This is the story of my first hack, more than a decade ago. Back then, I was around 12, and I was living with my parents who had a strict one-hour-per-week rule for the Internet. I used to batch-download everything I wanted to read, and make a text file of all the links I wanted to read next week. But this didn’t sit well with me. With just reconnaissance and some coding I managed to use my neighbor’s phone line and my school’s dial-up connection to get online without my parents knowing.
In trying to demonstrate how simply something can get hacked, I have shared this story at companies with wide-ranging security concerns like OpenAI, and smaller startups in the San Francisco Bay Area and Israel.
If you’d rather hear me tell this story, there’s a video recording from one of the times I shared this story at a company:
This story is about a confluence of events. It took place in Thessaloniki, Greece, which is where I grew up.
Before I write more, I have to point out that the statute of limitations has passed in all relevant jurisdictions…
So, I grew up in a condo building that looked like this:
Just kidding, it actually looked like this:
The important thing to know about these buildings is that usually there are two condos per floor. So you get to know your neighbor very very very well. One day, I overheard our neighbor discussing with my parents that of course she doesn’t pay her bills herself—she has an accountant.
To 12-year-old Ian, this was very surprising! My father is the kind of person that would go through the phone bill every month, line-by-line, to ensure there was no fraud or abuse.
Also… as a way to enforce my weekly quota of one hour of dial-up internet per week.
Furthermore, this neighbor used a special locking mechanism for her windows–sharing a floor, it was very easy to peak over the balcony and see if this special mechanism was engaged. I also realized that, just unlike my paranoid family, she only used it when she went on long trips.
Thus far, just by observing (we’ll call this reconnaissance later on), I had two key pieces of information:
A few months after these realizations, a new capability was developed in my “agency”: I became tall enough to reach the unlocked junction box at the entrance of our building 😂.
So, suddenly, I had a new capability which was, literally, just tiptoeing and reaching to the junction box where all the phone lines from the street come into the building, and they get routed to each condo.
In the United States, these junctions boxes look like this:
All you need to know is that those short metal bars in the middle are called bridging clips.
Bridging clips connect the left-hand side to the right-hand side and the left-hand side, with the line to the condos on the right, and the line from the street on the left.
So with some physical access, and some elbow grease it was very easy to reroute anybody’s line into anybody’s condo.
Of course, if this is something you wanted to do covertly and routinely you could build “bridging plugs”—basically a block of wood, some nails, and some copper wire. With such a bridging plug, you could very easily go have your neighbor’s phone line in your condo.
Thus far, we have an “unmonitored” phone–remember that my objective here was to have more than one hour of internet per week.
Having a phone line, the next step was getting someone’s dial-up access. (I’m pretty sure that my father also check the logs from the dial-up we got through his employer). At the time, this is how you connected to the Internet:
At my school, we had two computers running Windows 95 that were able to connect to the Internet.
I used Visual Basic (which may be the most embarrassing part of this post) to make a mock dialog, that looked identical to the Windows 95 Dial-Up dialog.
It was supposed to take the supplied username and password, save it in a text file, and then start the real dial-up connection dialog, hide it, insert the supplied username and password, and “dial”, so that it’d actually try to dial.
The next time I got to use one of the computers with the Internet at my school, I disconnected the dial-up, and ran my mock dialog, and called the teacher over to type the username and the password.
It actually crashed instead of triggering the real dial-up, but it crashed after it saved the username and password in the text file. The teacher just assumed there was some glitch, started the real dial-up connection, and we both went our merry ways.
For many years I used to use the bridging plug, to switch my parents’ phone line for my neighbor’s phone line. Using the school’s dial-up credentials was incredible, because the dial-up provider kindly called you back, so that all phone charges would be paid by the central government instead of each school (or each neighbor).
This is a nice story, and I hope you laughed, but what can we learn?
Just by being observant, and by being a bit willing to imitate horrible UI, I was able to escalate my access and get unmonitored internet access.
Although this happened some 18-19 years ago, there are some infosec principles that are very simple to apply, and would have prevents this type of attack.
Be mindful when sharing any kind of operation detail. You never know who’s listening and why.
There are very few gadgets or pieces of technology, that can withstand an attack if you can get your hands on it. This means some things about insider threats and supply chains, but the important thing to remember is that physical access is king.
If anything in this series of attacks had any kind of access control (e.g. a lock on the junction box, 2FA on the dial-up, or restricting from which phone numbers you could access the dial-up) my chain of attack would have been foiled.
In companies, this often means asking “why do you need this” when someone’s requesting new access, or “why” when someone’s access something, from a new IP, or a new location.
Aside from the specifics, we can learn something more generic from this attack: every attack on information infrastructure takes the following form:
Lockheed Martin popularized this list as a Cyber Killchain. The key is that it’s a chain, and weakening any part of it, weakens the chain. Which is in infosec we often talk about “defense in depth”—to give a practical example: just because you have a firewall at your network’s perimeter doesn’t mean you shouldn’t restrict traffic within your network.
It also means that we should think abstractly about ways we can interfere with an attacker’s cyber killchain, starting from reconnaissance all the way down to persistence.
Depending on the specifics of the attackers your organization faces, you may have to make odd trade-offs, and I’ll be writing about some of the odd trade-offs I’ve made in upcoming posts.
This was the story of my first hack, which happened over 18-19 years ago!
Follow @ianatha for more interesting stories on infosec!