An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

Nov 1, 2016
Originally published on November 1, 2016 6:46 pm

The Internet can be a dangerous place. Hackers, bots and viruses are prowling the Web trying to turn your machines into zombies.

Last month, a massive network of hacked devices helped temporarily shut down Twitter and other websites. Hackers used a virus called Mirai to target Dyn, a major Internet infrastructure company, in a sophisticated denial-of-service attack — when insecure Internet-connected devices are directed to barrage a target with data until it shuts down.

Andrew McGill, a reporter at The Atlantic, devised an experiment to find out how vulnerable our devices are to hackers. He built a virtual Internet-connected toaster, put it online and waited to see how quickly it would take for hackers to attempt to breach it. They found him much faster than he expected.

"Well, I had talked to some experts, and I was fully expecting maybe a week, maybe never, certainly not less than a day," McGill told NPR's Ari Shapiro. "But it came a lot sooner. It was 41 minutes. [The second attempt was] within 10 or 15 minutes [and the third was] another 10 or 15."


Interview Highlights

On the toaster experiment

Well, I kind of wanted to see if I put something unsecured on the Internet — if I just plugged it in — how long would it take for a hacker to find it and hack into it?

So when this botnet took down all these computers a few weeks ago, there were thousands and thousands of devices that had been compromised, but I always had kind of thought, "You know, if I'm lax with security in my own personal life, it won't be a big deal because the Internet is huge." You know, there's millions, and actually billions, of IP addresses, each one with a computer behind it. Why would a hacker find me?

So I kind of devised this thing where I built a virtual Internet-connected toaster, as I called it, and I put it online and saw how quickly it took for someone to compromise it.

On how hackers found him so quickly

This is the thing: People probably think of a hacker as behind their keyboard and prowling for folks that are vulnerable. Really they write scripts and they write bots that do that prowling for them.

They will actually randomly scan ports, which are essentially ways into computers, across the entire Internet. And the thing is, you know, our technology has advanced to a degree that you can actually reasonably expect to scan the entire Internet in a few hours.

On why certain devices are more vulnerable than others

This is the thing that I always want to make clear to the readers is that if you are plugging in your Internet toaster into your home Wi-Fi or into your home router, you already have a layer of security and that's your router. It's essentially a device that makes sure that incoming connections don't get through to your devices that would be malicious.

This [device] was a little bit different. This mimicked more the simpler devices that were attacked in the Mirai botnet. They're more vulnerable because they don't have that layer of protection between them and the modem, which connects directly to the Internet. So your average consumer has that layer of protection, but that protection can be breached sometimes, too.

On identifying the location of hacking attempts

I could log the IP addresses, and you could actually geo-locate those to see where they're coming from. You know, I don't really trust those because you can easily spoof an IP or have a proxy server to make it look like you're coming from somewhere else, but they were all over the map. There actually was one as close as Ohio, which I thought was funny.

On how to protect your devices from hacking

For the average consumer, we've figured this out to some degree. We have basic security in place in modern devices that screen out the most obvious attacks. Really getting phished, if you will, is more of a problem where you are tricked in surrendering your password or username to a common service. If you plug in your webcam into your router or to your Wi-Fi, you're relatively safe.

I think the biggest security concern for folks at home would be if their router actually is old, it might have an easily guessed password that someone could gain control. Most modern devices don't have that problem, but that certainly is a concern for older devices.

Copyright 2016 NPR. To see more, visit http://www.npr.org/.

ARI SHAPIRO, HOST:

The Internet can be a dangerous place, hackers, bots and viruses prowling the web, trying to turn your machines into zombies. Last month, a massive network of hacked devices helped temporarily shut down Twitter and other websites. Journalist Andrew McGill devised an experiment to find out how bad it is out there. He wrote about his findings in The Atlantic and joins us now. Welcome.

ANDREW MCGILL: Hi.

SHAPIRO: Tell us what your experiment was.

MCGILL: Well, I kind of wanted to see, if I put something unsecured on the internet - if I just plugged it in - how long would it take for a hacker to find it and hack into it? So when this botnet took down all these computers a few weeks ago, there were thousands and thousands of devices that had been compromised.

But I always had kind of thought, you know, if I'm lax with security in my own personal life, it won't be a big deal because the internet is huge. You know, there's millions and actually billions of IP addresses, each one with a computer behind it. Why would a hacker find me? So I kind of devised this thing where I built a virtual internet-connected toaster, as I called it. And I put it online and saw how quickly it took for someone to compromise it.

SHAPIRO: How long did you expect it would take before the first hacking attempt came?

MCGILL: Well, I had talked to some experts. And I was fully expecting maybe a week - maybe never - certainly not less than a day. But it came a lot sooner.

SHAPIRO: How soon was it?

MCGILL: It was 41 minutes.

SHAPIRO: And how soon after that was the second attempt?

MCGILL: Within 10 or 15 minutes.

SHAPIRO: And the third (laughter)?

MCGILL: Another 10 or 15.

SHAPIRO: But with so many devices online, how did they find you so quickly?

MCGILL: Yeah. Well, you know, this is the thing. People probably think of a hacker as behind their keyboard and prowling for folks that are vulnerable. Really, they write scripts, and they write bots that do that prowling for them. They will actually randomly scan ports, which are essentially ways into computers, across the entire internet. And the thing is, you know, our technology has advanced to a degree that you can actually reasonably expect to scan the entire internet in a few hours.

SHAPIRO: You weren't trying to secure this device. Would it have been easy to secure it if you had wanted to?

MCGILL: Yes, absolutely. And this is the thing that I always want to make clear to the readers - is that if you are plugging in your internet toaster into your home Wi-Fi or into your home router, you already have a layer of security. And that's your router. It's essentially a device that makes sure that incoming connections don't get through to your devices that would be malicious. This was a little bit different. This mimicked more the simpler devices that were attacked in the Mirai botnet.

SHAPIRO: That's the botnet that took down Twitter, et cetera a couple of weeks ago.

MCGILL: Correct. They are more vulnerable because they don't have that layer of protection between them and the modem, which connects directly to the internet. So your average consumer has that layer of protection. But that protection can be breached sometimes, too.

SHAPIRO: As you were watching these hacking attempt on your fake toaster, could you tell - oh, that one's coming from China. That one's coming from Russia. That one's coming from North Korea or wherever.

MCGILL: Yeah, I could. I could log the IP addresses. And you can actually geolocate those to see where they're coming from. I don't really trust those because you can easily spoof an IP or have a proxy server to make it look like you're coming from somewhere else. But they were all over the map. There actually was one as close as Ohio, which I thought was funny.

SHAPIRO: Should we all just resign ourselves to getting hacked? Should we be putting up virtual walls? What should we be doing?

MCGILL: I think, again, for the average consumer, we've figured this out to some degree. We have basic security in place in modern devices that screen out the most obvious attacks. Really, getting phished, if you will, is more of a problem, where you are tricked in surrendering your password or username to a common service.

SHAPIRO: Clicking on an attachment or something - phishing with a P-H.

MCGILL: Exactly. If you plug in your webcam into your router or to your Wi-Fi, you're relatively safe. I think the biggest security concern for folks at home would be if their router, actually, is old and might have an easily guessed password - that someone could gain control. Most modern devices don't have that problem. But that certainly is a concern for older devices.

SHAPIRO: Andrew McGill's with the Atlantic. Thanks for joining us.

MCGILL: Thank you. Transcript provided by NPR, Copyright NPR.