This Is How Quickly the IoT Can Be Hacked
Reporter's experiment shows how fast hackers can find an unsecured device.
Don’t be a toaster
Late last month, several websites were rendered inaccessible by a distributed denial of service (DDoS) attack on Dyn, a company that provides Domain Name System (DNS) services. Hackers reportedly used malware called Mirai to bombard Dyn's servers using compromised computers (called zombies) acting as a botnet.
Curious as to how easy it would be for hackers to attack devices, Andrew McGill of The Atlantic created a simple experiment to find out. First, he went to Amazon to rent a small server that he disguised as an unsecured, internet-connected toaster. He set it up so he could record the keystrokes of any would-be hackers and waited to see how quickly they would find it. He didn’t have to wait long.
“Well, I had talked to some experts, and I was fully expecting maybe a week, maybe never, certainly not less than a day,” McGill told NPR’s Ari Shapiro. “But it came a lot sooner. It was 41 minutes. [The second attempt was] within 10 or 15 minutes [and the third was] another 10 or 15.”
Keeping the Internet of Things Safe
In principle, if an internet-connected device gets hacked, the malware could easily spread to other devices in the network — easier still given the quick growth of the Internet of Things (IoT). At the end of the day, however, the average consumer shouldn’t be too concerned about being on the receiving end of an attack like the one that sidelined those major websites last month.
“[Your router is] essentially a device that makes sure that incoming connections don’t get through to your devices that would be malicious,” McGill explained. “We have basic security in place in modern devices that screen out the most obvious attacks. Really getting phished, if you will, is more of a problem where you are tricked into surrendering your password or username to a common service.”
Just to be safe, experts recommend that consumers select WPA2 as the security mode for their Wi-Fi router, make sure their devices are all running the latest firmware, and always change default passwords immediately after purchasing a device. Individually, our devices might not be powerful, but as we learned last month, enough of these digital Davids in the wrong hands can cripple an internet Goliath.