Meet the tech-heads breaking into big-name products for the public good
Malware has gone political this past month after Jeff Bezos’ WhatsApp sexts were leaked. The white hats are here to prove that not all hackers are out to exploit.
A Tesla in a nondescript Oslo carpark suddenly blinks to life. Soon the person who unlocked it will open the door, slide in behind the steering wheel and accelerate down the street. Or so the theory goes.
In fact, the car sits open and ready, but nothing happens. The would-be driver isn’t actually in Oslo – the owner is in fact dozens of miles away. That’s because the person who opened the Tesla isn’t the owner but a hacker.
Simply by tempting the real owner into downloading a code for a “free burger meal”, they have gained complete control of the vehicle. Alongside the burger code, the owner unwittingly downloaded malware which enabled the thief to assume control of the vehicle from a remote location.
It isn’t quite gone in 60 seconds, but because no crowbars are used and there are no smashed windows, it is arguably even more baffling for the owner. Fortunately, on this occasion the “thief” isn’t actually looking to steal the vehicle – they just want to test the limits to see if it can be done.
The world of malware has gone political this past month. Jeff Bezos hired a private security firm to unpick how details of his sexting scandal reached the National Enquirer. His team subsequently claimed that a WhatsApp message sent by the Crown Prince of Saudi Arabia, Mohammed bin Salman, had contained a video which unleashed malware that could steal personal information. The Crown Prince’s camp vehemently denies the allegation and the UN and FBI are currently looking into it.
But not all hacks are malicious. Promon are a Norwegian security firm who run “white hat” hacking programmes such as the Tesla scam. Their research exposes flaws in big-name products for the public good. As Promon’s business is designing security software to protect big businesses, it’s also part of their business model to show how helpless some companies are without them.
“The Tesla hack was done with tools available to any dark web attacker, [either] for free or bought with very little money,” says Promon’s creator Tom Lysemose Hansen. “What we want to warn people is that without many technical skills, bad guys can do this.”
Hansen doesn’t fit the stereotype of the overweight hacker, sitting alone in a basement flat covered in Doritos-dust. After studying philosophy and computer science, he was pushed forward to do a Mathematics PhD by his tutors, even though he was only in the first term of his degree.
He likes to keep his hacker skills toned by playing blind chess – i.e. where you can’t see the board or the pieces – using only a mental map of where the pieces are. In his Norwegian office – stripped-back industrial chic, naturally for Scandinavia – there is a strange hybrid flesh-and-bolts reimagining of Auguste Rodin’s bronze sculpture The Thinker.
“Philosophy is great for the playful mind and forms a great foundation for innovation,” Hansen says.
The hypothetical potential of the Tesla hack – which happened in 2016 – was endless. You could steal the car or stalk the owner to find out when they left their home unattended, or troll them by turning the heating on and off without their knowledge.
Frighteningly, Hansen says apps ranging from freebies like WhatsApp to ones controlling expensive products like Tesla are vulnerable. “WhatsApp is generally quite safe, but a hacker could get access to someone’s videos, pictures, personal data, banking codes and even their camera or microphone,” he warns ominously.
Last year, cyber-security research group Kaspersky discovered that CamScanner – an app downloaded more than 100 million times by Android users in order to produce digital scans via their phone – inadvertently contained malware. Code within the part of the app that delivers ads made it possible to snoop on login credentials.
It’s often hackers, not the authorities, who spot these flaws, say white hat hacking experts.
“The nature of a hacker is not what the media portrays,” says Christopher Hadnagy, who started the first human hacking conference for professionals and runs his own nonprofit group, Innocent Lives Foundation, which enlists white hat hackers to stop child predators.
Hadnagy is now 40-something, but remembers getting the computer bug as a boy when his dad brought home a computer – no hard drive, no internet – that he was banned from touching. Hadnagy was given a Commodore 64 when he was 12 years old – he started using it for gaming, programming and writing scripts.
Once the internet appeared it set him loose on the world. At college he accidentally shut down a county’s phone system for 24 hours. It got him kicked out of college – not that he says all hackers are bad.
“A hacker is often a person who wants to understand how things work – whether that is a computer or a human – then learns how to exploit that. A white hat [hacker] is a person who does this for good, to help. Where a black hat is one who does it for their own benefit whilst hurting others.”
Strandhogg: why Android is never safe
White hat hackers often team up. In December 2019, Promon worked alongside Lookout, a US security firm, to expose a vulnerability in the Android operating system made by Google. It rendered devices so naked to attack that the “white hats” named it “Strandhogg” – a Norse term given to coastal villages that were ripe for pillaging by bloodthirsty Vikings.
Lookout proved that the Android system failed to spot malignant apps that were freely available on the Google Play store.
The flaw worked like this: an Android user downloaded an innocuous-looking app such as a weather app. They’d install and forget about it without realising that the weather app was actually a parasite which effectively mimicked other apps. It essentially moved itself in front of other apps – like your email or banking app – in order to steal your personal information.
“Somehow you got a malicious app on your phone and it begins to attack the other apps,” says Hansen. “You click on your normal banking app and you expect the normal banking app to launch, but instead, this parasitic, malicious app forces itself in front of your app to mimic it.”
“You then start feeding it all your private banking information until it’s stolen all your info.”
Banking apps are normally much harder to hack, but in this instance the chameleon-like malware sidestepped the usual obstacles by simply mimicking the banking app to get your personal data. The malicious app also sought permission to access the device’s camera, microphone, messages, GPS and storage. With one absent-minded swipe of the thumb, the malicious app gained access to these components.
By the end of last year several banks in the Czech Republic reported that customers had their accounts emptied. Promon and Lookout identified hundreds of apps on the Google Play store which had the capability to do this kind of damage.
For their work in exposing the flaw, Hansen’s team received a “significant reward” from Google. “They have an official channel especially for all of this sort of thing, and they were very positive,” Hansen says. “We gave them intricate technical advice on how they can then block this problem. After that they phoned us about the reward.”
Other white hats make their living testing big companies’ defences.
White hat sends 14.5 million phishing emails
“I estimate that I have personally sent 14.5 million phishing emails,” says Hadnagy. “I don’t sit in my mom’s basement with a hoodie wreaking havoc on the internet, I am doing good work for people.”
What many companies overlook is that the real weakness isn’t in their tech, but in the people they employ. Hadnagy saw this when he was hired to test the security levels of a major US corporation.
“I emailed 1,000 of the staff saying they had the chance to win one of ten brand new iPhones in a raffle,” Hadnagy recalls. “All they had to do was go to a website and send their domain credentials – i.e. their username and password.”
Because the email looked like one from within the company, 75% of staff did exactly what they were told. Then Hadnagy used their trust against them a second time.
“I rang 25 of them and introduced myself as Paul from tech support,” he says. “I said because they had accepted that iPhone email, their machine was now laden with malware. I told them to go to another website and download a programme. However, this programme was something called a ‘reverse shell’, which enabled me to hijack their entire desktop controls.”
This whole exercise showed the major corporation how their staff – otherwise successful, productive people – could easily be duped into simply throwing open the door to hackers.
Hadnagy acknowledges that some “white hat hackers” morph into “black hats” through their own hubris or by failing to stick to a professional code.
“[A white hat] should always make sure everything must be documented and above board,” he says. “I know someone who shut down a whole city’s water supply because they wanted to ‘try’ something. Once inside the system, he thought ‘let me see what this button does’ and it was the emergency shut-off. There was 30 minutes of panic then it was back on.”
Big companies offer cash carrots for white hats to test them
But as the number of fraud scams rises – £616m was lost in the first six months of 2019 to bank transfer scams alone – so do the rewards for ethical hackers who manage to spot the holes.
In 2008, white hat hacker Charlie Miller won $10,000 for being the first to locate a MacBook Air bug at the Pwn2Own contest in Vancouver. A year later, Miller also beat Safari’s browser security and received a $5,000 reward.
Today most tech companies offer six-figure bounties for spotting faults – Facebook alone has paid $6.3m (£4.8m) to independent cyber-security researchers since 2011. Intel and Microsoft are believed to offer up to $250,000 (£180,000) for identifying a fault, while Google and Apple offer up to $200,000 (£151,000).
Promon’s Tesla hack took place in 2016 and broke new ground. By 2019, Tesla were so keen to make their latest model watertight that they were inviting hackers to try their luck for a $375,000 cash reward. Hacker team Richard Zhu and Amat Cama, known as Fluoroacetate, emerged victorious, using a bug to get into the car’s internet browser and load a message on its screen.
Tesla were grateful for the interventions, saying: “We thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
There are now even platforms for “bug bounty hunters” which match-make them with big corporations looking to use their skills. HackerOne is one such platform. The company, which enlists hackers from around the world, says 116 different “critical vulnerability” discoveries were rewarded with $10,000 payouts during 2018, with some top-level “white hats” earning 16 times the average salary of a software engineer in their home country.
HackerOne claims that the US government, Goldman Sachs, American Express and Toyota now run bug bounty programmes. The platform says that in 2017, one large firm paid out $75,000 to a hacker who spotted a flaw that would have allowed attackers to steal credit card information, spread ransomware to take over user accounts, attack employee accounts and take over parts of the company’s IT infrastructure.
With the first internet-raised generation becoming adults, these high rewards are ripe for picking by even the precociously young. Hadnagy began teaching his kids hacking techniques from the age of five and he says it’s not uncommon for him to encounter “white hats” on the internet who turn out to be 12 years old.
But those capable of hacking a company in this way should be careful to do so correctly, says Hansen of Promon.
“On a web service, if you tamper with the security, that can often be enough to bring the whole network down,” he explains. “So we normally tell [the company] in advance, and can test an app without harming anything outside our own mobile phone. We are selective if and when we go public. We always, if we find a vulnerability, use responsible disclosure. We informed Google well before anyone else.”
As for rewards, Hansen remains coy.
“We got a reward from Google – I prefer not to reveal that. It was a significant amount which we really appreciated.”
As ever, the best “white hats” know the importance of being discreet.