Security experts are both thrilled and anxious about the internet of things (IoT), the ever-growing collection of smart electronic gadgets that interact with the world around them. It includes devices like internet-connected garage door openers, refrigerators you can text to see if you’re low on milk and tennis rackets that offer tips on a better backhand — even smart sex toys. The technology research firm Gartner estimates that 6.4 billion such IoT devices were connected online in 2016, and that number doesn’t include smartphones, tablets or laptops.
But buyer beware: Smart devices prize convenience and novelty, not security. “The challenge with IoT is that the market is so enthusiastic right now — connected devices are super cool,” says Ted Harrington, a San Diego-based partner at Independent Security Evaluators, the company that first hacked an iPhone in 2007. “The problem is that this enthusiasm is really overshadowing the security challenges.”
On Oct. 21, 2016, those challenges burst out of the shadows. Three times that day, hackers launched attacks against Dyn, a company whose domain name system (DNS) servers translate the web address you type into a browser into the numeric address of the server that hosts the page — a kind of digital phone book. The onslaught persisted for six hours, blocking or slowing access to dozens of prominent websites. This type of event is known as a distributed denial-of-service (DDoS) attack: so many devices sent requests at the same time that Dyn’s systems were overwhelmed and stopped answering. It was the largest attack of its kind in history, but it won’t be the last.
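The distinguishing feature of the attack described above is that the flood came from many separate devices rather than one noisy client. The following added example (not code from the article or from Dyn) shows the simplest detection logic a DNS operator could run over a query log: bucket queries into one-second windows and flag any window whose volume is abnormal, labelling it "distributed" when the queries come from many distinct sources and "single-source" when one client accounts for them. The log format, thresholds and every address are constructed for the example; the address ranges are the reserved documentation blocks.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed query log (not real traffic). Each line is
    '<ISO timestamp> <client ip> <queried name>'. It holds two quiet
    seconds, one second in which 20 distinct clients query at once
    (the distributed pattern), and one second in which a single client
    sends 20 queries (a misbehaving client, not a botnet)."""
    lines = []
    base = datetime(2016, 10, 21, 11, 10, 0)
    for i in range(2):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.{i + 1} example.com")
        lines.append(f"{ts} 10.0.0.{i + 1} example.org")
    ts = (base + timedelta(seconds=2)).isoformat()
    for i in range(20):
        lines.append(f"{ts} 192.0.2.{i + 1} example.com")
    ts = (base + timedelta(seconds=3)).isoformat()
    for _ in range(20):
        lines.append(f"{ts} 198.51.100.7 example.com")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, name)."""
    ts, src, name = line.split()
    return datetime.fromisoformat(ts), src, name


def detect_surges(lines, window_seconds=1, rate_threshold=10, min_sources=8):
    """Group queries into fixed windows and report every window whose
    query count exceeds rate_threshold. A flagged window is classified as
    'distributed' when at least min_sources distinct clients contributed,
    otherwise as 'single-source'. Thresholds are hypothetical; a real
    deployment would derive them from the resolver's normal baseline."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src, _ = parse_line(line)
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start].append(src)

    findings = []
    for start in sorted(buckets):
        sources = buckets[start]
        if len(sources) <= rate_threshold:
            continue
        distinct = len(set(sources))
        kind = "distributed" if distinct >= min_sources else "single-source"
        findings.append({
            "window_start": datetime.fromtimestamp(start).isoformat(),
            "queries": len(sources),
            "distinct_sources": distinct,
            "kind": kind,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_surges(build_sample_log()):
        print(finding)
```

The "single-source" label matters in practice: a single client hammering the resolver can be rate-limited at the edge, whereas a distributed flood of the kind the article describes cannot be stopped by blocking one address, which is why it overwhelmed Dyn.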
Turns out, IoT played an important role in the Dyn hack. In the aftermath of the hack, security experts determined that the attackers had hijacked tens of thousands of connected household devices, including surveillance cameras, routers and DVRs, directing them to connect to Dyn at the same time. The owners likely had no idea their gadgets were causing the widespread internet slowdown they complained about on Facebook.
The most disturbing part of the hack was its simplicity. The attackers didn’t need coding chops or Hollywood movie-level hacker prowess. Instead, they commandeered devices just by logging in — using the default username and password provided by the manufacturer, which the owners had never bothered to change.
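Because the compromise described above needed nothing more than an unchanged factory password, the corresponding defensive check is equally simple: compare each device in an inventory against the manufacturer's published defaults and flag any that still match. The following added example (not code from the article or from any vendor) does that over a constructed inventory; the model names, default credentials and device records are all hypothetical placeholders, and the severity rule treats a device that is also reachable for remote administration as the more urgent case.

```python
# Hypothetical vendor default sheet, keyed by model. The models and
# credentials are constructed placeholders, not real products.
FACTORY_DEFAULTS = {
    "CAM-EXAMPLE-1": ("admin", "default-cam"),
    "DVR-EXAMPLE-2": ("admin", "default-dvr"),
    "RTR-EXAMPLE-3": ("root", "default-rtr"),
}

# Constructed device inventory for the example.
SAMPLE_INVENTORY = [
    {"id": "cam-01", "model": "CAM-EXAMPLE-1", "username": "admin",
     "password": "default-cam", "remote_admin": True},
    {"id": "cam-02", "model": "CAM-EXAMPLE-1", "username": "admin",
     "password": "correct horse battery staple", "remote_admin": True},
    {"id": "dvr-01", "model": "DVR-EXAMPLE-2", "username": "admin",
     "password": "default-dvr", "remote_admin": False},
    {"id": "rtr-01", "model": "RTR-EXAMPLE-3", "username": "root",
     "password": "", "remote_admin": True},
    {"id": "misc-01", "model": "UNKNOWN-MODEL", "username": "user",
     "password": "something", "remote_admin": False},
]


def credential_issue(device, defaults=FACTORY_DEFAULTS):
    """Return a short description of the credential problem for one
    device, or None if its credentials are neither blank nor the
    factory default. Unknown models cannot be checked against a default
    and are reported as such so they are not silently passed."""
    if device["password"] == "":
        return "blank password"
    default = defaults.get(device["model"])
    if default is None:
        return "no default sheet for model"
    if (device["username"], device["password"]) == default:
        return "factory default credentials"
    return None


def audit(inventory, defaults=FACTORY_DEFAULTS):
    """Audit every device and return findings sorted by severity.
    Severity is 'high' when the device also exposes remote
    administration, since that is the combination the article's
    attackers relied on, otherwise 'medium'."""
    findings = []
    for device in inventory:
        issue = credential_issue(device, defaults)
        if issue is None:
            continue
        severity = "high" if device["remote_admin"] else "medium"
        findings.append({"id": device["id"], "issue": issue,
                         "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["id"]))


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

An unknown model is deliberately reported rather than ignored: a device whose defaults nobody has catalogued is exactly the one most likely to be sitting on its factory settings.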