Hacking elite gather in Hong Kong: but this is for a good cause

One of the young ‘white-hat’ hackers, ‘tyy’, manages to break into user accounts of four Chinese bike-sharing companies within half an hour

PUBLISHED : Sunday, 14 May, 2017, 6:02pm
UPDATED : Sunday, 14 May, 2017, 10:34pm

A group of hackers gathered for a cruise departing from Hong Kong on Saturday, armed with laptops, smartphones and various electronic devices.

One claimed he could hack into a children’s smartwatch, calling and impersonating a child’s parent. Another wanted to hack into the user accounts of four bike-sharing companies.

Such a scenario might seem sinister, especially since the gathering occurred on the day after a spate of ransomware attacks spread rapidly across the globe, including Spain, France and Russia.

The virus took control of users’ files. In England, for instance, 48 National Health Service hospitals fell victim.

But the hackers meant no malice – they were so-called “white-hat hackers”, who expose vulnerabilities in the smart devices people use in their everyday lives at the GeekPwn (pronounced Geek-Pawn) hacking contest.

White-hat hackers are ethical and aim to discover vulnerabilities in a system in order to strengthen cybersecurity.

Wang Qi, chief executive of Keen Team, a white-hat hacking collective in China that organises annual GeekPwn competitions, said such events enabled hackers to detect loopholes and prevent cyberattacks that could cripple networks across the globe.

Another such example was last year’s Mirai botnet attack, which saw widespread denial-of-service attacks on network systems executed through various internet of things devices such as printers and IP cameras that had been infected by Mirai malware.

“We are very proud because we’ve actually helped to eliminate many similar issues,” Wang said. “At GeekPwn, every hacker’s success is equivalent to successfully preventing another widespread cyberattack. We’re helping to safeguard the privacy of millions and preventing the loss of data.”

GeekPwn hackers demonstrate the loopholes they have found in various smart devices by hacking them, and the findings are later submitted to product manufacturers so that the security loopholes can be patched.

Security experts from companies such as Tencent Holdings, Baidu and Xiaomi serve as judges for the competition, overseeing each demonstration and ensuring that the loopholes have been successfully proven.

This year, the hack that drew most attention was by a 25-year-old female known only by her initials “tyy”.

Within half an hour, she demonstrated the ability to break into the user accounts of four Chinese bike-sharing companies – Xiaoming, 100Bike, Yonganxing and Xiangqi – obtaining not only a user’s log-in credentials, but also information such as the user’s bike-renting history and account balance.

With the credentials obtained, “tyy” then took her hack a step further – her assistant in Shanghai was able to log into the users’ accounts with the information provided and rent bikes with them, essentially riding for free with someone else’s money.

“Over the past month, I have researched more than 10 bike-sharing companies and found security loopholes in seven of them, although I only demonstrated four [on Saturday],” she said, adding that even the biggest bike-sharing companies were prone to loopholes.

She also previously discovered that Mobike, for instance, one of China’s two largest bike-sharing companies backed by Tencent Holdings, Foxconn and Temasek Holdings, had a security loophole that would allow her to obtain security credentials.

She said this was patched within a day of her discovery, which she put down to coincidence as she did not report it to the company, but it still showed that even major firms had serious loopholes.

“The biggest impact of such a loophole is user privacy. Money is not so much of an issue – one ride is only 50 cents, it will take a long time to lose 100 yuan [US$15]. But many users ride these bikes to their office and back home – hackers can easily find out their addresses through these loopholes,” she said.

She said loopholes that caused a loss of user privacy were “unforgivable”, especially since they were sometimes due to sloppy programming by the respective firms.

“A problem with [ride-sharing] is that the industry is expanding much faster than the technology and technology is also developing more rapidly than their security abilities,” Wang said.

“Security and technology development have not been moving at the same pace. Perhaps now, in technology we have surpassed the United States in certain aspects, but in terms of cybersecurity we are still behind by a decade.”

Such hacking competitions can help draw attention to the need for cybersecurity, but despite the buzz generated at such events, companies often still take “little or no action”, according to Michael Gazeley, chief executive of cybersecurity firm Network Box Corp.

“The internet of things is the rapid injection of data into all our lives. Cameras, microphones, GPS location systems ... are monitoring everything we do, say and type. Users can lose privacy, money and even personal safety,” he said.

“Too few people, companies and organisations seem to actually care much about cybersecurity ... Unfortunately, things will only get worse until people wake up and say ‘no’.”