1 00:00:06,480 --> 00:00:08,160 On the morning of May 12th, 2 00:00:08,160 --> 00:00:12,320 NHS staff were about to be confronted by a major outbreak... 3 00:00:16,400 --> 00:00:20,440 ..as an epidemic swept like wildfire across the country. 4 00:00:25,320 --> 00:00:29,440 But the disease didn't infect patients, and it wasn't biological. 5 00:00:31,600 --> 00:00:36,080 Instead it attacked the central nervous system of the NHS itself. 6 00:00:40,320 --> 00:00:42,000 Across the country, 7 00:00:42,000 --> 00:00:45,720 computer systems were knocked out by a highly contagious computer virus. 8 00:00:47,400 --> 00:00:49,880 Hello, can I speak to IT, please? 9 00:00:49,880 --> 00:00:52,160 It became known as WannaCry. 10 00:00:52,160 --> 00:00:55,560 There's a message on my screen, it says my files have been encrypted. 11 00:00:55,560 --> 00:00:57,960 This is the story of a uniquely challenging day 12 00:00:57,960 --> 00:01:00,240 for the National Health Service. 13 00:01:00,240 --> 00:01:03,240 A day when the NHS itself became a patient. 14 00:01:03,240 --> 00:01:07,360 It was attacked by a particularly vicious piece of computer code 15 00:01:07,360 --> 00:01:08,800 which took down its networks, 16 00:01:08,800 --> 00:01:11,440 its computers and anything attached to them. 17 00:01:11,440 --> 00:01:14,680 And that meant patient record systems, CT scanners, 18 00:01:14,680 --> 00:01:16,480 even MRI machines, 19 00:01:16,480 --> 00:01:19,480 putting not just data but also patients' lives at risk. 20 00:01:21,360 --> 00:01:24,840 The surgeon looked very forlorn and very sorry, 21 00:01:24,840 --> 00:01:28,960 and that was when he then told me that he couldn't do the operation. 22 00:01:28,960 --> 00:01:30,960 We were unable to book appointments, 23 00:01:30,960 --> 00:01:33,560 we were unable to see who would be coming in tomorrow, 24 00:01:33,560 --> 00:01:38,160 so we were really paralysed and at a loss of what to do. 
25 00:01:38,160 --> 00:01:42,720 Horizon unpicks the science behind the recent widespread cyber attack 26 00:01:42,720 --> 00:01:44,720 that hit our National Health Service. 27 00:01:45,720 --> 00:01:49,200 And, in his first television interview, we meet the 22-year-old 28 00:01:49,200 --> 00:01:53,920 cyber security specialist who stopped it in its tracks. 29 00:01:53,920 --> 00:01:55,480 I checked the message board. 30 00:01:55,480 --> 00:01:59,280 There were maybe 16, 17 reports of different NHS, sort of, 31 00:01:59,280 --> 00:02:01,800 organisations being hit. 32 00:02:01,800 --> 00:02:05,040 And that was sort of the point where I decided, "My holiday's over, 33 00:02:05,040 --> 00:02:06,720 "I've got to look into this." 34 00:02:06,720 --> 00:02:12,560 The outbreak exposed a vulnerability at the heart of the NHS. 35 00:02:12,560 --> 00:02:15,400 I am a doctor, and all of this is a worry. 36 00:02:15,400 --> 00:02:18,520 I want to know what happens, I want to know why it happens, 37 00:02:18,520 --> 00:02:21,720 and I want to know how I can protect my patients 38 00:02:21,720 --> 00:02:24,800 from this new strain of infectious disease. 39 00:02:45,040 --> 00:02:47,240 I found out about the attacks the way most people did, 40 00:02:47,240 --> 00:02:49,720 through news reports. 41 00:02:49,720 --> 00:02:53,200 Now, mercifully, the hospital that I work for wasn't affected, 42 00:02:53,200 --> 00:02:55,640 but as details emerged, it became clear that colleagues all 43 00:02:55,640 --> 00:02:59,000 over the NHS were getting into work that day, 44 00:02:59,000 --> 00:03:01,520 setting up their computers 45 00:03:01,520 --> 00:03:04,280 and being greeted with a screen that looks like this. 
46 00:03:04,280 --> 00:03:07,920 Now it's very polite - it tells you what it's done, it's encrypted 47 00:03:07,920 --> 00:03:11,000 all of your data, tells you what you have to do, which is pay some money, 48 00:03:11,000 --> 00:03:13,320 and it tells you that if you pay the money now, 49 00:03:13,320 --> 00:03:15,040 you won't have to pay quite so much. 50 00:03:15,040 --> 00:03:17,560 Otherwise you're going to lose everything. 51 00:03:20,400 --> 00:03:26,480 On 12th May 2017, the cyber attack wrought havoc across the NHS. 52 00:03:26,480 --> 00:03:28,680 It hit many hospital trusts, 53 00:03:28,680 --> 00:03:32,800 and some A&E departments even closed their doors to ambulances. 54 00:03:32,800 --> 00:03:35,040 Operations were cancelled. 55 00:03:35,040 --> 00:03:36,440 Patients were diverted. 56 00:03:37,880 --> 00:03:40,320 But the story of the virus itself 57 00:03:40,320 --> 00:03:43,520 goes back far further than the events of that day. 58 00:04:08,160 --> 00:04:12,200 With all outbreaks, there's always a point of origin. 59 00:04:12,200 --> 00:04:15,040 A moment when the virus first emerges. 60 00:04:23,360 --> 00:04:26,960 DRAMATIC MUSIC PLAYS 61 00:04:49,920 --> 00:04:52,640 Down! Down! Hands on your head! 62 00:04:52,640 --> 00:04:54,320 Down, down, down! 63 00:04:55,520 --> 00:04:57,560 Cuff him! 64 00:05:03,400 --> 00:05:04,800 For over 20 years, 65 00:05:04,800 --> 00:05:08,880 Harold Martin worked as a contractor for US government intelligence. 66 00:05:18,040 --> 00:05:21,000 On the day of his arrest, agents found stolen drives 67 00:05:21,000 --> 00:05:24,120 containing more than 50 terabytes of classified data... 68 00:05:26,160 --> 00:05:29,400 ..allegedly including top-secret hacking tools 69 00:05:29,400 --> 00:05:32,080 stockpiled by the National Security Agency. 70 00:05:42,400 --> 00:05:45,080 Harold Martin's arrest followed a tweet 71 00:05:45,080 --> 00:05:48,280 by a mysterious group calling themselves the Shadow Brokers. 
72 00:05:52,560 --> 00:05:55,440 They were offering National Security Agency hacking tools 73 00:05:55,440 --> 00:06:00,280 to anyone prepared to pay the $580 million asking price. 74 00:06:02,720 --> 00:06:04,520 According to reports, 75 00:06:04,520 --> 00:06:07,000 once they found out about the Shadow Brokers' demands, 76 00:06:07,000 --> 00:06:10,320 the NSA triggered an internal investigation and, 77 00:06:10,320 --> 00:06:13,680 just a couple of weeks later, Harold Martin was arrested. 78 00:06:13,680 --> 00:06:15,720 Now, there's no evidence at all 79 00:06:15,720 --> 00:06:18,360 that he passed on information to the Shadow Brokers, 80 00:06:18,360 --> 00:06:21,400 but, interestingly, on the hard drives in his home, 81 00:06:21,400 --> 00:06:24,440 was found the hacking tool, Eternal Blue. 82 00:06:24,440 --> 00:06:28,520 Now, Eternal Blue is a kind of key that allows you to prise open 83 00:06:28,520 --> 00:06:31,960 the Windows 7 operating system, and it is that which allowed hackers to 84 00:06:31,960 --> 00:06:38,240 cause havoc across organisations all over the world, including the NHS. 85 00:06:44,360 --> 00:06:46,040 When it comes to attribution, 86 00:06:46,040 --> 00:06:48,720 in other words identifying the true source of attacks, 87 00:06:48,720 --> 00:06:53,280 the world in cyber is a lot more difficult than, 88 00:06:53,280 --> 00:06:56,440 say for example, physical, because, you know, you can make your attack 89 00:06:56,440 --> 00:06:58,720 appear to come from anywhere in the world. 90 00:07:00,000 --> 00:07:02,680 So, Shadow Brokers is an anonymous entity, 91 00:07:02,680 --> 00:07:04,800 we don't really know who's behind Shadow Brokers. 92 00:07:06,880 --> 00:07:09,960 It's generally assumed in the security research community 93 00:07:09,960 --> 00:07:14,160 that the Shadow Brokers are, in effect, an arm of the Russian state. 
94 00:07:22,680 --> 00:07:24,600 35 days before the cyber attack, 95 00:07:24,600 --> 00:07:26,800 it was business as usual across the NHS. 96 00:07:29,640 --> 00:07:33,320 But at this moment, the Shadow Brokers made a fateful decision. 97 00:07:34,720 --> 00:07:36,800 With no buyer coming forward, 98 00:07:36,800 --> 00:07:41,640 they dumped their trove of stolen cyber-weapons online, for free. 99 00:07:43,560 --> 00:07:46,520 They were now available for anyone to use. 100 00:07:50,920 --> 00:07:55,280 Cal Leeming is someone with unique insight into the cyber underworld. 101 00:07:55,280 --> 00:07:58,760 He taught himself to hack, and he started young. 102 00:07:58,760 --> 00:08:00,320 When I was about nine years old, 103 00:08:00,320 --> 00:08:04,160 my grandparents got me my first computer. 104 00:08:04,160 --> 00:08:05,800 A proper computer. 105 00:08:05,800 --> 00:08:09,240 My eyes were opened when I started using these chatrooms 106 00:08:09,240 --> 00:08:11,720 and started talking to this wider audience. 107 00:08:11,720 --> 00:08:16,800 People were talking about being able to share PlayStation games. 108 00:08:16,800 --> 00:08:19,240 They were sharing credit card information. 109 00:08:19,240 --> 00:08:23,080 Attracted to free games as an escape from his hard upbringing, 110 00:08:23,080 --> 00:08:26,240 he soon graduated to something more serious. 111 00:08:26,240 --> 00:08:27,960 There wasn't much money at all. 112 00:08:27,960 --> 00:08:33,200 So I found myself using credit cards that I had got from hacking 113 00:08:33,200 --> 00:08:35,440 to send food deliveries to the house. 114 00:08:36,600 --> 00:08:40,960 So it was a mixture of 50% just utter curiosity 115 00:08:40,960 --> 00:08:42,960 and wanting to learn more, 116 00:08:42,960 --> 00:08:44,600 and the other 50% survival. 117 00:08:46,240 --> 00:08:49,920 At the age of just 12, Cal was arrested. 118 00:08:49,920 --> 00:08:53,120 He became the UK's youngest ever cybercriminal. 
119 00:08:53,120 --> 00:08:54,840 It was very, very traumatic. 120 00:08:54,840 --> 00:08:56,560 And they sat me down and said, 121 00:08:56,560 --> 00:09:00,200 "Cal, do you understand what you have done was against the law?" 122 00:09:01,400 --> 00:09:05,520 My answer to them was, "All I've done was typed on a keyboard." 123 00:09:05,520 --> 00:09:07,400 Because that's my mind-set, at the time. 124 00:09:07,400 --> 00:09:09,800 I was like, "Why is it that I'm typing on the keyboard to 125 00:09:09,800 --> 00:09:12,240 "survive and I'm now getting arrested?" 126 00:09:12,240 --> 00:09:15,600 And I thought that was very unfair at the time. 127 00:09:15,600 --> 00:09:18,720 Cal continued to hack until 2005, 128 00:09:18,720 --> 00:09:22,760 when he was caught again for using over 10,000 stolen identities 129 00:09:22,760 --> 00:09:27,400 to purchase goods worth £750,000. 130 00:09:28,520 --> 00:09:33,360 Eventually, when I was 18, I handed myself in, 131 00:09:33,360 --> 00:09:37,800 and the arresting officer in my case gave me a chance 132 00:09:37,800 --> 00:09:40,200 to turn my life around in exchange for going to prison 133 00:09:40,200 --> 00:09:41,480 for a little bit. 134 00:09:43,080 --> 00:09:44,720 I owe that guy a lot. 135 00:09:47,600 --> 00:09:51,640 After serving a 15-month jail sentence, he changed sides, 136 00:09:51,640 --> 00:09:54,280 and now runs a cyber security firm. 137 00:09:56,200 --> 00:09:59,560 Why do hackers do what they do? Why do hackers hack? 138 00:09:59,560 --> 00:10:03,520 People have their own motivations for wanting to get into hacking. 139 00:10:03,520 --> 00:10:06,280 Sometimes it is financial, other times criminal, 140 00:10:06,280 --> 00:10:09,120 and sometimes it's just pure curiosity. 141 00:10:09,120 --> 00:10:13,960 Right now we don't know who started this attack, at least not for sure. 
142 00:10:13,960 --> 00:10:16,640 Do you think, at any level, the people who carried out this attack 143 00:10:16,640 --> 00:10:20,680 would have felt slightly appalled that this attack spilt over 144 00:10:20,680 --> 00:10:22,720 into the National Health Service? 145 00:10:22,720 --> 00:10:25,160 That's a difficult one to answer, 146 00:10:25,160 --> 00:10:28,440 because it's not a single group that does all hacking in the world, 147 00:10:28,440 --> 00:10:30,440 it's lots and lots of very tiny groups, 148 00:10:30,440 --> 00:10:32,680 sometimes a single person, sometimes lots of people, 149 00:10:32,680 --> 00:10:34,840 and with each group, within each environment, 150 00:10:34,840 --> 00:10:36,760 you have your own set of rules, 151 00:10:36,760 --> 00:10:39,360 conditions and social etiquette and all these things. 152 00:10:39,360 --> 00:10:43,320 So, in some cases, yes, there are going to be some people 153 00:10:43,320 --> 00:10:46,720 that are outraged, even on the criminal side, that they've... 154 00:10:46,720 --> 00:10:48,120 That it went this far. 155 00:10:48,120 --> 00:10:51,160 And in other cases, they might have purposefully wanted it 156 00:10:51,160 --> 00:10:54,560 to go that far. It depends on the individual. 157 00:10:57,040 --> 00:11:01,720 Whatever their motivation, what we know for sure is that someone 158 00:11:01,720 --> 00:11:05,400 did use the alleged NSA exploit Eternal Blue 159 00:11:05,400 --> 00:11:07,600 to create a devastating cyber-weapon. 160 00:11:08,800 --> 00:11:12,080 Within four weeks of Eternal Blue being released, 161 00:11:12,080 --> 00:11:13,720 the attack was ready. 162 00:11:13,720 --> 00:11:17,560 Eternal Blue was mashed together with other pieces of malicious code 163 00:11:17,560 --> 00:11:20,960 and then unleashed on the world, and it was given a name. 164 00:11:30,800 --> 00:11:33,400 A security patch against Eternal Blue 165 00:11:33,400 --> 00:11:37,080 had been made available by Microsoft. 
166 00:11:37,080 --> 00:11:39,480 But on the night before the cyber attack, 167 00:11:39,480 --> 00:11:44,360 any machine that hadn't installed the update was still vulnerable... 168 00:11:44,360 --> 00:11:46,960 including many in the NHS. 169 00:11:51,600 --> 00:11:54,920 Infection was now just a matter of time. 170 00:12:03,680 --> 00:12:05,640 On the morning of the cyber-attack, 171 00:12:05,640 --> 00:12:10,360 22-year-old Marcus Hutchins was in the middle of his holiday. 172 00:12:10,360 --> 00:12:12,400 If there was any surf, I might have been surfing. 173 00:12:12,400 --> 00:12:16,480 It's so dynamic, the waves are never the same on two days. 174 00:12:18,120 --> 00:12:22,360 Marcus works remotely for an LA-based cyber intelligence company. 175 00:12:22,360 --> 00:12:25,920 I track malware. I track malicious code that affects users, 176 00:12:25,920 --> 00:12:28,080 and I find ways to track and stop it. 177 00:12:29,240 --> 00:12:31,080 And despite being on leave, 178 00:12:31,080 --> 00:12:34,600 he was still monitoring the global malware outbreak. 179 00:12:34,600 --> 00:12:37,320 I woke up, I checked the message board, there were a couple of 180 00:12:37,320 --> 00:12:41,240 reports of ransomware infections, but I didn't think much of it. 181 00:12:41,240 --> 00:12:42,880 From his home in Devon, 182 00:12:42,880 --> 00:12:47,520 his curiosity would play a crucial role as the day's events unfolded. 183 00:12:51,800 --> 00:12:53,960 In London, Patrick Ward had spent the night 184 00:12:53,960 --> 00:12:56,080 in St Bartholomew's Hospital. 185 00:12:57,280 --> 00:12:58,920 Like thousands of others, 186 00:12:58,920 --> 00:13:01,200 in operating theatres across the country, 187 00:13:01,200 --> 00:13:03,280 he was in for planned surgery, 188 00:13:03,280 --> 00:13:06,440 in his case to correct a serious heart problem. 
189 00:13:06,440 --> 00:13:08,640 They woke me at six o'clock, 190 00:13:08,640 --> 00:13:11,680 as they do in hospital, 191 00:13:11,680 --> 00:13:18,840 and one of the nurses came round and shaved my chest, ready for, 192 00:13:18,840 --> 00:13:20,840 obviously, the opening of the chest cavity. 193 00:13:22,080 --> 00:13:25,720 I was nervous, but I was very excited, very... 194 00:13:25,720 --> 00:13:31,400 confident about the operation and what was going to happen. 195 00:13:31,400 --> 00:13:34,640 I'd...yeah, mentally got myself in the right place 196 00:13:34,640 --> 00:13:37,200 to have open heart surgery, 197 00:13:37,200 --> 00:13:39,760 and was, yeah, fantastic, ready to go. 198 00:13:39,760 --> 00:13:42,280 PHONE RINGS 199 00:13:42,280 --> 00:13:46,800 The condition I have is hypertrophic cardiomyopathy, 200 00:13:46,800 --> 00:13:50,120 which is an enlarged heart. 201 00:13:50,120 --> 00:13:52,400 It means I struggle to do normal things - walk, 202 00:13:52,400 --> 00:13:56,200 I can't do any sporting activities, lifting heavy objects 203 00:13:56,200 --> 00:13:59,040 obviously puts a big strain on the heart. 204 00:13:59,040 --> 00:14:01,680 It makes me feel extremely useless. 205 00:14:01,680 --> 00:14:06,680 I've had some very dark moments over the last couple of years, 206 00:14:06,680 --> 00:14:09,400 so I'd like to, yeah, get back to leading 207 00:14:09,400 --> 00:14:12,880 a normal fit and healthy life. 208 00:14:12,880 --> 00:14:16,520 But before surgery could start, Patrick needed some tests. 209 00:14:16,520 --> 00:14:18,560 They wanted to check out my arteries, 210 00:14:18,560 --> 00:14:22,440 so they sent me down for a cardio angiogram in the morning. 211 00:14:22,440 --> 00:14:25,480 So after having the angiogram and some drugs, I was very... 212 00:14:25,480 --> 00:14:30,120 I was even more relaxed and ready for the afternoon operation. 
213 00:14:32,960 --> 00:14:35,000 While Patrick waited for theatre, 214 00:14:35,000 --> 00:14:39,360 in Devon, Marcus was keeping an eye out for global cyber-attacks. 215 00:14:42,000 --> 00:14:46,200 I checked the message board. There were maybe 16, 17 reports 216 00:14:46,200 --> 00:14:50,240 of different NHS, sort of, organisations being hit. 217 00:14:50,240 --> 00:14:53,200 And that was the point where I decided my holiday is over. 218 00:14:57,760 --> 00:14:59,800 By late morning, the attack had begun. 219 00:14:59,800 --> 00:15:03,160 Somehow, a worm had got into the NHS. 220 00:15:03,160 --> 00:15:04,840 And on the other side of the world, 221 00:15:04,840 --> 00:15:07,680 somebody was tracking the progress 222 00:15:07,680 --> 00:15:08,560 of the outbreak. 223 00:15:11,400 --> 00:15:15,200 Marcen Kochinski runs a cyber security firm in California. 224 00:15:15,200 --> 00:15:19,400 Their software is installed on machines across the world. 225 00:15:19,400 --> 00:15:23,760 Every time we disinfect a machine, it pings that information back 226 00:15:23,760 --> 00:15:26,800 to the labs teams. Real-time information was streaming in, 227 00:15:26,800 --> 00:15:28,640 regarding these specific attacks. 228 00:15:28,640 --> 00:15:31,880 We were able to actually create a live map, 229 00:15:31,880 --> 00:15:35,640 where the infection is spreading. Very similar to a human infection 230 00:15:35,640 --> 00:15:39,400 spreading worldwide. We were able to do that from a computer perspective. 231 00:15:39,400 --> 00:15:41,120 So, we started detecting the attack. 232 00:15:41,120 --> 00:15:45,920 Actually, our first detection was, according to this, Thursday. 233 00:15:45,920 --> 00:15:48,720 We call that, kind of, day minus one, day one. 234 00:15:48,720 --> 00:15:52,600 And one of the first computers that we disinfected was in Russia, 235 00:15:52,600 --> 00:15:54,240 which was very interesting for us to see. 
236 00:15:59,920 --> 00:16:01,720 But then, you look at Friday and Saturday 237 00:16:01,720 --> 00:16:04,160 and through the rest of the weekend, 238 00:16:04,160 --> 00:16:06,520 the map just completely explodes. 239 00:16:06,520 --> 00:16:11,120 We see infections all over the world, predominantly in Europe, 240 00:16:11,120 --> 00:16:14,400 but also in the US and they do not relent. 241 00:16:16,560 --> 00:16:19,960 They were witnessing the largest and fastest-spreading outbreak 242 00:16:19,960 --> 00:16:22,200 anyone had seen in recent years. 243 00:16:23,120 --> 00:16:24,680 The threat spread so quickly 244 00:16:24,680 --> 00:16:26,320 that we actually would have to go 245 00:16:26,320 --> 00:16:27,520 down to the milliseconds 246 00:16:27,520 --> 00:16:29,000 to see when it first appeared 247 00:16:29,000 --> 00:16:30,160 in the UK. 248 00:16:30,160 --> 00:16:32,080 We think it is sometime Friday morning. 249 00:16:33,200 --> 00:16:35,080 But we really have to slow this down 250 00:16:35,080 --> 00:16:37,560 and look at the millions of data points we have here to isolate 251 00:16:37,560 --> 00:16:39,080 the day we saw it in the UK first. 252 00:16:40,920 --> 00:16:43,440 The first outbreak Marcen detected in London 253 00:16:43,440 --> 00:16:47,240 showed up in the afternoon at 18 minutes past one. 254 00:16:51,440 --> 00:16:54,960 Across the country, hospitals like this found themselves 255 00:16:54,960 --> 00:16:57,600 either in the grip of the attack or desperately trying to switch off 256 00:16:57,600 --> 00:17:01,320 systems in an attempt to prevent possible infection. 257 00:17:01,320 --> 00:17:04,680 One of London's largest, most capable hospital trusts, 258 00:17:04,680 --> 00:17:06,600 St Bartholomew's and the Royal London, 259 00:17:06,600 --> 00:17:09,520 found itself amongst the most severely affected. 
260 00:17:09,520 --> 00:17:12,800 So, NHS staff put into place contingency plans, 261 00:17:12,800 --> 00:17:15,720 working tirelessly to keep everything running. 262 00:17:15,720 --> 00:17:17,160 But there were consequences. 263 00:17:20,520 --> 00:17:23,680 The surgeon, he had been to see me, to say, "Pat, I'll be with you 264 00:17:23,680 --> 00:17:27,040 "at one o'clock-ish, after I've done my rounds." 265 00:17:27,040 --> 00:17:30,400 He then came back again and said, "How are you doing? Everything OK?" 266 00:17:30,400 --> 00:17:33,200 I said, "Yeah, fine. I'm here, ready and waiting. 267 00:17:33,200 --> 00:17:36,160 "I'm not going anywhere." And he said, "Great. We're all ready. 268 00:17:36,160 --> 00:17:38,840 "Everybody is getting organised for you down in theatre. 269 00:17:38,840 --> 00:17:41,680 "The team are there, they are looking forward to meeting you." 270 00:17:41,680 --> 00:17:43,320 This was 10 o'clock, 12 o'clock 271 00:17:43,320 --> 00:17:44,920 and then, at half past one, 272 00:17:44,920 --> 00:17:51,440 he turned up again and looked very, yeah, forlorn 273 00:17:51,440 --> 00:17:54,480 and very sorry. And that was when he then told me 274 00:17:54,480 --> 00:17:56,080 that he couldn't do the operation. 275 00:17:57,920 --> 00:18:00,920 With computer systems down, the surgeon was unable to access 276 00:18:00,920 --> 00:18:03,600 Patrick's angiogram and blood results. 277 00:18:03,600 --> 00:18:06,120 Without them, the operation could not go ahead. 278 00:18:08,000 --> 00:18:12,120 I was numb. It is the only way I can describe it. 279 00:18:12,120 --> 00:18:14,440 Yeah, I just felt nothing. I was absolutely... 280 00:18:14,440 --> 00:18:18,000 I couldn't believe it. I was just absolutely flabbergasted. 281 00:18:21,480 --> 00:18:23,760 It wasn't until the Monday, really, 282 00:18:23,760 --> 00:18:27,160 that the realisation of "What do I do?" 
283 00:18:27,160 --> 00:18:30,720 I didn't have any idea as to whether I'd have to wait another year 284 00:18:30,720 --> 00:18:34,680 for the operation. There was just no information available. 285 00:18:34,680 --> 00:18:36,760 It's very frustrating. 286 00:18:36,760 --> 00:18:40,160 Speak to my wife, she will tell you how grumpy I have been 287 00:18:40,160 --> 00:18:43,560 since the operation was cancelled. Not having a date, 288 00:18:43,560 --> 00:18:48,480 something to aim for. So it was extremely, extremely frustrating. 289 00:18:51,360 --> 00:18:53,960 This is what makes me angriest about this whole thing. 290 00:18:53,960 --> 00:18:57,840 This cyber attack isn't about an abstract piece of technology, 291 00:18:57,840 --> 00:18:59,880 it's not about ransoms or ransomware. 292 00:18:59,880 --> 00:19:03,760 It's not about firewalls or patches. It's about people and their lives 293 00:19:03,760 --> 00:19:06,600 and how it affects them. It is about being forced, as a doctor, 294 00:19:06,600 --> 00:19:09,640 to look someone like Patrick in the eye and to let him down 295 00:19:09,640 --> 00:19:11,240 at the worst possible moment. 296 00:19:14,280 --> 00:19:15,720 And Patrick wasn't alone. 297 00:19:15,720 --> 00:19:18,960 The cyber attack had become national news. 298 00:19:18,960 --> 00:19:22,720 The NHS is the victim of a major cyber attack. 299 00:19:22,720 --> 00:19:27,080 At least 25 hospital trusts and GP surgeries have been affected. 300 00:19:27,080 --> 00:19:30,160 Routine operations at some hospitals are being cancelled, 301 00:19:30,160 --> 00:19:32,400 ambulances diverted and patients sent home. 302 00:19:35,840 --> 00:19:37,640 I went out to lunch. I got back. 303 00:19:37,640 --> 00:19:42,360 I then saw lots of reports from different sectors of the NHS. 304 00:19:42,360 --> 00:19:44,800 They were all just simultaneously saying, "We're being hit." 
305 00:19:48,320 --> 00:19:50,760 I thought, "This one thing is hitting all these sectors, 306 00:19:50,760 --> 00:19:52,680 "so it's got to be something pretty big", 307 00:19:52,680 --> 00:19:54,120 so I went and I looked into it. 308 00:19:57,160 --> 00:20:00,000 I asked a friend of mine in the industry if he had a sample 309 00:20:00,000 --> 00:20:02,040 of the actual malware that was going around 310 00:20:02,040 --> 00:20:03,280 and he sent it to me. 311 00:20:03,280 --> 00:20:07,120 I use virtualisation software, which basically makes a computer 312 00:20:07,120 --> 00:20:10,320 within your computer, so that it wouldn't affect me 313 00:20:10,320 --> 00:20:11,880 and I saw what it did. 314 00:20:15,080 --> 00:20:16,160 Marcus wasn't alone. 315 00:20:19,080 --> 00:20:21,320 Cal, too, set to work examining the malware. 316 00:20:23,920 --> 00:20:27,080 I wanted to find out from him what made this cyber attack 317 00:20:27,080 --> 00:20:28,440 so ruthlessly effective. 318 00:20:31,480 --> 00:20:33,520 So, what we've got is a machine 319 00:20:33,520 --> 00:20:36,560 that is going to effectively act as patient zero. 320 00:20:36,560 --> 00:20:40,640 We've got a second machine to reconstruct how this 321 00:20:40,640 --> 00:20:45,680 particular variant of WannaCry spreads across multiple machines. 322 00:20:45,680 --> 00:20:51,080 In here is what I have dubbed, "The internet in a box." 323 00:20:51,080 --> 00:20:54,760 To make the malware reveal itself, we have to make it believe 324 00:20:54,760 --> 00:20:57,920 these computers are connected to the real internet 325 00:20:57,920 --> 00:21:02,280 and this box provides the necessary dummy signals, whilst protecting 326 00:21:02,280 --> 00:21:03,640 the outside world from harm. 327 00:21:05,000 --> 00:21:09,400 What we're going to do now is run the WannaCry ransomware. 328 00:21:14,600 --> 00:21:15,520 There you go. 329 00:21:15,520 --> 00:21:17,000 And that's the screen of doom. 
330 00:21:19,000 --> 00:21:21,120 So, this is this machine out of action. Exactly. 331 00:21:26,520 --> 00:21:28,080 With the files locked up, 332 00:21:28,080 --> 00:21:29,360 the clock is ticking. 333 00:21:31,400 --> 00:21:33,640 But as the victim decides whether or not to pay, 334 00:21:33,640 --> 00:21:35,880 the malware is already planning its next attacks. 335 00:21:37,920 --> 00:21:39,880 This particular strain has two components. 336 00:21:39,880 --> 00:21:41,400 It has the ransomware itself, 337 00:21:41,400 --> 00:21:43,800 which is what we see here, and it has the worm component, 338 00:21:43,800 --> 00:21:47,240 which was taken from Eternal Blue, 339 00:21:47,240 --> 00:21:51,120 which is a government weapons-grade exploit. 340 00:21:51,120 --> 00:21:54,800 This machine here is actually giving us a bit of insight. 341 00:21:54,800 --> 00:21:57,800 And what this is showing us is that it is trying 342 00:21:57,800 --> 00:21:59,840 to spread across the network. 343 00:21:59,840 --> 00:22:03,240 You don't really think about it, do you? All the output from 344 00:22:03,240 --> 00:22:05,560 a machine isn't just what you see on your screen. 345 00:22:05,560 --> 00:22:08,400 There is a lot of silent chatter going on in the background. Exactly. 346 00:22:08,400 --> 00:22:11,440 If you imagine a big room of people and you shout out, "Who's here?!" 347 00:22:11,440 --> 00:22:14,000 And everyone puts their hand up. That is effectively what 348 00:22:14,000 --> 00:22:16,720 these machines are doing. It shouts out and says, "Who's here?!" 349 00:22:16,720 --> 00:22:21,080 and then, the machines reply. What it then tries to do is it hits 350 00:22:21,080 --> 00:22:24,520 each of those machines with this payload. This worm is now spreading 351 00:22:24,520 --> 00:22:27,480 out across the network and in an instance where you have got... 352 00:22:27,480 --> 00:22:32,760 There we go. And as you can see, it's now spread onto this machine. 
353 00:22:36,680 --> 00:22:40,480 Eternal Blue had been expertly designed to silently move 354 00:22:40,480 --> 00:22:45,360 from one machine to another across a local area network or LAN. 355 00:22:45,360 --> 00:22:49,360 Groups of computers joined together inside a business or a hospital. 356 00:22:51,440 --> 00:22:54,880 With the LAN infected, it spread to the internet. 357 00:22:58,720 --> 00:23:02,800 If you imagine you have got your big internet cloud down here 358 00:23:02,800 --> 00:23:05,680 and each dot represents a machine and there is billions 359 00:23:05,680 --> 00:23:09,520 of these machines, OK? And what it does is 360 00:23:09,520 --> 00:23:13,000 the attack will make a direct connection to your machine 361 00:23:13,000 --> 00:23:17,880 and if you are exposing this port to the internet, someone could 362 00:23:17,880 --> 00:23:23,760 infect your machine without needing to have local access to it 363 00:23:23,760 --> 00:23:25,880 or be on the same network. 364 00:23:25,880 --> 00:23:29,920 What is even more disturbing from there is, 365 00:23:29,920 --> 00:23:33,200 if you look at the research tools that actually analyse the internet, 366 00:23:33,200 --> 00:23:36,920 you can go and query today, right now, how many of these machines 367 00:23:36,920 --> 00:23:39,600 on the internet have got this vulnerable service open. 368 00:23:39,600 --> 00:23:43,120 Through the internet, anyone can go and try and exploit them 369 00:23:43,120 --> 00:23:45,880 and there are hundreds and hundreds and hundreds of thousands 370 00:23:45,880 --> 00:23:47,080 of these machines. 371 00:23:49,320 --> 00:23:51,360 The malware sought out these weaknesses 372 00:23:51,360 --> 00:23:53,640 and wormed its way into all manner of networks. 373 00:23:53,640 --> 00:23:58,920 From companies like Nissan in the UK to Renault in France, 374 00:23:58,920 --> 00:24:02,520 from a postal service in Russia to a German railway operator. 
375 00:24:06,600 --> 00:24:11,280 And to be clear, this does not depend upon any human interaction? 376 00:24:11,280 --> 00:24:16,200 It's automatic propagation. There is no human interaction here required 377 00:24:16,200 --> 00:24:21,840 at all. And that is why the ransomware itself was 378 00:24:21,840 --> 00:24:25,200 relatively low-key, to be fair. There wasn't anything particularly 379 00:24:25,200 --> 00:24:29,280 special about it, but when combined with 380 00:24:29,280 --> 00:24:35,800 a government weapons-grade exploit, the impact has been devastating. 381 00:24:39,920 --> 00:24:43,160 No-one needed to click on a link or open a dodgy e-mail. 382 00:24:43,160 --> 00:24:46,400 The worm spread all by itself, 383 00:24:46,400 --> 00:24:50,800 exploding across networks in a matter of hours. 384 00:25:02,880 --> 00:25:06,360 Across the country, the surprisingly virulent attack meant that 385 00:25:06,360 --> 00:25:08,560 several hospitals were beginning to struggle. 386 00:25:08,560 --> 00:25:11,800 And wherever the ransomware was found, they would switch off 387 00:25:11,800 --> 00:25:14,440 machines in an attempt to contain the outbreak. 388 00:25:14,440 --> 00:25:18,280 Nevertheless, some of those networks went dark. 389 00:25:18,280 --> 00:25:20,960 Now, even that was not a complete disaster, 390 00:25:20,960 --> 00:25:22,920 because in the NHS, we have contingency plans 391 00:25:22,920 --> 00:25:25,440 for almost every conceivable emergency, 392 00:25:25,440 --> 00:25:28,280 from power outages, terrorist attacks, 393 00:25:28,280 --> 00:25:30,320 even a cyber attack of this kind. 394 00:25:34,600 --> 00:25:38,600 So, what was it that forced some accident and emergency departments 395 00:25:38,600 --> 00:25:42,880 to close their doors that day? A&E relies upon support 396 00:25:42,880 --> 00:25:47,240 from state-of-the-art technologies and specialities. 
397 00:25:47,240 --> 00:25:50,200 And these were some of the hardest hit, 398 00:25:50,200 --> 00:25:54,040 among them, doctors and their systems in radiology. 399 00:25:54,040 --> 00:25:57,320 It is packed with the latest kit. 400 00:25:57,320 --> 00:26:01,560 X-rays, MRI scanners and CT machines that allow doctors 401 00:26:01,560 --> 00:26:05,640 to investigate the hidden extent of injury inside the body. 402 00:26:05,640 --> 00:26:08,680 When time is critical, such as with a stroke, 403 00:26:08,680 --> 00:26:12,960 radiologists like Navin Ramachandran help us to make quick, accurate, 404 00:26:12,960 --> 00:26:14,360 life-saving decisions. 405 00:26:17,000 --> 00:26:18,240 When a patient comes in, 406 00:26:18,240 --> 00:26:20,440 they turn up with typical symptoms, 407 00:26:20,440 --> 00:26:23,320 you can see they may not be able to feel 408 00:26:23,320 --> 00:26:24,520 an area, they may not 409 00:26:24,520 --> 00:26:27,000 be able to speak. That gives us an idea that there is something 410 00:26:27,000 --> 00:26:29,960 going on in the brain, but it doesn't necessarily tell us 411 00:26:29,960 --> 00:26:31,400 what the underlying cause is. 412 00:26:31,400 --> 00:26:34,080 So, it could be, if we look at this case, 413 00:26:34,080 --> 00:26:38,440 where a vessel to a part of the brain has got blocked off 414 00:26:38,440 --> 00:26:41,920 by a clot and that area is the part that has been 415 00:26:41,920 --> 00:26:44,840 deprived of blood currently. The treatment is to give 416 00:26:44,840 --> 00:26:46,880 a clot-busting drug as fast as possible, 417 00:26:46,880 --> 00:26:50,120 but there is jeopardy involved. You have to be sure precisely 418 00:26:50,120 --> 00:26:52,360 what type of stroke you're dealing with. 
419 00:26:53,560 --> 00:26:56,200 The one thing you have to be aware of is that, once in a while, 420 00:26:56,200 --> 00:26:58,880 patients that come in with exactly the same symptoms, 421 00:26:58,880 --> 00:27:01,920 they are getting the same symptoms not because of the blocked vessel, 422 00:27:01,920 --> 00:27:04,520 but because of a bleeding vessel. In this case, this vessel 423 00:27:04,520 --> 00:27:09,000 has bled. With this patient, if you give them the clot-busting drug, 424 00:27:09,000 --> 00:27:12,280 that is catastrophic and can lead to death. 425 00:27:12,280 --> 00:27:15,920 And these two patients would look very similar at presentation? 426 00:27:15,920 --> 00:27:19,080 Without doing these scans, you really wouldn't know the difference? 427 00:27:19,080 --> 00:27:21,920 Exactly. The only thing that makes it possible is having access 428 00:27:21,920 --> 00:27:24,640 to these scans, to allow others to triage people into the right 429 00:27:24,640 --> 00:27:27,480 treatment pathway. The same is true for the whole 430 00:27:27,480 --> 00:27:31,440 of emergency medicine, from car accidents to cancer. 431 00:27:31,440 --> 00:27:34,000 Radiology is an essential front line asset. 432 00:27:35,680 --> 00:27:37,840 The whole department relies on computers. 433 00:27:37,840 --> 00:27:40,480 They run the scanning machines, display the images 434 00:27:40,480 --> 00:27:42,120 and send them on to doctors in A&E. 435 00:27:44,040 --> 00:27:45,920 If these computers were infected, 436 00:27:45,920 --> 00:27:50,280 hospital managers would have little choice but to close A&E. 437 00:27:50,280 --> 00:27:52,000 It simply wouldn't be safe to stay open. 438 00:27:53,720 --> 00:27:56,560 We were very lucky in that it didn't hit our services at all. 439 00:27:56,560 --> 00:28:00,280 We have had fully digital systems for over 10-15 years, 440 00:28:00,280 --> 00:28:03,240 whereas most of the rest of the hospital still uses paper. 
441 00:28:03,240 --> 00:28:05,880 But we were completely unaffected. 442 00:28:05,880 --> 00:28:07,480 No change to the day. 443 00:28:07,480 --> 00:28:12,800 Some hospitals, like mine, UCLH, got away unscathed, 444 00:28:12,800 --> 00:28:15,200 but for those unlucky enough to be affected, 445 00:28:15,200 --> 00:28:18,280 there was still enough flex in the system to compensate. 446 00:28:18,280 --> 00:28:20,600 Nevertheless, patients were on the move, 447 00:28:20,600 --> 00:28:23,560 being transferred from hospital to hospital. 448 00:28:27,000 --> 00:28:29,560 The infection continued to spread 449 00:28:29,560 --> 00:28:33,240 and began to show up in GP surgeries across the country. 450 00:28:42,480 --> 00:28:45,800 So, this is one of the consulting rooms we are going into now. 451 00:28:45,800 --> 00:28:49,760 Dr George Farrelly is a GP working at a surgery in Tower Hamlets. 452 00:28:49,760 --> 00:28:52,520 This is our standard desktop PC and so on. 453 00:28:52,520 --> 00:28:54,480 Each consulting room has one of these. 454 00:28:57,280 --> 00:28:59,920 We have 15 machines. We do consultations with this. 455 00:28:59,920 --> 00:29:03,160 We access people's notes, we are able to make appointments, 456 00:29:03,160 --> 00:29:06,960 we send prescriptions to the chemist and plan care. 457 00:29:09,480 --> 00:29:11,000 So, this is our reception area. 458 00:29:13,640 --> 00:29:18,200 A lot happens here. This is like the information hub of the practice. 459 00:29:18,200 --> 00:29:21,440 We take our computer system a little bit for granted, I think, 460 00:29:21,440 --> 00:29:22,680 and only realised 461 00:29:22,680 --> 00:29:25,240 how reliant we are on it when we lose it. 462 00:29:33,480 --> 00:29:35,680 On Friday, 12th of May, we got a phone call 463 00:29:35,680 --> 00:29:38,960 from a neighbouring practice and they told us that they had been hit 464 00:29:38,960 --> 00:29:41,800 by some virus. 
465 00:29:41,800 --> 00:29:45,520 So, we printed out the appointment for that day, 466 00:29:45,520 --> 00:29:47,640 which would give us some information, just in case 467 00:29:47,640 --> 00:29:48,880 we had the same problem. 468 00:29:52,320 --> 00:29:56,400 I was in a meeting with some colleagues discussing patients 469 00:29:56,400 --> 00:30:01,040 and the PC we were using suddenly blanked out. 470 00:30:05,640 --> 00:30:09,640 We had to shut all our computers down, to hopefully stop any more 471 00:30:09,640 --> 00:30:12,240 of them becoming infected. 472 00:30:12,240 --> 00:30:13,840 It was complete paralysis. 473 00:30:15,360 --> 00:30:19,160 Along with the hospitals, some GP surgeries were now struggling, too. 474 00:30:20,680 --> 00:30:25,960 They connect with the rest of the NHS via a network known as N3. 475 00:30:27,840 --> 00:30:31,040 N3 is the NHS's national broadband network, 476 00:30:31,040 --> 00:30:33,360 connecting all NHS locations 477 00:30:33,360 --> 00:30:36,800 and its 1.3 million employees across England. 478 00:30:38,240 --> 00:30:40,680 It's one of the largest networks in Europe, 479 00:30:40,680 --> 00:30:44,120 with in excess of 51,000 connections. 480 00:30:45,360 --> 00:30:48,200 N3 allows us to communicate with our colleagues 481 00:30:48,200 --> 00:30:50,040 who we share care with other people. 482 00:30:50,040 --> 00:30:53,480 For example, when we send e-mails to each other 483 00:30:53,480 --> 00:30:56,800 from our NHS net e-mail account, it's more secure. 484 00:30:56,800 --> 00:31:01,200 Our security antivirus and so on is done centrally, 485 00:31:01,200 --> 00:31:03,160 it's not something we worry about. 486 00:31:03,160 --> 00:31:05,440 We never have to do patches ourselves. 487 00:31:09,880 --> 00:31:12,560 They didn't know it at the time, 488 00:31:12,560 --> 00:31:16,200 but the N3 network was actually unaffected. 489 00:31:16,200 --> 00:31:20,320 However, Windows 7 machines without the patch WERE going down. 
490 00:31:21,600 --> 00:31:24,120 So some teams disconnected their computers... 491 00:31:25,360 --> 00:31:28,600 ..cutting off access to essential clinical systems, 492 00:31:28,600 --> 00:31:30,280 deepening the disruption. 493 00:31:32,480 --> 00:31:34,120 The people who've done this 494 00:31:34,120 --> 00:31:36,960 don't understand the implications of what they're doing. 495 00:31:38,160 --> 00:31:40,320 They hadn't thought them through. 496 00:31:40,320 --> 00:31:43,320 My guess is their project is to make money 497 00:31:43,320 --> 00:31:46,920 and they just send this stuff out and it lands wherever it lands 498 00:31:46,920 --> 00:31:48,840 and they don't give any thought to it. 499 00:31:52,600 --> 00:31:55,640 What they DID give some thought to is how they got paid. 500 00:31:59,080 --> 00:32:01,920 With the ransomware hitting thousands of computers, 501 00:32:01,920 --> 00:32:05,760 the hackers needed a secure, globally accepted form of payment 502 00:32:05,760 --> 00:32:07,800 that ideally would be untraceable. 503 00:32:09,600 --> 00:32:12,280 They decided to use Bitcoin - 504 00:32:12,280 --> 00:32:16,320 an entirely electronic form of so-called cryptocurrency. 505 00:32:18,880 --> 00:32:20,400 I've never used Bitcoin. 506 00:32:21,840 --> 00:32:24,080 But it's easy enough to buy some on a phone. 507 00:32:25,280 --> 00:32:28,720 And once loaded, you can spend it in all manner of places. 508 00:32:34,440 --> 00:32:37,640 So, can I get a flat white and a mint tea, please? Sure. 509 00:32:37,640 --> 00:32:41,520 I've come to a cafe in east London to meet Sarah Meiklejohn, 510 00:32:41,520 --> 00:32:43,400 an expert in Bitcoin, 511 00:32:43,400 --> 00:32:47,360 to find out why it's such an attractive currency for hackers. 512 00:32:50,040 --> 00:32:53,320 Perfect. Can I pay with Bitcoin? Sure. 513 00:32:53,320 --> 00:32:57,160 OK. And I just... £3.50, please. You just scan this. 514 00:32:57,160 --> 00:32:59,320 OK, I'll lean over and scan that. 
515 00:33:00,800 --> 00:33:04,080 That's it. And it's as easy as that. That's it. 516 00:33:04,080 --> 00:33:06,320 Perfect, thank you very much. Thank you. Thank you. 517 00:33:06,320 --> 00:33:07,880 Marvellous, right. 518 00:33:09,160 --> 00:33:11,920 Explain to me, then, as a complete non-initiate, 519 00:33:11,920 --> 00:33:14,440 what Bitcoin is and how it works. 520 00:33:14,440 --> 00:33:19,000 Right, so, Bitcoin is basically a purely digital form of currency. 521 00:33:19,000 --> 00:33:22,160 So it's just a currency, like the dollar, the pound. 522 00:33:22,160 --> 00:33:26,320 The main differences are that it's not backed by any government, 523 00:33:26,320 --> 00:33:29,680 there's no central bank involved in generating Bitcoins 524 00:33:29,680 --> 00:33:32,760 and you don't need a bank account to use it. 525 00:33:32,760 --> 00:33:34,560 If I want to use Bitcoin, you know, 526 00:33:34,560 --> 00:33:36,240 I want to send people Bitcoins, 527 00:33:36,240 --> 00:33:38,600 I'm going to download a piece of software, 528 00:33:38,600 --> 00:33:39,640 and in doing that, 529 00:33:39,640 --> 00:33:43,040 I'm going to join Bitcoin's peer-to-peer network. 530 00:33:43,040 --> 00:33:46,600 So this network is basically collectively responsible for 531 00:33:46,600 --> 00:33:48,760 playing all the traditional roles 532 00:33:48,760 --> 00:33:51,080 that we're used to in traditional banking. 533 00:33:51,080 --> 00:33:54,040 The recent WannaCry attack, which affected many organisations, 534 00:33:54,040 --> 00:33:56,680 including the National Health Service, 535 00:33:56,680 --> 00:34:01,160 was conducted using Bitcoin as the currency of ransom. 536 00:34:01,160 --> 00:34:03,200 Why did they use Bitcoin? 
537 00:34:03,200 --> 00:34:06,240 Opening a Bitcoin wallet, saying we're open for business, 538 00:34:06,240 --> 00:34:09,880 we can accept Bitcoins, takes very little time and effort, 539 00:34:09,880 --> 00:34:13,440 and then getting paid in Bitcoin equally takes very little effort. 540 00:34:13,440 --> 00:34:16,200 If I want to pay someone on the other side of the world, 541 00:34:16,200 --> 00:34:17,840 I can do that using Bitcoin 542 00:34:17,840 --> 00:34:20,240 and they'll get the payment instantaneously. 543 00:34:22,240 --> 00:34:25,520 It's the convenience and speed that makes it easy for hackers 544 00:34:25,520 --> 00:34:27,000 to gather their ransom. 545 00:34:27,000 --> 00:34:31,440 But as cyber security expert Mikko Hypponen explains, 546 00:34:31,440 --> 00:34:35,640 Bitcoin also offers a certain level of anonymity. 547 00:34:37,320 --> 00:34:40,080 The only thing we can see is that someone is sending money 548 00:34:40,080 --> 00:34:43,800 from one address to another address, and these addresses are 549 00:34:43,800 --> 00:34:47,240 these long lists of numbers and letters which look really random. 550 00:34:47,240 --> 00:34:51,520 They are tied to a user, but we have no idea who these users are. 551 00:34:51,520 --> 00:34:55,600 What was invented to ensure an individual's privacy 552 00:34:55,600 --> 00:34:58,840 had unforeseen consequences. 553 00:34:58,840 --> 00:35:03,240 So we very quickly started seeing Bitcoin being used in online crime. 554 00:35:03,240 --> 00:35:05,320 First, in online drug trade, 555 00:35:05,320 --> 00:35:08,000 cos when you're buying illegal drugs online, 556 00:35:08,000 --> 00:35:10,200 you don't want to use your credit card 557 00:35:10,200 --> 00:35:14,200 because the credit card will lead back to you and Bitcoins don't. 558 00:35:14,200 --> 00:35:17,240 And then we started seeing ransom attacks. 
559 00:35:17,240 --> 00:35:19,400 Ransomware has been around for years and years, 560 00:35:19,400 --> 00:35:21,160 way before Bitcoin. 561 00:35:21,160 --> 00:35:23,920 But the megatrend which really made ransomware 562 00:35:23,920 --> 00:35:27,080 such a big problem is cryptocurrencies, like Bitcoin. 563 00:35:27,080 --> 00:35:30,920 By allowing transactions to take place between pseudonyms 564 00:35:30,920 --> 00:35:32,800 rather than real identities, 565 00:35:32,800 --> 00:35:35,800 Bitcoin became the go-to currency for cyber crime. 566 00:35:38,680 --> 00:35:42,360 But it turns out that the details of Bitcoin's original design 567 00:35:42,360 --> 00:35:45,920 could, for some criminals, actually be their undoing. 568 00:35:47,800 --> 00:35:51,640 Bitcoin was invented by a figure called Satoshi Nakamoto 569 00:35:51,640 --> 00:35:53,280 around six years ago. 570 00:35:53,280 --> 00:35:56,520 It's based on an innovation called blockchain, 571 00:35:56,520 --> 00:36:01,160 and blockchain basically means a public ledger of transactions. 572 00:36:02,400 --> 00:36:05,680 When a transaction is made between two Bitcoin users, 573 00:36:05,680 --> 00:36:09,800 the details of that transaction are locked into a permanent ledger, 574 00:36:09,800 --> 00:36:12,320 known as the blockchain. 575 00:36:13,840 --> 00:36:17,840 And the blockchain data isn't kept on a single computer or server - 576 00:36:17,840 --> 00:36:20,360 it's distributed across the entire network. 577 00:36:22,120 --> 00:36:25,520 Which means, even if an individual machine goes down, 578 00:36:25,520 --> 00:36:27,200 it can never be erased. 579 00:36:29,720 --> 00:36:33,320 So the entire history of every Bitcoin transaction 580 00:36:33,320 --> 00:36:37,080 is accessible to all users now and for ever. 
581 00:36:38,560 --> 00:36:39,800 Until this point, 582 00:36:39,800 --> 00:36:42,840 what I understood by Bitcoin was that it was fully anonymous 583 00:36:42,840 --> 00:36:45,720 and therefore it's the perfect currency 584 00:36:45,720 --> 00:36:48,120 in which the underworld can operate. 585 00:36:48,120 --> 00:36:49,560 Is that not true? 586 00:36:49,560 --> 00:36:51,960 No, it's definitely not true. 587 00:36:51,960 --> 00:36:55,440 Bitcoin exchanges are what's responsible for trading Bitcoin 588 00:36:55,440 --> 00:36:58,320 with traditional, government-backed currencies. 589 00:36:58,320 --> 00:37:01,920 But the second you send your Bitcoins to this exchange, 590 00:37:01,920 --> 00:37:06,440 you've created a link between your activities in the Bitcoin network 591 00:37:06,440 --> 00:37:09,440 and your identity as a real person. 592 00:37:09,440 --> 00:37:12,120 The second I know that a given pseudonym 593 00:37:12,120 --> 00:37:14,960 belongs to a criminal or belongs to anyone, 594 00:37:14,960 --> 00:37:18,600 I can then start trying to understand what that user 595 00:37:18,600 --> 00:37:20,040 has done with that money. 596 00:37:20,040 --> 00:37:21,840 We've seen in the past 597 00:37:21,840 --> 00:37:24,040 that attackers have stolen Bitcoins 598 00:37:24,040 --> 00:37:26,320 and then they've sat on them for years, 599 00:37:26,320 --> 00:37:29,960 probably because they don't really know what to do with them next. 600 00:37:29,960 --> 00:37:31,520 Attribution is hard, 601 00:37:31,520 --> 00:37:33,200 this could have been anybody in the world 602 00:37:33,200 --> 00:37:34,440 carrying out this attack. 603 00:37:34,440 --> 00:37:36,280 If you're looking for my opinion, 604 00:37:36,280 --> 00:37:38,920 it's some script kiddie in a basement somewhere, 605 00:37:38,920 --> 00:37:40,320 not a government agency. 
606 00:37:40,320 --> 00:37:42,600 And if he's got any sense whatsoever, 607 00:37:42,600 --> 00:37:46,160 he'll take his hard disk, smash it up with a sledgehammer 608 00:37:46,160 --> 00:37:48,120 and burn it in a bonfire. 609 00:37:48,120 --> 00:37:50,480 And he will not, whatever he does, 610 00:37:50,480 --> 00:37:53,880 go and try spend of those Bitcoins that ended up in his wallets, 611 00:37:53,880 --> 00:37:56,720 cos if he does, there's quite a number of governments 612 00:37:56,720 --> 00:37:58,760 would like to offer him some hospitality 613 00:37:58,760 --> 00:38:00,560 for quite a long period of his life. 614 00:38:06,120 --> 00:38:08,560 As the ransomware continued to spread, 615 00:38:08,560 --> 00:38:11,600 thousands of people faced the same dilemma - 616 00:38:11,600 --> 00:38:14,440 should they pay the ransom or not? 617 00:38:16,480 --> 00:38:20,960 It's a question that Moti Cristal has given a lot of thought. 618 00:38:26,800 --> 00:38:29,680 I'm a negotiator, by profession. 619 00:38:29,680 --> 00:38:31,920 I started my career in the political negotiations 620 00:38:31,920 --> 00:38:33,760 between Israel and the Arab world. 621 00:38:33,760 --> 00:38:36,000 And later on, I do hostage negotiations 622 00:38:36,000 --> 00:38:37,960 in high-intensity conflicts. 623 00:38:44,440 --> 00:38:46,800 In a hostage situation, you negotiate with a person 624 00:38:46,800 --> 00:38:49,200 but if you have the opportunity 625 00:38:49,200 --> 00:38:53,440 to talk him to come to the window and then shoot him in the head 626 00:38:53,440 --> 00:38:56,920 because he just killed three kids, you will do it, 627 00:38:56,920 --> 00:38:59,560 and without any moral hesitation. 628 00:38:59,560 --> 00:39:03,440 But in the cyber world, you cannot do that. 629 00:39:03,440 --> 00:39:06,840 The reliance on talk is 630 00:39:06,840 --> 00:39:09,520 significantly more important. 
631 00:39:09,520 --> 00:39:13,160 Extortionists, like the people behind WannaCry, 632 00:39:13,160 --> 00:39:17,760 are increasingly abandoning the real world and moving online. 633 00:39:17,760 --> 00:39:20,560 It's lower risk and more profitable. 634 00:39:20,560 --> 00:39:22,680 But whilst the setting may have changed, 635 00:39:22,680 --> 00:39:25,360 Moti's job remains the same, 636 00:39:25,360 --> 00:39:29,240 and much of his work is now in cyber crime. 637 00:39:29,240 --> 00:39:32,800 There's always a human being behind the keyboard. 638 00:39:32,800 --> 00:39:36,120 So at the end of this ransomware attack, 639 00:39:36,120 --> 00:39:40,160 there are people that have feelings, 640 00:39:40,160 --> 00:39:43,000 logics, emotions... 641 00:39:43,000 --> 00:39:44,960 There's always a human being 642 00:39:44,960 --> 00:39:48,040 to whom you can, and you should try to, connect. 643 00:39:50,880 --> 00:39:55,000 No-one has been able to reach out to those behind WannaCry. 644 00:39:55,000 --> 00:39:57,080 But perhaps Moti can help shed light 645 00:39:57,080 --> 00:40:00,440 on how these criminal organisations think. 646 00:40:00,440 --> 00:40:03,400 In October 2015, he was called in 647 00:40:03,400 --> 00:40:06,000 to negotiate for a financial institution 648 00:40:06,000 --> 00:40:08,960 that had been attacked by another piece of malware. 649 00:40:10,040 --> 00:40:12,680 The hackers attempted to portray themselves 650 00:40:12,680 --> 00:40:17,000 as an arm of the Russian state, APT28. 651 00:40:18,840 --> 00:40:20,440 Moti reached out to them. 652 00:40:22,400 --> 00:40:24,640 You know, I teased them. 653 00:40:24,640 --> 00:40:27,720 I said, "Are you really APT28, 654 00:40:27,720 --> 00:40:30,160 "the Russian...proclaimed Russian team?" 655 00:40:30,160 --> 00:40:31,560 "Yes, correct." 
656 00:40:31,560 --> 00:40:34,520 And I said, "If you are APT28, 657 00:40:34,520 --> 00:40:40,560 "why you start to do this low stuff of extortion 658 00:40:40,560 --> 00:40:44,760 "instead of the very fascinating cool government stuff?" 659 00:40:46,000 --> 00:40:49,040 Through this kind of engagement, over many months, 660 00:40:49,040 --> 00:40:52,320 Moti created a dialogue with the attackers. 661 00:40:52,320 --> 00:40:54,720 We already start moving towards a deal 662 00:40:54,720 --> 00:40:57,160 and they write to me. 663 00:40:57,160 --> 00:40:59,960 "The way we can do it..." 664 00:40:59,960 --> 00:41:01,640 Pay attention to the language - 665 00:41:01,640 --> 00:41:04,280 "the way WE can do it," we're already a team. 666 00:41:04,280 --> 00:41:07,120 "..is two equal payments. 667 00:41:07,120 --> 00:41:12,000 "After the first one, we tell you exactly how you were breached 668 00:41:12,000 --> 00:41:14,840 "and which systems are most vulnerable." 669 00:41:14,840 --> 00:41:16,480 So suddenly, after the first payment, 670 00:41:16,480 --> 00:41:20,440 they start actually to be my consultant, my advisers. 671 00:41:20,440 --> 00:41:23,400 They start to tell me how my system was breached, 672 00:41:23,400 --> 00:41:25,720 which is very valuable information. 673 00:41:25,720 --> 00:41:28,360 "This is something we never do. 674 00:41:28,360 --> 00:41:32,280 "But consider it as a gesture..." 675 00:41:32,280 --> 00:41:34,600 And then I immediately reply, 676 00:41:34,600 --> 00:41:38,400 "I never recommend moving forward 677 00:41:38,400 --> 00:41:40,400 "based on a virtual contract," 678 00:41:40,400 --> 00:41:41,680 I'm telling them. 679 00:41:41,680 --> 00:41:45,080 "But with you, I feel we have this otnoshenya." 680 00:41:45,080 --> 00:41:47,520 The Russian word for relationship. 681 00:41:47,520 --> 00:41:50,600 To signal them that, "we are on the same page, 682 00:41:50,600 --> 00:41:52,680 "I do appreciate this." 
683 00:41:54,040 --> 00:41:57,720 Though the ransom was paid, by negotiating with the hackers, 684 00:41:57,720 --> 00:42:02,160 Moti successfully ensured that the company's data were not released. 685 00:42:04,200 --> 00:42:07,840 But for those facing the ransom on the 12th of May attack, 686 00:42:07,840 --> 00:42:10,680 was paying the right thing to do? 687 00:42:10,680 --> 00:42:14,160 There are several costs involved when you pay the ransomware. 688 00:42:14,160 --> 00:42:16,040 And I do think, most important, 689 00:42:16,040 --> 00:42:18,040 is that you feel bad 690 00:42:18,040 --> 00:42:20,800 that, actually, you surrendered 691 00:42:20,800 --> 00:42:23,000 to this type of criminal. 692 00:42:23,000 --> 00:42:25,240 So if you pay, you feel bad. 693 00:42:26,480 --> 00:42:28,680 And there's another risk to paying. 694 00:42:28,680 --> 00:42:31,600 You open yourself up to further cyber attacks. 695 00:42:31,600 --> 00:42:33,640 I do believe, in the darknet, 696 00:42:33,640 --> 00:42:35,480 dark in the darknet, 697 00:42:35,480 --> 00:42:37,200 people do exchange lists 698 00:42:37,200 --> 00:42:38,680 of people who paid. 699 00:42:38,680 --> 00:42:40,160 Why? Because that's, again, 700 00:42:40,160 --> 00:42:41,760 a human pattern. 701 00:42:41,760 --> 00:42:45,600 If you've paid once, you might pay again and again. 702 00:42:55,880 --> 00:42:59,240 Ransoms paid in Bitcoin, hostage negotiators... 703 00:42:59,240 --> 00:43:01,880 It's all fine if you're a high-net-worth individual 704 00:43:01,880 --> 00:43:03,960 or a private mega-corporation, 705 00:43:03,960 --> 00:43:06,400 but none of that is going to work in the NHS. 706 00:43:06,400 --> 00:43:07,760 Even if it could pay - 707 00:43:07,760 --> 00:43:09,800 which it can't, because there's no money - 708 00:43:09,800 --> 00:43:11,880 it wouldn't be allowed to pay. 
709 00:43:11,880 --> 00:43:15,080 The best you can hope for in that situation as a hacker 710 00:43:15,080 --> 00:43:17,560 is that you don't inadvertently kill somebody 711 00:43:17,560 --> 00:43:20,200 and, instead of the local cyber crime division, 712 00:43:20,200 --> 00:43:23,600 suddenly find the murder squad kicking down your front door. 713 00:43:25,240 --> 00:43:27,880 Those hospitals and GPs that had been infected 714 00:43:27,880 --> 00:43:30,920 had no option but to keep their computers off 715 00:43:30,920 --> 00:43:33,760 and hope that something could stop the spread. 716 00:43:35,720 --> 00:43:38,160 And incredibly, an answer was found, 717 00:43:38,160 --> 00:43:41,960 thanks to a bit of luck and Marcus's inquisitive nature. 718 00:43:48,240 --> 00:43:49,600 By late afternoon, 719 00:43:49,600 --> 00:43:52,680 he'd spotted something curious in the malware's code. 720 00:43:52,680 --> 00:43:56,800 It was trying to connect to one specific web address. 721 00:43:56,800 --> 00:43:58,800 A domain. 722 00:44:00,800 --> 00:44:03,080 I saw this domain was not registered, 723 00:44:03,080 --> 00:44:06,800 so my first idea was to just go and reserve it, just in case. 724 00:44:06,800 --> 00:44:11,160 By registering it, we could track the infection across the globe. 725 00:44:11,160 --> 00:44:13,160 Straight after registering the domain, 726 00:44:13,160 --> 00:44:15,400 we were seeing thousands of queries per second. 727 00:44:15,400 --> 00:44:20,800 Maybe 100,000 unique infections within the first hour. 728 00:44:20,800 --> 00:44:22,520 It was sort of, like, a bingo moment. 729 00:44:23,840 --> 00:44:27,200 He didn't yet realise it, but by registering the domain, 730 00:44:27,200 --> 00:44:29,520 at a cost of just $10, 731 00:44:29,520 --> 00:44:32,080 Marcus wasn't just tracking the infection - 732 00:44:32,080 --> 00:44:34,920 he was also preventing it from spreading. 
733 00:44:34,920 --> 00:44:37,760 The plan was to track it and then look for a way to stop it, 734 00:44:37,760 --> 00:44:40,400 but it actually turned out the tracking it was stopping it. 735 00:44:44,880 --> 00:44:47,960 It was like finding a vaccine. 736 00:44:47,960 --> 00:44:51,560 For now, WannaCry could do no further damage. 737 00:44:53,520 --> 00:44:56,080 The NHS didn't realise it yet 738 00:44:56,080 --> 00:44:58,680 and were still relying on emergency systems, 739 00:44:58,680 --> 00:45:01,320 but the cyber attack was over, 740 00:45:01,320 --> 00:45:04,560 the malware defeated. 741 00:45:04,560 --> 00:45:07,440 "Kill switch" was, sort of, the term the media ran with. 742 00:45:07,440 --> 00:45:09,640 It sort of makes a lot of sense, cos it is a kill switch. 743 00:45:09,640 --> 00:45:11,040 It stops the malware. 744 00:45:11,040 --> 00:45:13,400 It seems silly that simply registering a domain 745 00:45:13,400 --> 00:45:16,280 would stop a global cyber attack, but it happened. 746 00:45:17,760 --> 00:45:20,600 In the days following the cyber attack, 747 00:45:20,600 --> 00:45:23,120 the NHS slowly came back online. 748 00:45:23,120 --> 00:45:25,320 Machines were given the patch, 749 00:45:25,320 --> 00:45:29,360 backup data was used to restore the encrypted files, 750 00:45:29,360 --> 00:45:32,000 and news of Marcus's cure spread. 751 00:45:32,000 --> 00:45:33,800 Well, as we've been hearing, 752 00:45:33,800 --> 00:45:36,880 the global cyber attack was halted almost by accident. 753 00:45:36,880 --> 00:45:39,920 It was a 22-year-old in the UK who checked the code 754 00:45:39,920 --> 00:45:43,960 and found a reference to an unregistered website name. 755 00:45:43,960 --> 00:45:46,040 With systems restored, 756 00:45:46,040 --> 00:45:48,840 Patrick finally got the news he was waiting for. 
757 00:45:48,840 --> 00:45:53,000 I'd gone back to work, then I had a phone call to say 758 00:45:53,000 --> 00:45:57,800 that they had managed to get an operation date for me 759 00:45:57,800 --> 00:46:00,640 for next week, which... 760 00:46:00,640 --> 00:46:04,280 I was with a customer and I was, yeah, absolutely delighted. 761 00:46:07,120 --> 00:46:11,200 I can't describe the people who did the ransomware. 762 00:46:11,200 --> 00:46:14,280 I'm sure that wasn't in their thought process, 763 00:46:14,280 --> 00:46:18,920 to attack individual people, 764 00:46:18,920 --> 00:46:22,240 but that's the result of exactly what's happened. 765 00:46:27,640 --> 00:46:29,120 In a detached sort of way, 766 00:46:29,120 --> 00:46:32,480 you've got to have at least a bit of respect for the malware. 767 00:46:32,480 --> 00:46:34,760 As poorly constructed as it was, 768 00:46:34,760 --> 00:46:36,720 it still did a lot of damage. 769 00:46:36,720 --> 00:46:39,200 That's not unlike a real infection. 770 00:46:39,200 --> 00:46:41,680 Real viruses have a lot of flaws, 771 00:46:41,680 --> 00:46:43,880 and yet still go on to wreak havoc. 772 00:46:43,880 --> 00:46:48,200 Like a real infection, the malware was able to hide, 773 00:46:48,200 --> 00:46:50,040 evade natural defences, 774 00:46:50,040 --> 00:46:52,440 avoid surveillance, go dormant, 775 00:46:52,440 --> 00:46:53,600 and then go on to cause 776 00:46:53,600 --> 00:46:55,480 all of that chaos. 777 00:46:55,480 --> 00:46:57,120 But like a real infection, 778 00:46:57,120 --> 00:46:58,360 there was, in the end, 779 00:46:58,360 --> 00:46:59,760 a way to fight it, 780 00:46:59,760 --> 00:47:01,240 and so the NHS survived... 781 00:47:02,400 --> 00:47:03,800 At least this time. 782 00:47:15,360 --> 00:47:18,840 WannaCry soon disappeared from the front pages, 783 00:47:18,840 --> 00:47:22,280 but at a gathering of cyber security experts 784 00:47:22,280 --> 00:47:26,080 a fortnight after the attack, it was still making waves. 
785 00:47:29,200 --> 00:47:32,160 WHISPERS: This is a long-planned cyber security conference. 786 00:47:32,160 --> 00:47:35,840 It predates the NHS cyber attack by many months, 787 00:47:35,840 --> 00:47:38,360 but it's clearly dominating the agenda here. 788 00:47:38,360 --> 00:47:40,360 Every single speaker has mentioned it. 789 00:47:40,360 --> 00:47:43,400 I wanted to know why, in this country, 790 00:47:43,400 --> 00:47:46,120 it was the NHS that seemed to bear the brunt 791 00:47:46,120 --> 00:47:48,520 of the ransomware infection. 792 00:47:48,520 --> 00:47:53,880 Thank you. I'm Kevin Fong. I'm a doctor in the NHS. 793 00:47:53,880 --> 00:47:58,600 We still can't quite understand how worried we should be 794 00:47:58,600 --> 00:48:01,680 or how vulnerable we continue to be. 795 00:48:01,680 --> 00:48:04,080 We had the person responsible 796 00:48:04,080 --> 00:48:05,880 for one of the trusts 797 00:48:05,880 --> 00:48:10,040 talking about her experiences and day-to-day life 798 00:48:10,040 --> 00:48:12,040 of running IT in the NHS. 799 00:48:12,040 --> 00:48:16,240 It really stuck with me and resonated that, actually, 800 00:48:16,240 --> 00:48:21,360 the amount of budget that she had to protect the IT 801 00:48:21,360 --> 00:48:23,040 was vanishingly small. 802 00:48:23,040 --> 00:48:26,280 They have one support person for 1,000 machines 803 00:48:26,280 --> 00:48:27,440 and things like that. 804 00:48:27,440 --> 00:48:31,560 That's just not a sustainable investment. 805 00:48:31,560 --> 00:48:33,800 I think the NHS really does need to think about 806 00:48:33,800 --> 00:48:35,600 its balance of investment. 807 00:48:35,600 --> 00:48:37,680 It must put more money into this. 808 00:48:37,680 --> 00:48:43,160 It's always a hard trade-off, to think patients versus IT, 809 00:48:43,160 --> 00:48:46,400 you know, but actually, you've got to have that infrastructure 810 00:48:46,400 --> 00:48:49,040 to be able to do a good job on the patients, I would say. 
811 00:48:50,440 --> 00:48:55,560 Spending varies across the NHS, but it's been reported that in 2015, 812 00:48:55,560 --> 00:49:00,600 seven trusts spent nothing at all on IT security. 813 00:49:00,600 --> 00:49:04,280 If this is true, surely this needs urgent attention, 814 00:49:04,280 --> 00:49:08,440 now that weaknesses have been exposed by the WannaCry attack. 815 00:49:08,440 --> 00:49:11,200 I was shocked by what happened to the NHS. 816 00:49:11,200 --> 00:49:15,040 I think the shock is more in the vulnerability of the hospitals 817 00:49:15,040 --> 00:49:18,080 than it was in the way that the attack was executed. 818 00:49:19,800 --> 00:49:22,640 We are always afraid of the next attack 819 00:49:22,640 --> 00:49:24,840 hitting critical infrastructures, 820 00:49:24,840 --> 00:49:29,440 so now health care systems were hit, 821 00:49:29,440 --> 00:49:33,720 we are afraid that the electricity, the water departments, 822 00:49:33,720 --> 00:49:38,160 you know, those types of infrastructures being hit... 823 00:49:38,160 --> 00:49:41,320 That didn't happen, but it can happen, 824 00:49:41,320 --> 00:49:44,320 so I think that this is what we're kind of waiting for. 825 00:49:47,440 --> 00:49:50,840 I think there has to be a recognition that it's not an IT 826 00:49:50,840 --> 00:49:53,800 or a computer issue, this is about everyday life now. 827 00:49:53,800 --> 00:49:57,080 In a world where everything's online and where there are ever more 828 00:49:57,080 --> 00:50:01,760 online threats and where government agencies involved in security 829 00:50:01,760 --> 00:50:04,520 are much more interested in adding to the threat level 830 00:50:04,520 --> 00:50:07,000 than in adding to the defence level, 831 00:50:07,000 --> 00:50:08,640 there's an awful lot of conflicts there 832 00:50:08,640 --> 00:50:10,200 that we're going to have to manage. 
833 00:50:12,520 --> 00:50:16,840 This attack affected Russian banks, Chinese universities, 834 00:50:16,840 --> 00:50:20,440 Spanish telecoms companies, even FedEx. 835 00:50:20,440 --> 00:50:23,120 The vulnerabilities were there for all of us 836 00:50:23,120 --> 00:50:26,560 across countries and continents, private and public sector, 837 00:50:26,560 --> 00:50:28,680 all walks of life. 838 00:50:28,680 --> 00:50:32,840 The NHS was simply one in a long list of casualties. 839 00:50:32,840 --> 00:50:36,480 Collateral damage in a global cyber war. 840 00:50:41,560 --> 00:50:44,200 The new reality is that we're all at risk. 841 00:50:44,200 --> 00:50:47,280 It's not only businesses and governments - 842 00:50:47,280 --> 00:50:49,880 anyone who's connected could be a target. 843 00:50:52,720 --> 00:50:56,560 As the world of network technology gets ever more complex, 844 00:50:56,560 --> 00:50:59,800 it opens up whole new realms of vulnerability. 845 00:51:02,080 --> 00:51:05,480 It's no longer just our computers that are at risk. 846 00:51:05,480 --> 00:51:08,200 Our homes and offices are now filled with devices 847 00:51:08,200 --> 00:51:11,640 that are online and ripe for hacking. 848 00:51:13,040 --> 00:51:17,520 Which one are you pinning our hopes on being...? The... Yeah, that one. 849 00:51:17,520 --> 00:51:20,880 Ken Munro leads a team of ethical hackers 850 00:51:20,880 --> 00:51:24,240 that test the security of internet-enabled household devices, 851 00:51:24,240 --> 00:51:26,240 the so-called internet of things, 852 00:51:26,240 --> 00:51:28,520 to find out where their weak spots are 853 00:51:28,520 --> 00:51:31,040 and to see how much havoc they could wreak. 854 00:51:31,040 --> 00:51:34,480 This is kind of the most fundamental aspect of hacking. 855 00:51:34,480 --> 00:51:38,640 You're in there at the nitty-gritty, at the level of the circuit board. 856 00:51:38,640 --> 00:51:42,040 Yeah, so that's what's different about the internet of things. 
857 00:51:42,040 --> 00:51:43,760 Unlike, say, an eCommerce site, 858 00:51:43,760 --> 00:51:47,000 which is safely hosted in a data centre on a server somewhere, 859 00:51:47,000 --> 00:51:49,840 with the internet of things, you can go and buy the kit, 860 00:51:49,840 --> 00:51:51,040 you can dismantle it. 861 00:51:51,040 --> 00:51:54,200 You can find the chips and the hardware and then connect to it. 862 00:51:54,200 --> 00:51:55,960 So literally put logic probes, 863 00:51:55,960 --> 00:51:58,080 electric wires onto the circuit cables 864 00:51:58,080 --> 00:52:00,760 and then pull off the software and reverse-engineer 865 00:52:00,760 --> 00:52:03,000 how it works from 1s and 0s. 866 00:52:03,000 --> 00:52:05,040 Once you've got that, you can find security flaws. 867 00:52:07,600 --> 00:52:13,160 As Ken discovered, some devices are far easier to hack than others. 868 00:52:13,160 --> 00:52:16,440 This is your hackable shop of horrors. 869 00:52:16,440 --> 00:52:18,840 What have you got here? 870 00:52:18,840 --> 00:52:21,600 Probably the first one we look at, this is My Friend Cayla, 871 00:52:21,600 --> 00:52:24,160 she's an interactive kids' doll. 872 00:52:24,160 --> 00:52:26,000 She works over Bluetooth with an app, 873 00:52:26,000 --> 00:52:28,200 but the manufacturer forgot to put security 874 00:52:28,200 --> 00:52:30,640 on the Bluetooth connection, so, as a result, 875 00:52:30,640 --> 00:52:33,040 it means that someone could be sat on the street outside, 876 00:52:33,040 --> 00:52:35,720 could be listening to what's going on in the room, 877 00:52:35,720 --> 00:52:37,000 so snooping on your child, 878 00:52:37,000 --> 00:52:39,560 or potentially speaking to the child through the speaker. 879 00:52:39,560 --> 00:52:41,000 Our interest was we wanted to see 880 00:52:41,000 --> 00:52:43,320 if we could bypass her protection measures. 881 00:52:43,320 --> 00:52:44,960 You can't make her swear. 
882 00:52:44,960 --> 00:52:47,240 But, of course, we discovered you could hack her, 883 00:52:47,240 --> 00:52:48,720 and she swears like a docker now. 884 00:52:48,720 --> 00:52:52,280 RECORDED MESSAGE: Hey, calm down or I will kick the shit out of you. 885 00:52:53,680 --> 00:52:55,840 Creepy, but it's a really serious issue. 886 00:52:55,840 --> 00:52:58,040 The German telecommunications regulator 887 00:52:58,040 --> 00:53:01,120 has now classified her as a covert bugging device 888 00:53:01,120 --> 00:53:02,520 and has banned her. 889 00:53:02,520 --> 00:53:04,560 It's illegal to own her in Germany now. 890 00:53:04,560 --> 00:53:07,920 All right, OK. So this is a wireless kettle, 891 00:53:07,920 --> 00:53:11,280 but I don't actually care if someone hacks my kettle. 892 00:53:11,280 --> 00:53:13,280 I mean, what can they possibly do with that? 893 00:53:13,280 --> 00:53:15,120 This is a Wi-Fi kettle, though. 894 00:53:15,120 --> 00:53:17,800 How else would you boil a kettle from the car home? 895 00:53:19,400 --> 00:53:21,840 So this is the scary bit. This is the Wi-Fi Module. 896 00:53:21,840 --> 00:53:24,560 We're going to show you how we managed to hack that. 897 00:53:24,560 --> 00:53:26,120 Imagine I'm outside your house. 898 00:53:26,120 --> 00:53:28,320 If I want to get your Wi-Fi key from your kettle, 899 00:53:28,320 --> 00:53:30,040 it's really surprisingly easy. 900 00:53:30,040 --> 00:53:32,080 All I need to do, I'm going to connect to it. 901 00:53:32,080 --> 00:53:33,440 I need to put a password in. 902 00:53:33,440 --> 00:53:35,360 You think, "Password - great security." 903 00:53:35,360 --> 00:53:37,800 Unfortunately, the password on these kettles is, 904 00:53:37,800 --> 00:53:39,240 believe it or not, six zeros. 905 00:53:39,240 --> 00:53:41,960 Once I connect to it, all I have to do is send one command, 906 00:53:41,960 --> 00:53:45,000 and I can retrieve your wireless network encryption key. No! 
907 00:53:45,000 --> 00:53:48,120 That's the key that secures all of your traffic on your Wi-Fi network. 908 00:53:48,120 --> 00:53:50,280 So if I was a malicious hacker on your network, 909 00:53:50,280 --> 00:53:54,360 I can now intercept everything you do on your home wireless network. 910 00:53:54,360 --> 00:53:57,160 Online banking, your social media - 911 00:53:57,160 --> 00:53:59,200 everything you do, we can see, 912 00:53:59,200 --> 00:54:01,640 because we've got your wireless network key. 913 00:54:01,640 --> 00:54:03,760 I can see a thermostat over here. 914 00:54:03,760 --> 00:54:06,520 I think I have something similar in my house. 915 00:54:06,520 --> 00:54:09,560 What's the problem with a wireless thermostat? 916 00:54:09,560 --> 00:54:12,000 Unfortunately, we found some pretty shocking security 917 00:54:12,000 --> 00:54:14,240 on some brands of Smart thermostat. 918 00:54:14,240 --> 00:54:16,920 This one we managed to actually hold it to ransom. 919 00:54:16,920 --> 00:54:19,920 So just like you've heard with the NHS ransomware issue, 920 00:54:19,920 --> 00:54:22,600 holding critical devices to ransom, actually, 921 00:54:22,600 --> 00:54:25,200 we've found you can even hold your SmartStat to ransom, 922 00:54:25,200 --> 00:54:29,400 to lock you out of heating unless you pay cash. So... 923 00:54:29,400 --> 00:54:31,720 That would be quite unpleasant, but in the end, 924 00:54:31,720 --> 00:54:33,960 surely you just take it off the wall and reset it. 925 00:54:33,960 --> 00:54:35,560 I'm not so worried about that. 926 00:54:35,560 --> 00:54:38,280 What I'm more worried about is actually taking control 927 00:54:38,280 --> 00:54:40,320 of lots of Smart thermostats. 928 00:54:40,320 --> 00:54:42,680 Imagine you've got several hundred thousands of these 929 00:54:42,680 --> 00:54:45,720 and someone finds a way to compromise them, which we have. 930 00:54:45,720 --> 00:54:48,360 They could switch them on and off, synchronously. 
931 00:54:48,360 --> 00:54:51,000 You can create unexpected power spikes 932 00:54:51,000 --> 00:54:52,600 using people's thermostats. 933 00:54:52,600 --> 00:54:56,280 So, in theory, you could knock out the grid on a bad day, 934 00:54:56,280 --> 00:54:57,440 if you wanted to. 935 00:54:57,440 --> 00:54:59,880 So, I mean, that's fascinating and terrifying. 936 00:54:59,880 --> 00:55:02,120 This is not about what it does to the individual. 937 00:55:02,120 --> 00:55:05,320 This is about what it might do to an entire nation's power grid. 938 00:55:05,320 --> 00:55:06,640 Damn right. 939 00:55:06,640 --> 00:55:09,520 Imagine you were a foreign power and you wanted to soften up 940 00:55:09,520 --> 00:55:11,440 a country on a particular day. 941 00:55:11,440 --> 00:55:14,800 I don't know, maybe an election day. You knocked out the power. 942 00:55:14,800 --> 00:55:17,480 That's going to influence the outcome of an election. 943 00:55:18,600 --> 00:55:19,640 All right. 944 00:55:24,600 --> 00:55:28,680 The internet of things has also arrived in health care. 945 00:55:28,680 --> 00:55:31,640 Devices that regulate drug dosages 946 00:55:31,640 --> 00:55:34,680 can now be operated over the internet, 947 00:55:34,680 --> 00:55:39,080 and some of the latest pacemakers are controlled by Bluetooth. 948 00:55:39,080 --> 00:55:43,320 A recent study revealed that there might be thousands of exploits. 949 00:55:43,320 --> 00:55:47,880 Do you think this fundamentally limits how useful 950 00:55:47,880 --> 00:55:50,840 the digital revolution might be in health care? 951 00:55:50,840 --> 00:55:52,960 Well, I think we've got things out of step. 952 00:55:52,960 --> 00:55:56,200 I think we've got amazing technical advances, 953 00:55:56,200 --> 00:55:58,760 fantastic technological steps forward, which are brilliant, 954 00:55:58,760 --> 00:56:00,280 which allow us to do cool stuff, 955 00:56:00,280 --> 00:56:02,920 that allows us much better diagnostics - brilliant. 
956 00:56:02,920 --> 00:56:05,360 But we've got that out of step with the security. 957 00:56:05,360 --> 00:56:06,680 We're in a catch-up game. 958 00:56:06,680 --> 00:56:10,480 Once the security has caught up with the technological advances, great - 959 00:56:10,480 --> 00:56:12,400 we get fantastic medical benefits. 960 00:56:12,400 --> 00:56:15,080 But until then, it's all a little bit dangerous to me. 961 00:56:23,440 --> 00:56:25,480 We can't go back to the Stone Age. 962 00:56:25,480 --> 00:56:28,640 We need digital technology and all of its promise 963 00:56:28,640 --> 00:56:31,120 to push back the frontiers of medicine, 964 00:56:31,120 --> 00:56:33,960 so we have to learn how to protect ourselves. 965 00:56:33,960 --> 00:56:35,400 But there is hope. 966 00:56:35,400 --> 00:56:38,640 Hope, because there are people on our side in this fight. 967 00:56:38,640 --> 00:56:40,080 We've met some of them. 968 00:56:40,080 --> 00:56:42,720 Hope too because of all professions, 969 00:56:42,720 --> 00:56:45,760 medicine should be able to learn how to deal with this, 970 00:56:45,760 --> 00:56:48,800 because this is the feat of host immunity - 971 00:56:48,800 --> 00:56:52,480 of taking the hit from an infection, recognising it, 972 00:56:52,480 --> 00:56:56,200 and then continually evolving your defences until, eventually, 973 00:56:56,200 --> 00:56:58,160 you're impervious. 974 00:56:58,160 --> 00:57:01,400 Hope as well because, despite reports, 975 00:57:01,400 --> 00:57:03,880 the NHS never stopped. 976 00:57:03,880 --> 00:57:07,400 Yes, parts of its network were severely affected, 977 00:57:07,400 --> 00:57:10,920 but it kept doing what it always does. 978 00:57:10,920 --> 00:57:14,760 If the last few terrible weeks have taught us anything, 979 00:57:14,760 --> 00:57:18,280 it's that the NHS can take whatever you throw at it. 980 00:57:18,280 --> 00:57:20,640 It has a plan, it will learn 981 00:57:20,640 --> 00:57:23,960 and it will be ready for the next time.