ILLUSTRATION BY SERGEY KOSTIK

STANDARDS

NGSS: Core Idea: PS4.C

CCSS: Writing Standards: 1

TEKS: 6.3, 7.12B, 8.5A, 1.3B

You've Been Hacked!

Many of the devices people own connect to the internet—and that’s making the web vulnerable to attack

ESSENTIAL QUESTION: What is a cyberattack? How does one happen?

On October 21, people across the U.S. suddenly couldn’t access many of their favorite websites, including Twitter, Netflix, and Spotify. It turned out that hackers—people who use computers to gain unauthorized access to online data—had managed to cause a large chunk of the internet to stop working.

The shutdown was the largest cyberattack ever (see Access Denied). And it was all thanks to everyday gadgets, like baby monitors and webcams. The hackers gained access to these innocent-looking objects and turned them into an army to take down the internet.

Most people don’t realize that these devices are connected to the internet, but they are. They even have a nickname: the Internet of Things (IoT). As this web of interconnected devices grows, experts warn that people will become more vulnerable to these attacks in the future.

On October 21, people across the U.S. suddenly couldn’t access many popular websites. Twitter, Netflix, Spotify, and other favorites were blocked. The problem was hackers—people who use computers to gain access to online data without permission. They had caused a large chunk of the internet to stop working.

The shutdown was the largest cyberattack ever seen (see Access Denied). And it was all thanks to everyday gadgets that many people own. The hackers had gained access to innocent-looking objects like baby monitors and webcams. They turned these objects into an army to take down the internet.

Most people haven’t thought about these devices being connected to the internet. But they are. They even have a nickname: the Internet of Things (IoT). This web of linked devices is growing. And experts warn that people could become open to more of these attacks in the future.

A NEW THREAT

The target of the October cyberattack was Dyn, a company headquartered in New Hampshire. Dyn’s work is critical for the internet to function properly. It monitors and manages online traffic to improve the operation of the internet’s infrastructure—all the hardware and software systems that make up the web.

The hackers disrupted this infrastructure by using a distributed denial of service attack. This type of attack uses multiple computers to overwhelm a website’s or company’s servers with information. Servers are centralized computers that store data that can be accessed by other computers. The more computers hackers have under their control, the more damage they can do.

The target of the October cyberattack was Dyn, a company with headquarters in New Hampshire. Dyn’s work is important for the internet to work properly. It tracks and manages online traffic to improve the operation of the internet’s infrastructure. That’s all the hardware and software systems that make up the web.

The hackers found a way to disrupt this infrastructure. They used a distributed denial of service attack. This type of attack uses many computers to swamp a website’s or company’s servers with information. Servers are centralized computers that store data. Other computers can access this data. The more computers hackers can control, the more damage they can do.

Usually, servers like Dyn’s are far too numerous to overpower with a distributed denial of service attack that’s launched using computers. But the Internet of Things has changed hackers’ approach. “All of these IoT devices are essentially computers,” says Matt Green, a cybersecurity professor at Johns Hopkins University in Maryland. “And we’re networking huge numbers of these machines, so they have unprecedented power to do bad things if they’re compromised.”

The hackers used a computer virus to take control of a huge number of IoT devices (see How Computers Get Infected). Computer viruses are programs that can infect a system and replicate, like a biological virus. The hackers soon had a gigantic botnet, or group of infected computers, under their control.

Usually, a distributed denial of service attack won’t work on servers like Dyn’s. The company has far too many servers to overpower. But the Internet of Things has changed hackers’ approach. “All of these IoT devices are essentially computers,” says Matt Green. He’s a cybersecurity professor at Johns Hopkins University in Maryland. “And we’re networking huge numbers of these machines, so they have unprecedented power to do bad things if they’re compromised.”

The hackers used a computer virus to take control of a huge number of IoT devices (see How Computers Get Infected). Computer viruses are programs that can infect a system. They spread by making copies of themselves, like a biological virus. The result was a vast botnet, or group of infected computers. And it was under the hackers’ control.

Computer security and digital privacy experts warn that this is just the beginning. “From the moment we started plugging in our refrigerators and coffee pots and forks and underwear to the internet, we were at risk,” says Woodrow Hartzog, a law professor at Samford University in Alabama. “Every new device is something for hackers to attack and use.”

Computer security and digital privacy experts warn that this is just the beginning. Woodrow Hartzog is a law professor at Samford University in Alabama. “From the moment we started plugging in our refrigerators and coffee pots and forks and underwear to the internet, we were at risk,” he says. “Every new device is something for hackers to attack and use.”

LIVING ONLINE

Today, you can control a thermostat or security camera from your smartphone. But in the future, more and more aspects of our modern life will become hooked into the web.

Someday soon, many Americans could find themselves living in “smart cities” (see City of the Future). There, driverless cars will communicate with the road and tell your house when to expect your arrival. Wearable devices that track your mood will tell your speakers what music to play as you walk in the door. And your refrigerator will notice that you ran out of milk and have a fresh order of groceries waiting.

Today, you can control a thermostat or security camera from your phone. But that’s just the beginning. More and more parts of our modern life will soon become hooked into the web.

Someday soon, many Americans could find themselves living in “smart cities” (see City of the Future). Driverless cars will communicate with the road. They’ll tell your house when you’ll get home. Wearable devices will track your mood and tell your speakers what music to play as you walk in the door. And your refrigerator will notice that you ran out of milk. It will have a fresh order of groceries waiting.

This may sound like a far-off dream. But experts predict that the number of internet-connected devices will triple by 2020. At that point, there will be nearly 21 billion IoT gadgets constantly relaying vast amounts of data around the world.

This may sound like a far-off dream. But experts predict that the number of internet-connected devices will triple by 2020. At that point, nearly 21 billion IoT gadgets will be in operation. They’ll constantly send vast amounts of data around the world.

LOCKING IT DOWN

The single biggest problem with most IoT devices is a lack of security features. “Companies are willy-nilly hooking everything up to the internet that they can,” says Hartzog. “But they’re not investing the resources to make sure what they connect is properly protected.”

A single Chinese company called XiongMai Technologies made most of the security cameras and DVRs involved in the Dyn attack, and many of the devices used the same password. “They have obvious default passwords like ‘password’ or ‘123456789’ built into them,” says Green. The computer virus used in the attack was able to guess these quickly. If a virus can hack one, it can hack them all. Once it infected one machine, it scanned for more and spread.

Most IoT devices have the same big problem. They lack security features. “Companies are willy-nilly hooking everything up to the internet that they can,” says Hartzog. “But they’re not investing the resources to make sure what they connect is properly protected.”

One company made most of the security cameras and DVRs used in the Dyn attack. Many of the devices had the same password. “They have obvious default passwords like ‘password’ or ‘123456789’ built into them,” says Green. This made things easy for the computer virus used in the attack. It was able to guess the passwords quickly. If a virus can hack one, it can hack them all. The virus infected one machine, and then it scanned for more and spread.

CONNIE ZHOU/GOOGLE/ZUMAPRESS.COM

COOL DATA: A technician checks the cooling pipes that prevent servers from overheating.

Changing the factory-set default passwords of many IoT devices is often impossible, says Green. They don’t often come with a keyboard or screen. Worse, manufacturers have little incentive to update the devices’ security settings. Unsecured IoT devices will remain online until consumers deactivate them. And unless they do, the devices will remain a target.

Some people may not care if their high-tech devices are hacked. But these security vulnerabilities also put a person’s privacy at risk. Recently, hackers discovered that it was possible to take control of smartphones through a surprising IoT appliance—a slow cooker. That meant pictures, texts, and emails were visible to the hackers and vulnerable to theft.

You can’t just change the default passwords that were set in the factory. That’s often impossible, says Green. And manufacturers don’t have much reason to update devices’ security settings. Unsecured IoT devices will remain online until buyers quit using them. Unless they do, the devices will stay a target for hackers.

Some people may not care if their high-tech devices are hacked. But these security weaknesses also threaten a person’s privacy. Recently, hackers found a way to take control of smartphones through a surprising IoT device. They hacked a slow cooker. That meant hackers could see and steal pictures, texts, and emails.

AN UNCERTAIN FUTURE

The IoT is new, but it might already have expanded too widely to fix. “In our rush to put the internet in everything, we’ve forgotten that almost all of our critical infrastructure is online,” says Hartzog.

Without strong regulations, Hartzog says, it will be hard to force companies to secure their IoT devices. That means even bigger attacks on public utilities or financial systems are likely.

The IoT is still new. But it might already have spread too widely to fix. “In our rush to put the internet in everything, we’ve forgotten that almost all of our critical infrastructure is online,” says Hartzog.

Hartzog thinks strong regulations are needed. Without them, it will be hard to force companies to secure their IoT devices. That means even bigger attacks are likely. Hackers could target public utilities or financial systems.

ETHAN PINES/THE NEW YORK TIMES/REDUX

SAFE AND SECURE?: A guard watches over a data center in Las Vegas, Nevada.

So what can you do? Hartzog says to make sure the IoT devices you buy are from a reputable company that will update its software regularly. If you can’t be sure, try protecting your home’s wireless network, which connects devices to the internet. You can do this by setting up a firewall—a computer program that blocks unauthorized access.

“Cybersecurity is only as good as your weakest link,” Hartzog says. “When our weakest link is a coffee pot no one has thought to update in years, we’re in danger.”

So what can you do? You don’t have to quit buying IoT devices. But Hartzog says to make sure they’re from a trustworthy company that will update its software regularly. If you can’t be sure, take more action. Try protecting your home’s wireless network, which connects devices to the internet. You can do this by setting up a firewall. That’s a computer program that blocks access without permission.


CORE QUESTION: Has your view of internet-connected gadgets changed after reading the article? If so, how? If not, why? Support your answer with evidence from the article.
