“With cyber security,” says Jamie Woodruff, “you get geeks, the guys who find the critical vulnerabilities, the bugs. Then you get the guys who are able to exploit people. That’s my passion.”
In his strong Lancashire accent, Jamie, 23, explains his talent for observing people’s movements, speech and body language to find their weaknesses before targeting them with “social engineering” techniques. “But,” he adds hastily, “I’m bound by a strict code of ethics.”
That’s because he operates as an ethical hacker and certified penetration testing engineer to probe companies’ systems for faults, with permission. The idea is that they get fixed before a less scrupulous party takes advantage.
But that might not always be the case. The average company is the target of more than 100 cyber attacks a year, with a third of these being successful. What’s more, according to research published by Accenture, a third of those successful breeches aren’t discovered by the company itself.
Spotting opportunities
For one of Jamie’s recent projects he monitored a large financial institution for several weeks before eventually spotting a way in. The company would have pizza delivered by a well-known chain every Friday. So, he applied for a job there, got hold of a uniform and “walked straight past security and into the server room”. After using some UV spray to see which buttons had been pressed on a keypad, he bypassed another layer of outdated security and gained access to the company’s supposedly secure information.
To aid similar work he has a stash of ID badges, props and other uniforms from Royal Mail to UPS and FedEx. Disguised as an alarm technician, he gained access to another office building. “I got one employee to make me a brew, to make it seem like I was supposed to be there. I stole all their data within an hour and a half,” he says.
But Jamie’s skills extend beyond the art of disguise. On a recent trip to Norway he responded to a request to showcase “some proper hacking, some really scary stuff” by stealing the conference organiser’s laptop along with his credit card data and passwords, and then using them to start the engine of his host’s Tesla car remotely.
“There’s so much security in Tesla vehicles, but the end-user logging into his account uses the same password for everything. So I got access to the car and started it remotely. If you’re a hacker, you don’t have to steal the keys,” he says.
The same goes for banking apps. He says that a particular bank’s app allows you to call the customer service team from within the app and ask to transfer money without passing any additional security checks. It requires a passcode to get to that stage, but many people still use the same code for the app as they do for the phone it’s on.
Hacking ethics
He is repeatedly at pains to stress he is utterly committed to remaining within the bounds of an ethical code. He also says that when a company tasks him with breaking into its systems, there are always some ground rules.
“So I can’t just crowbar my way in and smash a fire alarm,” he says. Neither can he cause physical damage or distress to employees or other people on the premises. But when I ask whether some of the skills that he employs were learnt on the other side of that ethical line, he’s less forthcoming. “We’ll not go into detail about that one,” he says.
What Jamie will reveal is that he first became interested in computers aged nine, when his dad left him alone with the family’s brand new machine. “I decided to see what was inside the big black box, so took it apart with a screwdriver and all of a sudden was looking at all the components,” he says.
However, when he put it back together, he forgot to replace the fan and so ended up frying the central processing unit. This led to a trip to the computer shop and a chance to begin learning more about the hardware, a process that continued for several years. “Once I understood hardware, I understood the graphics and started writing viruses when I was 12 or 13,” he says, adding quickly: “Obviously nothing malicious.”
Becoming a hacker
But while Jamie continued to experiment and learn with computers, picking up an A* in his IT GCSE, the rest of his time at school was not as successful: “I got Cs, Ds Es and Fs in everything else, and didn’t really care at that time.” He went to Blackburn College for a while, but dropped out and began working at an old people’s home before deciding to have another crack at formal education. Despite having no A levels, he built a bot that automatically sent an application letter to practically every university in the country.
That got him a place at Bangor University and led to his entering a hackathon with a friend. He was singled out as the best performer of the weekend and won a prize, which was the cost of his certification to become an accredited penetration testing engineer. “All of a sudden,” he says, “I had a purpose.”
His exploits since have included hacking his way into Facebook and uncovering major flaws in Kim Kardashian’s site, where data about thousands upon thousands of her fans was at risk. In both instances he alerted the parties in question and changes were made.
I think a massive attack is imminent in the next few weeks
This is part of the reason that he is now a sought-after speaker at conferences and events for the likes of WIRED and BNP Paribas. The people who hire him, he reckons, want to raise awareness about the risks that businesses face in a way that quoting endless statistics doesn’t tend to achieve.
So he tells audiences about technology such as a “pineapple”, a device that can trick laptops or phones into thinking they are connecting to familiar networks such as Starbucks wi-fi, when in fact they’re hooking up to someone who’s going to take their data.
Building awareness
But, he says, one of the biggest weaknesses companies have is their senior people, who are often complacent when it comes to their own information and possessions, but also when it comes to allocating resources to defend against cyber attacks.
Jamie applauds Bank of America for announcing the company’s cyber-security budget would effectively be unlimited, but admits that even for companies with a hefty war chest, “not every risk can be stopped”.
To underline this, he points to the massive distributed denial of service (DDoS) attack that took place on October 21. Judged by some to be the biggest attack of its kind, it brought down numerous websites of reputable international companies, including Amazon, Facebook, The Guardian and PayPal, and even affected connected devices, such as intelligent light bulbs and thermostats. According to a report that Jamie believes to be credible, the attack was carried out with just 10 per cent of the server power available to the network that was responsible.
“Personally, I think that was a test. I think a massive attack is imminent in the next few weeks,” he warns.
The good news is that a solution may be on the way too. At two of this summer’s most high-profile hacker conferences, Def Con and the Black Hat security conference, there was a huge amount of interest in new types of systems that use artificial intelligence to learn when they are under attack and defend themselves.
However, the leading-edge technology isn’t yet widely available or used. And, until it is, you can bet Jamie’s expertise will remain in great demand.