Last year I got an email offering me the opportunity to do some work with the BBC and show something security focused that would be broadcast live on the BBC's flagship technology show, Click. This is the story of how that came together and how we gave someone psychic abilities!
Previous work with the BBC
I've been really fortunate to work with the BBC Click team on a few different shows now and we've done some really great stuff. The first episode came earlier in 2017 and regular readers will surely not have forgotten the wonder that was Nomx. You can read all of the details on the research I did with Professor Alan Woodward in my blog "nomx: The world's most secure communications protocol" and yes, they really did call their product that and no, it really wasn't! Following the spectacular responsible disclosure that couldn't really have gone any worse, the story and the show gathered international headlines and gave a great overview of exactly what security researchers do, how they do it and, most importantly, why. After the success of the Nomx episode I was invited to join the BBC Click team later in 2017 to attend BlackHat, DEF CON and BSides in Las Vegas! A great time was had by all and even more awesome TV was made. That resulted in 2 fantastic episodes of the show, "Fear and Coding in Las Vegas" and "What happens in Vegas...", and my own blog about the experience, "My week in Vegas". Given how awesome all of my experiences had been with the BBC Click team, when the producer got in touch and asked me if I wanted to participate in the live show I was immediately on board!
BBC Click Live
The BBC Click team put on the live show once a year and let me tell you, doing a live production is a lot harder than filming and then editing! If you fluff your lines there's no going back, no take 2, you just have to recover. That made me pretty nervous going in but I sure as heck wasn't going to pass up this opportunity. The show would encompass all kinds of technology from drones to bio-tech and 3D printed food to apps that are changing the world. I won't spoil it too much, you should really go and watch the show, but they wanted something with a security element too. Security is moving more and more into the public eye with big data breaches and hacks constantly making mainstream headlines so the show wanted something with a security element. My brief was simple, they wanted something security related, that could fit completely into an 8 minute segment with an interview at the end, be visually compelling and understood by the audience in the small timeframe, within budget, reliable and possible to fit in the theatre. On the bright side there weren't too many requirements to worry about...
With pretty much free rein over the content it was almost more difficult than if there had been restrictions. Given the nature of the audience, who are obviously interested in tech as they watch the show but probably aren't security experts, I really wanted to try and target that demographic. I wanted something that would be meaningful, something that they would watch and learn something from, I wanted them to leave having taken away something useful. The nomx work that we did was great and things like the car hacking I did with Troy are all fascinating, but they didn't fit the kind of thing I was going for in the theatre. One idea that quickly surfaced from the back of my mind was something that I'd seen before and I'd actually seen it done in different ways. It leveraged the incredible power of Open Source Intelligence (OSINT), which is basically any information that you can find out about someone online, and presented that to the target without them being aware of what's happening.
Cal Leeming did some great work with BBC Crimewatch where they asked people on the street to Like the Facebook page of a coffee shop to go inside and claim a free coffee. From the time they liked the page outside and got their free coffee voucher to being served their coffee, they had already done all the research they needed on the target. It makes for really good viewing and you can see the show here. Another great example that's subtitled from French but still shows just how scary things can be is this one, where they had a psychic retrieve financial information from people's minds. Whilst we couldn't go quite that far on live television, I had a great idea of exactly what I wanted to do. Yes it's been done before but information exposure online is still a massive problem even today. People simply don't realise how much information is out there, how easy it is to access and how it can be used by anyone who knows how to look for it. We could do this within the timeframe we had, it was easy to do live in the theatre and most importantly for me, people would learn a valuable lesson and actually be able to take the information away and better protect themselves.
I put the idea forward and whilst we still had some problems to work out with the worried legal team, it was a green light and time to start planning. One of the things that I knew right away was that I certainly couldn't do this alone, there was simply too much to do! I needed someone reliable, someone that I could depend on to work with and preferably someone highly skilled in this very particular subset of the security field. It's a good job I knew exactly the right person for the role because I don't know if this would have worked without Zoë Rose. Zoë was in from the moment I asked and we now had our crack team of security experts to pull off the data heist! Over many, many planning meetings Zoë and I worked together to come up with the plan on how we were going to pull this off. The biggest problem we had to work with was the timeframe and it really was a big problem. The audience would be arriving at most probably an hour before the show so it really didn't leave us much time to research them and get the information ready. On top of that we had the added pressure that we were the first act as soon as the show started, we couldn't target the audience as they were sat there, we had to get them in the queue outside or in the waiting area on the way in. The timing was really tight, so much so that we were actually a little worried, but I was confident we could do it. One suggestion was that we could use the names on the tickets to start our research ahead of time but I didn't want to do that, I wanted to do it in real-time and start with zero knowledge to really show just how easy it could be.
To find information on our targets we needed something to go off and their name was obviously the starting point, but how do we get it? We iterated through many ideas like Zoë and I wearing fake "CREW" T-shirts and mingling with the crowd as they queue to get in, asking people to sign a fake check-in sheet, using a little social engineering and just striking up conversations and a whole heap of other things. The problem was though they all took too much time and required us to be located where the audience was going to queue up and not in our hidden room doing the bulk of the research. No, they weren't going to work with our time constraints, we needed something else and that's where the obvious hit us, WiFi. Everyone wants WiFi, everyone loves WiFi and everyone is happy to sign up to WiFi to get it for free.
The WiFi idea was simple and easy but the most important thing was that it didn't require us to be anywhere other than where we needed to be, in our hidden room doing the research. As fate would have it we also had the perfect tools for the job, the WiFi Pineapple. I've talked about the WiFi Pineapple a heap of times on my blog and it really is an awesome piece of kit. I already had a few myself and Darren Kitchen really hooked me up on our filming trip to Vegas with one of their Hak5 Elite Field Kits which was about to become really useful again. The plan was to set up a free WiFi network, place posters around the venue to advertise it and when people joined the WiFi we'd simply ask for their first and last name and they could click Login to get the free WiFi. We now had a reliable way of finding the information we needed to get started with our research.
We rehearsed, we practised, we tested equipment, we had tabs open with all of the tools we were going to use to find information on the targets, we were ready. Nothing gets the nerves going like knowing you're about to try and perform a live 'hack' with 300 people sat in the audience and an insane 300,000 more watching the Facebook Live broadcast, but we were doing it. We had a great location overlooking the whole audience in the theatre so we could even try to identify where in the audience our targets were located to get the microphones ready, this was it!
With the queue outside growing we were already starting to get our first bites on the WiFi network, people were putting their first and last name into that captive portal page and hitting the Login button. It must have been the really legitimate WiFi posters we put up!!
The MkV Pineapple we had right in the centre of the Media Cafe was doing all of the leg work at this point and trying to sustain hundreds of devices on a pretty poor backhaul over the BBC Guest WiFi that I'd authenticated it to. Still, things were a little slow, but it was working!
Zoë and I began our research, furiously scouring the internet for any trace of information we could find on our potential targets. We only had a first and last name to go off from the captive portal which really isn't a lot, do you know how many people there are called Sarah Johnson in the UK?! We needed to narrow it down quickly and the first call was social media. Had they checked in at the event, talked about travelling to London today, mentioned the show in the past, do they like the show's social media pages? All of these were indicators that we had found the right person and we could start researching them. Fortunately, social media makes this a lot easier. Countless people had checked in at the event and that made targeting them really easy. Oh, did I mention that we also set up a real-looking event for them to check in at on Facebook? When you post a new status and check in anywhere near where we were, the first thing that popped up on the list was the event we'd created and everyone was using it. There were also quite a few people on Twitter with pictures of themselves on the train or using the hashtag for the live show to say they were on the way or looking forward to it. Prior to this moment in time I was really worried about taking a first and last name combination and actually finding the right person, but it turned out to be a lot easier than we'd thought.
Once you've identified someone's social media profile it's generally quite easy to start grabbing further information. Who are their friends, their family, where do they live, where do they work and what interesting facts can we learn about them? Once we know where they live and very often their age, we can start to look through UK Government records like the Births, Marriages and Deaths register to see if we can find their birth certificate. From this we can find out details on their family, their spouse and start to spread laterally from there. Also in the UK if you're a company director or shareholder in a company we can use the Companies House register, another government doxing, to find exactly who you are, where you live and what business interests you have. In short, it was all too easy to go from knowing only their first and last name to having a significant quantity of information about them. It's a pretty good job that it was easy going because the theatre was starting to fill up, the audience were coming in...
Given that we were the first act we had very little time left. We quickly began writing out little flash cards on each person that we could run through over the radio. We probably needed 3 or 4 'good' targets that we had enough information on to make it worthwhile plus a couple of spares as backup if we'd mis-identified someone or, quite possibly, someone was too shy to put their hand up and participate in the show. By now they were doing the introduction for the show on stage and Zoë and I were writing out our final information and getting ready to dash back stage for our introduction and reveal at the end of the act. We tested our comms with Joe one last time before he walked out on stage and this was it. The intro went well, the room went quiet and Joe began, you could literally feel the suspense in the room, 'a psychic'?
We had Osman with us and he was going to feed the information to Joe over the radio so that Zoë and I could begin our run downstairs about half way through, but he wanted us there for backup if something went wrong. Osman started calling the first name out over the radio and passed Joe all of the information we'd found and Joe took it and did his thing. The people in the audience he was calling out were visibly a little uncomfortable in some cases but this is what we were going for. We didn't want to scare people, but we wanted them to realise just how much information was out there and how easily we could come by it. Half way through and it was going well, but we hit a snag. Joe was calling a name out and no one was answering or putting their hand up, maybe they just didn't want to take part, but then it came in over the production channel which was one of the 4 walkie-talkies we had on our desk: "That's one of the camera men!!". Oops! It seems even the crew aren't immune to our eagle eyes! No problem though, we had backups and Joe brushed over it as someone who didn't want to participate and he didn't want to push them. Zoë and I were done and we began our trip around the theatre to the back stage entrance ready to come out and reveal all while the final targets were called out.
Unfortunately our little interview on the stage didn't make the final cut because there was simply so much content they couldn't fit it into the slot but we did get the bulk of what we wanted to show out there. Being stood up on the stage it was quite obvious that the audience had been a little shocked by how the 'psychic' had worked and Zoë got some really sound advice across on how people can better protect themselves online. I think it's fair to say, mission accomplished!
The rest of the show
I was pretty nervous about being the first act of the show, opening a show like that is a pretty tall order, but I'm happy to say we nailed it. Another great advantage of being the first act is that we then had the best seats in the house to enjoy the rest of the show and we didn't have a single thing to worry about! We got to see all kinds of amazing things but I don't really want to spoil it for you, check out the show on the BBC iPlayer. If you can't watch the iPlayer, or get a UK IP to watch the iPlayer, the show should hit the BBC Click YouTube Channel soon enough. Once the show was over the audience was quickly cleared and we got to invade the stage to have a little post-show celebration of our own.
There were drinks and food and of course everyone was a lot more relaxed than they were that morning but I couldn't stay and party too hard. I had to catch the midnight train (going anywhere...) to Glasgow for a training course the following day so I hitched myself a ride on the overnight sleeper train and spent the next glorious 7 hours recovering from an immensely tiring 3 days in the world's tiniest bed!
More to come
The BBC show was a success, the feedback was great and the production team loved our piece. The great news is that Zoë and I have already wrapped up filming on a very similar project with the other major broadcaster here in the UK, ITV. I can't release any details about that just yet other than saying it used a similar approach to the one we used here but in a completely different setting. I think it went really well and again, we managed to get across the point we wanted to make and most importantly, the information on how people can better protect themselves online. Follow me on Twitter and expect to hear about that in late March, but until then, thanks for watching!