One Friday in October 2016, a big chunk of the Internet went missing.
The DNS provider Dyn, whose servers tell browsers where to find Twitter, Netflix, and thousands of other sites, had been paralyzed by bogus requests from hundreds of thousands of computers, all infected with a piece of malicious software called Mirai. But these weren’t any old computers. Many were webcams, smart light bulbs, fitness trackers, and other everyday devices that connect to the internet. Collectively, they’re known as the Internet of Things, or IoT.
As these gadgets gain new abilities, like how a wi-fi enabled doorbell might be able to unlock your front door, they also offer fresh opportunities to cybercriminals. So just how worried should you be about that smart toaster? And what can we do to make our stuff safer?
Internet of Things gadgets are vulnerable to the same takeovers as regular computers. But their access to the physical world can make the consequences much bigger. For instance, if your livestreaming dog monitor is hacked, your private data can be exposed — things like pictures of your family or the layout of your house. Or someone could make your kid’s wi-fi enabled talking teddy bear say anything. That’s pretty creepy, but it gets even scarier when you replace the teddy bear with a home security system, a car, or a pacemaker.
The damage isn’t limited to the thing that’s been hacked, either. A lot of these devices, and sometimes even your laptop, assume that they can trust other machines connected to your home wi-fi network. So if your smart water bottle is compromised, the hacker might be able to send commands to the smart lock on your door, too.
Now, there are also serious risks beyond individual owners. The most common thing that hackers do with their machine victims is weaponize them into botnets—armies of enslaved drones. Then, criminals can hide their nefarious activities behind the normal internet traffic of thousands of machines.
For example, in 2014, a massive botnet that included TVs, routers, and at least one smart refrigerator was caught sending millions of spam emails. And if a botnet like Mirai suddenly floods a company like Dyn with traffic, it can take down web services in a distributed denial-of-service attack. It’s like if your telephone were forced into a pool of a thousand auto-dialers constantly calling a pharmacy: real calls can’t get through, and there are so many involuntary fake calls that the company can’t block them all.
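Here is an added example (not from the video) of what “spotting a drone” can look like from the network side. Mirai spread by scanning for other devices on the telnet ports (23 and 2323) and trying default passwords, and an infected device taking part in a flood opens huge numbers of connections to one target. The script below applies those two heuristics to constructed flow records; the thresholds and the IP addresses are illustrative assumptions, not tuned values.

```python
"""Flag hosts on a home network that behave like Mirai-class bots.

Added example, not part of the original explainer. It runs over constructed
NetFlow-style records (ts src dst dport bytes, one per connection) and applies
two heuristics:
  1. telnet-scan: one source touches many distinct destinations on 23/2323
     inside a time window (how Mirai looked for new victims);
  2. flood: one source opens a very large number of connections to a single
     destination inside the window (a DDoS participant).
Thresholds are illustrative assumptions, not production-tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

TELNET_PORTS = {23, 2323}
SCAN_DISTINCT_DST = 20      # distinct telnet targets from one host per WINDOW
FLOOD_CONNS_PER_DST = 200   # connections from one host to one target per WINDOW
WINDOW = 60.0               # seconds


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines):
    """Parse whitespace-separated 'ts src dst dport bytes' records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        ipaddress.ip_address(src)   # raises on a malformed address
        ipaddress.ip_address(dst)
        flows.append(Flow(float(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect(flows):
    """Return {src: set(labels)} for every host matching a heuristic."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    verdicts = defaultdict(set)
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # slide the window so that it spans at most WINDOW seconds
            while fl[end].ts - fl[start].ts > WINDOW:
                start += 1
            window = fl[start:end + 1]
            telnet_targets = {f.dst for f in window if f.dport in TELNET_PORTS}
            if len(telnet_targets) >= SCAN_DISTINCT_DST:
                verdicts[src].add("telnet-scan")
            per_dst = defaultdict(int)
            for f in window:
                per_dst[f.dst] += 1
            if max(per_dst.values()) >= FLOOD_CONNS_PER_DST:
                verdicts[src].add("flood")
    return dict(verdicts)


def sample_log():
    """Constructed records: a camera scanning telnet, a bulb flooding one
    target, and a laptop browsing normally (all addresses are documentation
    ranges, chosen for the example)."""
    lines = ["# ts src dst dport bytes"]
    for i in range(25):      # camera: 25 distinct telnet targets in 25 s
        lines.append(f"{1000 + i} 192.0.2.10 198.51.100.{i + 1} 23 60")
    for i in range(250):     # bulb: 250 connections to one host in 10 s
        lines.append(f"{2000 + i * 0.04:.2f} 192.0.2.11 203.0.113.5 443 120")
    for i in range(5):       # laptop: a handful of ordinary HTTPS sessions
        lines.append(f"{3000 + i * 10} 192.0.2.20 203.0.113.{i + 1} 443 4000")
    return lines


if __name__ == "__main__":
    for host, labels in detect(parse_flows(sample_log())).items():
        print(host, sorted(labels))
```

Running it lists the camera as a telnet scanner and the bulb as a flood source while the laptop stays quiet; on a real network you would feed it exported flow data from the router and tune the thresholds to what your devices normally do.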
Now, these issues aren’t unique to the Internet of Things. But IoT devices are extra vulnerable. Manufacturers bring them to market as quickly and cheaply as possible. All too often, the place they cut corners is, you guessed it, security.
Many companies grab off-the-shelf software and don’t customize it for each device. For instance, smart light bulbs don’t need printing software, but manufacturers might not bother to delete it from the stock operating system. So if the chunk of code that accepts files for printing mistakenly allows a hacker to inject their own program, you’re in trouble. And these things rarely update automatically; nobody wants to flip the light switch and hear, “Please wait until your lights finish updating.” So even if a security bug is fixed, those app-controlled bulbs may never hear about it.
Plus, any operating system is only as secure as the password you need to log in and make changes. And manufacturers of IoT devices often set passwords to dumb, predictable defaults like “admin1234” and who wants to change the password on their smart egg tray, anyways? To make matters worse, the hardware might have too little memory and processing power to run standard defenses like firewalls, which try to block unwelcome intrusions from the internet. And how would you even know that your smart weight-loss fork is infected with a virus when its only way of communicating is buzzing?
Finally, the sheer scale of the Internet of Things intensifies the problem. Mirai grew way bigger than most botnets simply because there were so many vulnerable IoT devices. So…this can all sound pretty terrifying.
But the truth is that for now, the main threat to an average user is garden-variety data theft. Most of the fancier attacks are too difficult, and their payoffs too low, for crooks to bother. After all, if your enemies are so committed that they’ll track down your glucose monitor and hack it, you probably have other things to worry about beyond IoT security. But it may not be long before a hacker can lock your smart thermostat at its max while you’re on vacation, running up your energy bill until you pay a ransom.
If manufacturers don’t start baking security into the design of their products, experts worry that we’re heading for a trainwreck. They suggest several measures, including being selective about what data to record and encrypting whatever data is sent around. They also recommend that manufacturers set a unique default password for each device and only accept commands from someone who’s logged in. Automatically monitoring for suspicious activity would help, too.
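To make the “unique default password” and “only accept commands from someone who’s logged in” advice concrete, here is an added example that is not code from the video or from any manufacturer. It contrasts the common mistake of deriving a per-unit password from a public identifier (the serial) with a keyed derivation whose secret stays on the production line, and it shows a device-side login gate. `FACTORY_KEY`, the serial format and the command names are placeholders chosen for the example.

```python
"""Per-unit default passwords plus a login gate.

Added example, not vendor code. FACTORY_KEY is a placeholder: in practice the
key lives in the factory's HSM and never ships on the device, which stores
only a salted hash of the derived password.
"""
import base64
import hashlib
import hmac
import secrets

FACTORY_KEY = bytes.fromhex("11" * 32)   # placeholder for the HSM-held key
PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5


def weak_default_password(serial: str) -> str:
    """Anti-pattern: unique per unit, but anyone who has the serial (printed
    on the box, often embedded in the wi-fi SSID) can recompute it."""
    return hashlib.sha256(serial.encode()).hexdigest()[:10]


def factory_default_password(serial: str, key: bytes = FACTORY_KEY) -> str:
    """Keyed derivation: still unique per unit, unpredictable without the
    factory key. Base32 without padding so it fits on a printed label."""
    tag = hmac.new(key, b"default-pw:" + serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(tag[:10]).decode().rstrip("=")


def attacker_can_recompute(derive, serial: str, label_password: str) -> bool:
    """Model an attacker who knows the serial and the algorithm, nothing else."""
    return hmac.compare_digest(derive(serial), label_password)


# ---- device side ------------------------------------------------------------

def provision(password: str) -> dict:
    """Store only a salted PBKDF2 hash; force a change on first login."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "must_change": True, "failures": 0}


def login(store: dict, attempt: str) -> bool:
    """Constant-time comparison plus a lockout, so a Mirai-style credential
    list cannot be tried at line speed."""
    if store["failures"] >= MAX_FAILURES:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), store["salt"], PBKDF2_ROUNDS)
    ok = hmac.compare_digest(digest, store["digest"])
    store["failures"] = 0 if ok else store["failures"] + 1
    return ok


def handle_command(store: dict, authenticated: bool, command: str) -> str:
    """Refuse anything from an unauthenticated caller, and allow nothing but a
    password change while the factory default is still in place."""
    if not authenticated:
        return "denied: not logged in"
    if command.startswith("set-password "):
        new_password = command.split(" ", 1)[1]
        store.update(provision(new_password))
        store["must_change"] = False
        return "ok: password changed"
    if store["must_change"]:
        return "denied: change the default password first"
    return f"ok: {command}"


if __name__ == "__main__":
    serial = "CAM-2016-000123"
    print("weak  :", weak_default_password(serial))
    print("keyed :", factory_default_password(serial))
    store = provision(factory_default_password(serial))
    print(handle_command(store, False, "unlock-door"))
```

The design point is that uniqueness alone is not enough: a password anyone can rederive from the label is a default password with extra steps. The keyed version is only as safe as the factory key, which is why it must never be stored in firmware, and the lockout matters because the attacker does not need the key if the device lets them try a few thousand guesses per second.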
There are also a few steps you can take to protect yourself from your devices: You can manually check the manufacturer’s website for updates and change any passwords that the software allows you to. Don’t put webcams anywhere you wouldn’t broadcast. Isolate smart devices on separate wi-fi networks from your computers and phones. You can do that with a second router, or on some routers you can just set up a second untrusted “guest network.” And, y’know, consider whether you really need that hairbrush to connect to the internet. Ultimately, though, it’s going to take pressure from all of us.
Manufacturers need to hear that we don’t just want cool features, but guarantees that they’ll keep us safe.