of willing victims that signed off, we actually did demonstrate the ability to break those networks in less than 60 seconds and show them their own passwords. And what was very amusing was of course, most people didn’t know their own password and had to go and look at the sticker they put on the fridge which is an entirely different security issue.
Chris - Which cities did you look at?
James - So, we did London, San Francisco, Sydney in Australia, Hanoi – cycling in Hanoi was very interesting. And wrapped it all up with Las Vegas which was a particularly interesting area I must admit. We had a little extra dimension to this experiment. As we were cycling around, we had our very own wireless network which we offered to members of the public. If you connected to our network which was named either Free Public Wi-Fi, Free Internet or Do Not Connect (that was my personal favourite), you would be offered internet access, you'd be given a warning and then we logged what people got up to and how secure they were. I can't even go into the details of what some people were browsing in Vegas, but suffice to say that overall, across the different cities, less than 1.2% of all the people that connected to our wireless network, thousands and thousands of people, were appropriately securing themselves to protect themselves against us deploying malicious code, intercepting their emails, instant message chats, or the like…
Chris - So, you’ve got people connecting to a network called Do Not Connect and what are they doing? They're online banking or something?
James - Actually, yeah. The number one activity was online banking. I mean, what could possibly go wrong by connecting to one of these networks? I'm sure that’s fine.
Chris - And 99% of them are vulnerable. The people who do that are not using any kind of security measure. That means that were you interrupting those transmissions and siphoning off the data on the way to the bank and they wouldn’t know about it, they wouldn’t be able to stop you.
James - Yes, that’s absolutely correct. What's really depressing is, the technology to stop this and the simple behaviours to prevent these kinds of attacks have been widespread and well-known to the security community for many, many years; most people simply aren't doing it.
Chris - The other thing which I think perhaps we should dwell on is, going back to your fact that maybe 10% of networks whether they're in businesses or in public or Wi-Fi hotspots and things, less than 10% of them are using robust and resilient security. Surely, a bigger question is, what is behind those networks? What's plugged into them because increasingly, lots of devices now are on the internet. We’ve got this phenomenon of the internet of things coming along and this means potentially, if someone can compromise your home network, they're actually compromising everything you’ve got in your house.
James - You're absolutely right and it’s a really interesting trend that has seriously taken us all by surprise. Just yesterday, I bought a slow cooker for my kitchen which comes with wireless built-in by default and connects to a smartphone app which enables me to turn it on from the other side of the world. And with a little bit of reverse engineering, I've already found that it uses a static password which means that if I can find anyone else’s slow cooker, I can control that as well. So, I might be ruining a few beef stews shortly. But that’s of course just one of the many types of devices – baby monitors, CCTV cameras. I mean, I've even found wireless plant monitors that will water your plants for you whilst you're on holiday. I mean, we’re really extending the reach of digital technology into the physical world and placing it all around us, which opens up a lot of possibilities for attackers.
Chris - Going back to the CCTV point, if people have got a CCTV at home ostensibly to make their house more secure and that’s behind an insecure network interface and someone like you knows how to find those cameras then you could potentially actually turn it around. And so, well I now know when the people aren't at home because I can use their own camera to find out when their home is empty and then go rob it.
James - There's a deep-rooted irony there, isn’t there? These devices are shockingly poor. I acquired 12 CCTV cameras from Amazon – the kind that you would put in your home or a small business and I found serious flaws that would enable anyone with a bit of skill to get into every single one of them. I actually did a bit of searching online as much as we could within the confines of law and ethics unlike the cyber criminals. I found a petrol station. This petrol station has a feed over the chip and PIN terminals which you use when you make payments. And it’s high enough resolution that I could see all of the credit card numbers and the PIN numbers being typed in. And that was streamed to the internet with no user name and password.
Chris - Good grief! Have you told them?
James - Yeah, I've actually managed to locate what I think is the right petrol station and I've sent them a note. The feed is still there, along with many others. I found an Italian clothing store that’s wonderfully creepy as it has infrared in the changing room, which I've emailed them and said, “I thought it was horribly inappropriate even if it was a secure system.” An astonishing number.
Chris - What can be done because your average person who isn’t computer savvy, they use certain platforms that are very, very user friendly for a reason because they don’t want to have to become an uber geek on a computer to overcome this sort of thing? What can they do? What can the average person do to make themselves safer?
James - I've got a very simple ask: there are a number of very simple best practice items, things like getting yourself good passwords, not using the same password on every site and service, keeping these devices up to date, checking your home wireless network, and making sure you're using the latest security standard. I could use a bit of jargon here, but it’ll be helpful so you'll know what to Google to get some tips. Look up WPA2 and if you're really, really unsure, ask an expert. If you can do those simple things, we’ll make sure as uber geeks, along with lawyers, regulators and the like, that these internet of things devices get improved.