An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

The Internet can be a dangerous place. Hackers, bots and viruses are prowling the Web trying to turn your machines into zombies.

Last month, a massive network of hacked devices helped temporarily shut down Twitter and other websites. Hackers used a virus called Mirai to target Dyn, a major Internet infrastructure company, in a sophisticated denial-of-service attack — when insecure Internet-connected devices are directed to barrage a target with data until it shuts down.

Andrew McGill, a reporter at The Atlantic, devised an experiment to find out how vulnerable our devices are to hackers. He built a virtual Internet-connected toaster, put it online and waited to see how quickly it would take for hackers to attempt to breach it. They found him much faster than he expected.

"Well, I had talked to some experts, and I was fully expecting maybe a week, maybe never, certainly not less than a day," McGill told NPR's Ari Shapiro. "But it came a lot sooner. It was 41 minutes. [The second attempt was] within 10 or 15 minutes [and the third was] another 10 or 15."

Interview Highlights

On the toaster experiment

Well, I kind of wanted to see if I put something unsecured on the Internet — if I just plugged it in — how long would it take for a hacker to find it and hack into it?

So when this botnet took down all these computers a few weeks ago, there were thousands and thousands of devices that had been compromised, but I always had kind of thought, "You know, if I'm lax with security in my own personal life, it won't be a big deal because the Internet is huge." You know, there's millions, and actually billions, of IP addresses, each one with a computer behind it. Why would a hacker find me?

So I kind of devised this thing where I built a virtual Internet-connected toaster, as I called it, and I put it online and saw how quickly it took for someone to compromise it.

On how hackers found him so quickly

This is the thing: People probably think of a hacker as behind their keyboard and prowling for folks that are vulnerable. Really they write scripts and they write bots that do that prowling for them.

They will actually randomly scan ports, which are essentially ways into computers, across the entire Internet. And the thing is, you know, our technology has advanced to a degree that you can actually reasonably expect to scan the entire Internet in a few hours.

On why certain devices are more vulnerable than others

This is the thing that I always want to make clear to the readers is that if you are plugging in your Internet toaster into your home Wi-Fi or into your home router, you already have a layer of security and that's your router. It's essentially a device that makes sure that incoming connections don't get through to your devices that would be malicious.

This [device] was a little bit different. This mimicked more the simpler devices that were attacked in the Mirai botnet. They're more vulnerable because they don't have that layer of protection between them and the modem, which connects directly to the Internet. So your average consumer has that layer of protection, but that protection can be breached sometimes, too.

On identifying the location of hacking attempts

I could log the IP addresses, and you could actually geo-locate those to see where they're coming from. You know, I don't really trust those because you can easily spoof an IP or have a proxy server to make it look like you're coming from somewhere else, but they were all over the map. There actually was one as close as Ohio, which I thought was funny.

On how to protect your devices from hacking

For the average consumer, we've figured this out to some degree. We have basic security in place in modern devices that screen out the most obvious attacks. Really getting phished, if you will, is more of a problem where you are tricked in surrendering your password or username to a common service. If you plug in your webcam into your router or to your Wi-Fi, you're relatively safe.

I think the biggest security concern for folks at home would be if their router actually is old, it might have an easily guessed password that someone could gain control. Most modern devices don't have that problem, but that certainly is a concern for older devices.

Copyright 2023 NPR. To see more, visit https://www.npr.org.