October 2017 Discover


ALISON MACKEY/DISCOVER


of smart electronic gadgets that interact with the world around them. It includes devices like Margulies’ new garage door, as well as refrigerators you can text to see if you’re low on milk and tennis rackets that offer tips on a better backhand — even smart sex toys. The technology research firm Gartner estimates that 6.4 billion such IoT devices were connected online in 2016, and that number doesn’t include smartphones, tablets or laptops.

But buyer beware: Smart devices prize convenience and novelty, not security. “The challenge with IoT is that the market is so enthusiastic right now — connected devices are super cool,” says Ted Harrington, a San Diego-based partner at Independent Security Evaluators, the company that first hacked an iPhone in 2007. “The problem is that this enthusiasm is really overshadowing the security challenges.”

On Oct. 21, 2016, those challenges burst out of the shadows. Three times that day, hackers launched attacks against Dyn, a company that reads the URL you type in a web browser and directs you to a webpage — a kind of digital phone book. The onslaught persisted for six hours, blocking or slowing access to dozens of prominent websites, including Netflix, Twitter and Amazon. This type of event is known as a distributed denial-of-service (DDoS) attack, which means so many devices sent simultaneous requests that Dyn’s system was overwhelmed and broke down. It was the largest attack of its kind in history, but it won’t be the last. (May’s cyberattack, which spread to hundreds of thousands of users in 150 countries, used a different tack to hold computers hostage.)

Turns out, IoT played an important role in the Dyn hack. In the aftermath of the hack, security experts determined that the attackers had hijacked tens of thousands of connected household devices, including surveillance cameras, routers and DVRs, directing them to connect to Dyn at the same time. Such a collection of co-opted, zombie devices is called a botnet, and the owners likely had no idea their gadgets were causing the widespread internet slowdown they complained about on Facebook.

The most disturbing part of the hack was its simplicity. The attackers didn’t need coding chops or Hollywood movie-level hacker prowess. Instead, they commandeered devices just by logging in — using the default username and password provided by the manufacturer, which the owners had never bothered to change.

“Remember when everybody had a VHS player in their living rooms?” asks Mikko Hypponen, a Finnish computer security expert. “It always flashed 12:00 because the time hadn’t been set. It’s expecting you to get the manual and set the time, and you never did.” So it goes with IoT devices, he says. “You go and buy your security camera, you screw it onto the wall, and it works. It is effectively now blinking 12:00. That’s the default password the Dyn attack was using.”

May Wang wasn’t surprised by the attack either. A few years ago, she helped launch Zingbox, a San Francisco-based security firm that focuses on IoT devices. Zingbox hosts an in-house IoT lab where engineers and computer scientists try to break a variety of connected devices. They don’t last long. “Many of them we can hack within minutes,” she says.

IDENTIFYING SECURITY FLAWS IS THE
FIRST STEP IN ETHICAL HACKING, WHERE
GOOD-GUY HACKERS USE WHAT THEY LEARN
TO IMPROVE ELECTRONIC SECURITY.

[Chart: IoT units installed (in billions) by year, split into Business and Consumer. 2016: 6.4 billion; 2017: 8.4 billion; 2018: 11.2 billion; 2020: 20.4 billion. 31% projected increase from 2016 to 2017. Consumers will represent 63% of total use in 2017. Source: Gartner, January 2017]

THE GROWING INTERNET OF THINGS
Technology research group Gartner estimates
a huge increase in IoT devices installed over
the next several years.