One winter morning in 2015, as he left for work from his home in Silver Spring, Md., Jonathan Margulies pushed the button on his remote to close his garage door. Nothing happened. He tried again. Nothing. The motor was shot.
He ended up replacing it with a “smart” opener that not only lifted and lowered the door, but also connected to the internet. With a swipe on a smartphone, Margulies could operate the opener, and if he left the door open, the opener would send him a text. He could close it from anywhere. It’s particularly appealing to people like Margulies, who occasionally panic, in the crush of rush hour, that they’ve left their homes wide open and defenseless. To some, the smart opener may seem a godsend.
But Margulies, 36, isn’t just any consumer. For more than a decade, he’s worked as a cybersecurity expert, doing vulnerability and security assessments for Sandia National Laboratories and the National Institute of Standards and Technology, and more recently, for the U.S. Department of Justice. One area of his expertise is identifying security flaws in a company’s digital infrastructure or product by thinking and acting like malicious hackers.
Identifying security flaws is the first step in ethical hacking, where good-guy hackers — the kind you want on your side — use what they learn to improve electronic security. They tend to be obsessive, passionate and sleep-deprived. When they see cracks in the virtual world, they want to peek through to discover what’s on the other side.
They’re becoming increasingly important, and visible: In May, another good-guy hacker, an attentive 22-year-old in the U.K., spotted an unfolding global cyberattack named WannaCry and successfully stopped the attack.
For these “white hat” hackers, the key to building a successful defense is to find weaknesses and fix them before someone else breaks in. Given the ubiquity of online communication, plugging security flaws is critical at all scales, whether it’s protecting someone’s bank account or, say, preventing the hacking of political campaigns to influence a national election.
Margulies acknowledges he’s not a great hacker — he’s better at identifying security vulnerabilities than actually replicating the destructive coding and social engineering tactics of malicious hackers. But searching for electronic fault lines is still second nature, even when he’s not at work. “You can’t help trying to break things all the time,” he says. So, there he was, in 2015, with a brand-new gizmo in hand, a new system to break.
He wanted to know: How vulnerable is this new garage door opener? Could someone hack it and enter uninvited? A smart opener connects to his home network, so just as a burglar who gets into a house could rummage from room to room, a malicious intruder who’s taken control of the garage door could access every other connected device in the home — phones, televisions, laptops and all their data.
It’s home invasion, in bed with identify theft.
So Margulies began to map fatal flaws in his new opener’s digital design. Could he, effectively, break into his own house?
Hack All the Things!
Security experts are both thrilled and anxious about the internet of things (IoT), the ever-growing collection of smart electronic gadgets that interact with the world around them. It includes devices like Margulies’ new garage door, as well as refrigerators you can text to see if you’re low on milk and tennis rackets that offer tips on a better backhand — even smart sex toys. The technology research firm Gartner estimates that 6.4 billion such IoT devices were connected online in 2016, and that number doesn’t include smartphones, tablets or laptops.
But buyer beware: Smart devices prize convenience and novelty, not security. “The challenge with IoT is that the market is so enthusiastic right now — connected devices are super cool,” says Ted Harrington, a San Diego-based partner at Independent Security Evaluators, the company that first hacked an iPhone in 2007. “The problem is that this enthusiasm is really overshadowing the security challenges.”
On Oct. 21, 2016, those challenges burst out of the shadows. Three times that day, hackers launched attacks against Dyn, a company that reads the URL you type in a web browser and directs you to a webpage — a kind of digital phone book. The onslaught persisted for six hours, blocking or slowing access to dozens of prominent websites, including Netflix, Twitter and Amazon. This type of event is known as a distributed denial-of-service (DDoS) attack, which means so many devices sent simultaneous requests that Dyn’s system was overwhelmed and broke down. It was the largest attack of its kind in history, but it won’t be the last. (May’s cyberattack, which spread to hundreds of thousands of users in 150 countries, used a different tack to hold computers hostage.)
Turns out, IoT played an important role in the Dyn hack. In the aftermath of the hack, security experts determined that the attackers had hijacked tens of thousands of connected household devices, including surveillance cameras, routers and DVRs, directing them to connect to Dyn at the same time. Such a collection of co-opted, zombie devices is called a botnet, and the owners likely had no idea their gadgets were causing the widespread internet slowdown they complained about on Facebook.
The most disturbing part of the hack was its simplicity. The attackers didn’t need coding chops or Hollywood movie-level hacker prowess. Instead, they commandeered devices just by logging in — using the default username and password provided by the manufacturer, which the owners had never bothered to change.
“Remember when everybody had a VHS player in their living rooms?” asks Mikko Hypponen, a Finnish computer security expert. “It always flashed 12:00 because the time hadn’t been set. It’s expecting you to get the manual and set the time, and you never did.” So it goes with IoT devices, he says. “You go and buy your security camera, you screw it onto the wall, and it works. It is effectively now blinking 12:00. That’s the default password the Dyn attack was using.”
May Wang wasn’t surprised by the attack either. A few years ago, she helped launch Zingbox, a San Francisco-based security firm that focuses on IoT devices. Zingbox hosts an in-house IoT lab where engineers and computer scientists try to break a variety of connected devices. They don’t last long. “Many of them we can hack within minutes,” she says.
It’s not just about changing passwords. (See “Protect Yourself,” page 55.) Wang says the 2016 Dyn attack shows the vulnerability that hides within smart devices. “The whole point of IoT is to connect everyone with everyone else, everything with everything else.”
The primary challenge of IoT security is the trade-off between protection and connection. “We have to assume the good guys and bad guys will be mixed together,” Wang says. “Who’s the bad guy? And who’s the good guy?”
There are real consequences. The wrong answer to that question can prove quite expensive. (See “Who’s Who of Hacks,” this page.)
Hackers Gonna Hack
When good-guy hackers approach a new project, they start by asking simple questions, such as who needs to be protected and who must be kept out. So when Margulies sat down with his garage door opener, he knew where to start. Could it let him control the door while keeping hackers out?
First, he thought about regular garage door openers. They’re easily hacked by buying a replacement remote at a hardware store and, with a few minutes in the victim’s garage, syncing it to the opener. Or, with a little more work, he could digitally eavesdrop on the code sent from the remote to the opener. With such weak security, garage doors have always been more symbolic than protective, he concluded.'
Who’s Who of Hacks
The internet of things isn’t the only vulnerable target. In May, hackers unleashed a cyberattack named WannaCry that crippled hundreds of thousands of computers in 150 countries by exploiting a susceptibility in Microsoft Windows. It was an example of ransomware, malicious computer code that disables a system until the victim pays a hefty fine. In this case, the hackers wanted $300 to unlock infected machines. (Experts advised victims not to pay, as it’s uncertain if they’d get their files back, and it encourages more attacks.)
Ransomware attacks are rising. In January, the St. Louis Public Library network became infected. Library patrons couldn’t check out books, and the library’s computers were disabled. The perpetrators demanded $35,000 in bitcoins, a digital currency that’s difficult to track. Last November, hackers disabled ticketing systems at San Francisco’s public light-rail system and demanded $73,000, also in bitcoins. In March 2016, ransomware crippled hospitals in Maryland and Kentucky. None of these institutions paid the ransom (though some, in other attacks, have); all of them have restored their systems, typically by erasing affected servers or computers and restoring the data from backups.
Even worse, adversaries are starting to play the long game — getting into a network and staying there without being detected. They find a weak entry point into a system, and use it to gain access. “Professional hackers have got that down to a science,” says Brian Varine of the U.S. Department of Justice Security Operations Center. “They get in, and stay in.”
So it went with a 2013 hack of Target stores across the country. Attackers used login credentials for an HVAC company to access Target’s network, and from there they could access cash machines and install software to poach credit card information. Losses to the store were estimated at $420 million. Zingbox co-founder and CTO May Wang describes this as a steppingstone attack: Hackers sneak in through a weak link and lie in wait for a bigger score.
Hacking methods are getting even more insidious, too. In late 2016, Finnish computer security expert Mikko Hypponen’s employer, F-Secure, began tracking a gang of hackers who released a piece of malware called Popcorn. It encrypts a person’s files until the victim pays 1 bitcoin (about $2,900 at press time). Victims who can’t pay can get their files back for free if they infect two of their friends, and the friends pay their ransom.
“Holy hell, that’s devious,” Hypponen says. “It’s almost hard to be angry at these guys when they’re so creative. It’s really nasty, but really clever.”
But smart openers are different. They’re not just a risk for the homeowner — they put a whole community of homeowners at risk. A successful hacker could access thousands of IoT openers and, in theory, send out a signal to open all those doors simultaneously, turning closed doors into invitations. Margulies saw that the opener’s password reset system only required an email address, which was a terrible approach. Any hacker who gets into someone’s email account can simply search for password reset instructions and sail into the system. Margulies also noticed that the only information he had to supply to the company was his street address. That, too, was a bad move: It means that an attacker who gets into the company’s system can simply pull up the list of addresses, a directory of vulnerable openers ripe for the picking.
As a responsible hacker, Margulies emailed his concerns to the manufacturer. He outlined the flaws and the risks they carried — and stashed the internet-connected part of the device in his closet, relying instead on old-school offline functionality.
Knowing whom and what they’re up against is a key part of being a white hat. “We used to have only one enemy,” says Hypponen, who launched his hacking-for-good career in the early 1990s, when few devices were online. His early investigations of computer-based crime focused on malware that spread via floppy disks — magnetic storage devices that look like plastic squares and could store about one-third of a pop song. “The attacker at that time was very, very simple to define,” he says. “All the attacks, all the viruses were being written by bored teenage boys.”
Hypponen received his first home computer when he was 13, in early 1984. His response was powerful and irreversible. “I immediately was lost into it.” Electronic devices and hacking culture have co-evolved in the decades since then, but he says at least one thing hasn’t: People who discover hacking as a vocation know it from a young age.
“I think the best hackers have pretty much always known that they’re good at this,” he says. “They’re probably mathematically gifted, or gifted to do technical stuff. Geek stuff.” Hackers were the kids who walked down the street with their parents’ automatic garage door openers, holding down the button to see which doors would open.
Talented hackers, Hypponen says, analyze a system and see something different from what the designers intended. For example, say you wanted to break into a system through its login screen. But instead of typing a login name, you do something radically different — like copy and paste a massive image in the username box. “Maybe the creator of the website didn’t think of that, and it breaks the system,” says Hypponen. If the hacker is lucky, he says, that crack exposes a vulnerability.
People interested in tinkering with software often end up breaking the law, but nowadays they also have legitimate avenues of expression. Hypponen points to “bug bounties” — reward money offered by companies to hackers who expose flaws. “You can try to break the system, and you have permission to do it,” he says. “Use your skills, scratch your itch. I know people who live on bug bounties.”
F-Secure, the company Hypponen works for, encourages people to try to break into their system. “If we have vulnerabilities in our servers or software, we want you to tell us,” he says. “We want you to sell that information to us, not to others.”
With Our Powers Combined
It’s a change in culture that has benefited people like Samy Kamkar. He began intruding into private online communities as a teenager, and he attended his first DEFCON convention — which has become the best-known underground hacking conference in the world — at age 14. Now 31, the Los Angeles-based Kamkar hosts a popular YouTube channel called Applied Hacking, where he exploits security weaknesses in everyday objects like combination locks, locked cars and locked computers. His views number in the millions.
In one memorable episode, he hacked the wireless doorbell of Matt, his best friend. Kamkar learned how to make the doorbell ring by sending a text. This led to real-time slapstick: Kamkar texts, the doorbell rings, Matt steps outside, repeat. Kamkar calls the hack “Digital Ding Dong Ditch.” After an hour of ghostly ringing, Matt called Kamkar, suspicious.
Kamkar says pure curiosity, not malice, inspires his adventures. “I’ll have an idea or want to understand something,” he says. “What keeps me up at night — in a good way — is, what’s the next thing that can be done? What’s the cutting-edge stuff?”
Hacking may seem a solitary sport, but Kamkar sees value in collaboration, which is why he shares what he learns. “The people I hang out with are friendly hackers,” says Kamkar. “If I’m putting stuff out there other people can use, they will think of something I never will. That will basically catapult me into the future. We’re raising each other up.”
That idea resonates at the IoT Village, an event organized by Ted Harrington’s company, Independent Security Evaluators. There, hackers solve challenges, like finding known vulnerabilities in an IoT device or finding unknown security flaws in new devices. At an IoT Village event last year, one of the prizes was a smart TV — the one the hackers had just hacked.
“We’re getting everyone together who is equally passionate about solving security problems,” Harrington says. “They’re competitive against themselves, and against the status quo.”
Collaboration is necessary to outrace malicious actors in the near future, Harrington, Wang and others say. Medical devices, transportation infrastructure and the electric grid are all vulnerable. Harrington worries botnet and other attacks will get worse before they get better, and he doesn’t think consumers learned any lessons from last year’s Dyn hit. They’re still not going to change their factory-set passwords. Such an attack would still probably be successful today, he says. People won’t get serious about security — updating firmware, disabling unwanted features and unplugging devices when not in use, for instance — until tragedy strikes, “when we see an incident of someone getting hurt or killed with a connected device.” People don’t know how close they come, on a daily basis, to a potentially devastating hack.
That’s why white hats continue to look for flaws and point them out to make things better. Margulies ultimately received a letter back from the garage opener manufacturer, which said it would look into how best to address the security issues. White hats’ work can only go so far; it’s up to consumers to demand security, and to developers to take it seriously.
Harrington says developers need to identify potential hacks and threats early in the design process, especially for IoT objects, and build in protections to the finished product. In addition to better protecting people, this approach will cost companies less money in the end. This isn’t an issue of complexity, he says; it’s an issue of priorities: “It’s not very difficult at all for a manufacturer to adequately build security in.” Even though experts disagree on the best way to build in security, designers could start simply by requiring users to change passwords during setup, collecting less personal data, or even allowing consumers to opt out of data collection.
It’s no secret today’s smart devices aren’t smart on security. Harrington compares the devices to cars: “Volvo has an amazing reputation as being safe. Someone who cares about safety is willing to pay a premium to buy a Volvo,” he says. “Today, in the IoT, you don’t have a choice to buy the Volvo version of a safe product. All you can buy are the ones with shitty airbags.”
Cyberattacks succeed when people don’t take basic precautions. Here are five ways you can protect your digital self.
1. Set that password yourself! Smart devices come with a default password; change it as soon as you can. Hackers know that most people don’t, which means they can easily break in. For your other gadgets: If it has a password, change it. This goes for devices, routers, email accounts and phones.
2. Cover your webcam. Cameras are easy to hack, but there’s an easy fix: Cover the lens with a piece of tape. Then even if you get hacked, they won’t be able to see anything. Last fall, former FBI Director James Comey reported that he does it, as do other government employees.
3. Use two-factor authentication if possible. Many apps now offer this extra layer of security, which requires some kind of additional check that you are who you say you are. Examples include texting a code to a secure phone number in addition to a standard password, or requiring a physical ATM card and PIN.
4. Back up your files. If you do get struck by ransomware, experts advise against paying the attackers, who might not ever help. Instead, regularly back up your data and files on an external, offline hard drive.
5. Keep up with software security updates. The global cyberattack in May exploited a vulnerability in Microsoft Windows — but a patch had been available since March. Machines with the patch were impervious.