Ethical hacker turned off heating 300 miles away

Andrew Bolster, an ethical hacker from Belfast, gives an insight into the hidden world of cybercrime.

An ethical hacker from Ballymoney has given his insight on the rising tide of cybercrime across Northern Ireland - and what ordinary people can do to protect themselves.

Andrew Bolster has been part of the hacker community since he was 14. He later specialised in Digital Communications and High Performance Computing at Queen’s University Belfast and then took up a project to secure control of robotic marine systems for Nato, the MoD and the French government. He has also worked at the University of Liverpool on measures to protect wireless payments from hackers.

Andrew launched the Farset Labs hackerspace in Belfast in 2012, where all sorts of computer enthusiasts come together to build and experiment with technology and engineering.

“Probably the worst thing [I ever did] was breaking into school networks to see the lists of donors to a regeneration campaign my school was going through at the time,” he said.

But in adult life – he now lives in Belfast – he is adamant that he only uses his skills for good.

The term hacker does not have to mean “criminal” but originally came from the model train community, and simply means people who “played with technology in ways that that technology was not designed or made for”.

He described another early display of his powers.

“One particularly entertaining one was doing some testing for a friend’s family business, and by jumping through a couple of company systems, I was able to turn off the heating in their chicken coop from 300 miles away.”

The “big scary” of cybercrime, and why it’s putting so much pressure on our classical criminal justice processes, he said, is its remoteness and anonymity.

Attacks can be launched from anywhere in the world, and can be extremely difficult to track back to their source, if an attack is detected at all before it’s too late.

Northern Ireland has a particular vulnerability because high security multinationals are often working with smaller local companies which do not have the same resources to protect themselves, he said.

“Many believe that software lasts forever and is always fully tested and bullet proof before release. This is horrifically incorrect.”

One computer operating system had over 3,000 “hotfix” and security “patches” in 12 years, he said.

“An important consideration is that every time there is a security ‘patch’, that means that there was already a ‘hole’ there but nobody had either recognised it, or had fixed it, and by announcing and releasing the ‘patch’, malicious hackers can reverse-engineer what that hole was with relative ease, and can then target machines that haven’t received that update yet with confidence that they can get in using this hole.”

In 2016 one source in Queen’s paid a ransom to hackers who had taken over this precise operating system, and more recently the “WannaCry” infection of the NHS also targeted the same software.

This should be a wake-up call to administrators and the general public, he said.

He added: “In my experience there are three kinds of hackers; hacktivists, hackers for hire and experimenters.

“I’d personally identify myself as the latter; motivated to explore and manipulate systems purely out of curiosity and a desire for knowledge of how a system operates.

“Hacktivists just want to break things, or may have a political or [in their view] ‘ethical’ motivation for their activities.”

In the past, if someone wanted to rob a shop, for instance, there was a hard limit on how much a thief could get away with.

“Today however, the thief doesn’t have to be in the same country as the shop, there are no outward signs of intrusion, the till is effectively infinite, and if you successfully break into one system, you have an extremely easy path to then break into neighbouring systems.”

Now that all sorts of devices are becoming “smart” and internet connected – from TVs, fridges and washing machines to home assistants – they collect and share information about the state of our homes and lives, hopefully making them easier, but at least providing advertisers a bit of extra information about our habits, he says.

However, in October 2016, millions of such smart devices across the world, like webcams, DVRs, thermostats, and more, were all used maliciously to target and disrupt the same computer server at the same time.

“That’s the equivalent of posting a million Instagram pictures every second, all being fired like a machine gun at one system. These types of attacks are called DDoS or Distributed Denial of Service attacks, and are not particularly sophisticated; relying on sheer numbers to overwhelm a target.”

The steps people can take to protect themselves, he says, are:

• Make sure that default passwords are changed on smart devices such as routers or webcams.

• Use a password manager like LastPass or 1Pass to generate and store randomised passwords.

• Don’t use the same passwords on multiple systems.

• Make sure you have automatic updates enabled on your computers, and also keep mobile phones up to date when possible.

• If something is too good to be true, it probably is; nobody gives prizes for being the 100,000th visitor to a site, you haven’t won a free prize draw, and there are no attractive singles in your area.

• Be careful about what permissions you give apps and games, particularly if they use shared credentials such as Facebook or Google logins.
