Many would think that the root of all the cyber-evil is tech itself, and once you say no to fancy smart devices, all those spooky cyber-threats should go away. If you don’t have a smart fridge or a smart washing machine that connects over Wi-Fi (or wireless switches and controls), then you should be safe. As it turns out, everyone has something hackable.
Mrs. Patsy Walsh, a good elderly American woman, consented to take part in an experiment and allowed two good-willed hackers, Reed Loden (CEO) and Michael Prins (co-founder) of HackerOne, to hack something of hers. Walsh had noted that she had nothing to hack whatsoever! The researchers also invited New York Times reporters to chronicle this test.
Patsy Walsh can be considered what we call an ‘Advanced Grandma:’ she has six grandchildren, a laptop, a Facebook profile to keep in touch with her friends and family, satellite TV, and a car. As you might notice, contrary to her initial assessment, she has plenty of things to hack!
First, the hackers prepared the foundation. They visited Mrs. Walsh’s Facebook pages and found out that she had recently signed a petition on change.org. The researchers spent 10 minutes compiling a faux email to Patsy, purporting to come from change.org, asking her to sign another petition about land ownership in Marin County, CA, where she happened to live.
How easy was it for hackers to ‘pwn’ a grandmother of six? Very. http://t.co/gwAp7FUg5v pic.twitter.com/LVXzrm65On
— NYTimes Tech (@nytimestech) October 15, 2015
The “Advanced Grandma” could not resist and, predictably, signed the petition. However, the link in the email she got directed her to a phishing website instead of change.org. This is how the hackers managed to obtain Mrs. Walsh’s password, which she later acknowledged using on different services.
So as it turns out, one fake email was enough to fully compromise Patsy Walsh’s digital life. Imagine what could have happened if it had been a real attack and not white hats conducting research. Criminals could have used Patsy’s data for any kind of rogue activity.
There are 40 tabs open here. My grandma is clearly v tech savvy. pic.twitter.com/jlzW8LhMei
— ris (@marisanjones98) October 15, 2015
After that, the HackerOne team visited Mrs. Walsh’s house. One and a half hours were enough to brute-force a simple digital lock on the garage door. They then spent a bit more time hacking into her DirecTV satellite television, and the two hackers could not resist subscribing Mrs. Walsh to a selection of adult channels.
Then the researchers got hold of her laptop. Walsh had all of her passwords written on a post-it note attached to her home router, so the process of hacking took almost no time. Having infiltrated the laptop, the hackers obtained Mrs. Walsh’s personal information, including her social security number, PayPal password, a frequent flier profile with one of the airlines, and her insurance plan. They even managed to get their hands on her Power of Attorney letter.
Me: ''Today is last date to pay my mobile bill.. Arggh''
My 67yr GrandMa: ''Just PayTM it'' @vijayshekhar @Paytm Tech breaks Age-barrier
— Chaitaanya Pravin (@Hungry_Chai) October 23, 2015
The white hats also found out that they were not the first to set foot in Mrs. Walsh’s digital world. Her laptop was infested with a couple dozen malicious programs, including some that install other malware, track browser history, seed malicious advertising and the like. A weakly protected laptop belonging to a person with a low level of digital literacy is bound to become a desirable target for attackers.
Mrs. Walsh even benefited from this hacking experiment: first, she got a heads-up on the basics of cyber-security, as well as proof that she needed a new garage lock and had to use unique and more sophisticated passwords for her numerous web services.
Second, the hackers promised to drop by some time around Thanksgiving and purge Mrs. Walsh’s laptop of all the malware it contained. All in all, this real-life example demonstrates how easy it can be to compromise the entire digital life of a person who is not cyber-savvy, even if this person thinks they have nothing hackable.
In the end, we are surrounded by a mass of potentially hackable objects. We all use PCs and most of us are very attached to our smartphones. Many also have routers, smart watches, gaming consoles and smart TVs, which are all likely targets for cybercriminals.
Many of these things are perceived as something not prone to being hacked, but, historically, they enjoy a far lower level of protection than PCs — take that garage lock, for instance. A car with an integrated satnav system which is capable of downloading real-time traffic data? Hackable. A car without a satnav system but equipped with a proximity keychain to unlock a door? Even more hackable.
#BlackHat 2015: The full story of how that Jeep was hacked https://t.co/y0d6k8UE4n #bhUSA pic.twitter.com/SWulPz4Et7
— Kaspersky (@kaspersky) August 7, 2015
Moreover, in order to be hacked you don’t actually have to possess a digital device. A load of digital data on any person is stored in databases at various government or commercial premises: hospitals, local municipalities, airlines, banks, shops, insurance companies and the like.
This data is also potentially hackable, and in this case the consequences could be utterly fascinating. For example, a recent case proved that in some Western countries a culprit is capable of adding a person to the ‘Deceased’ database without even hacking anything, and the victim might have a hard time proving the opposite.
How to kill a human with a keyboard https://t.co/Mg6yBJxHRz #defcon pic.twitter.com/F3VRae185m
— Kaspersky (@kaspersky) August 10, 2015
You cannot be completely safe from all of these threats, just as you cannot be completely sure that the boat you are sailing won’t sink for some reason. But if you check the weather forecast before going out, master at least basic sailing skills, and wear a safety vest, the threat will be minimized and you’ll have a great time.
The same applies to cyber-security issues. You have to know how your data could be compromised and do your best to avoid it. Use robust security software and, of course, don’t keep your passwords written down on a post-it note attached to a router.