Earlier this month, hackers used a massive botnet to spam Dyn, a domain name service provider, and block access to dozens of popular websites. It turns out the worm that recruited the botnet targeted IP-connected devices, including an old brand of webcam popular in warehouses and industrial settings.
Scanning the internet for open ports, the Mirai worm connected to unsecured devices and ran through a common dictionary of default passwords, including xc3511, which unlocked the webcams. (There's a good writeup on the mechanics of the bot here.)
Let me first say that this didn't affect many residential users. Very few people plug their devices directly into their modem; pretty much everyone filters their traffic through a router, which has ample safeguards. Plus, many of the devices targeted by Mirai were super old.
I'm Andrew McGill, a product builder who turns delightful ideas into real things.
All the same, I wondered if this was really a big deal. The internet is huge—there are so many IPv4 addresses out there. Even if I had been playing fast and loose with security, weren't the odds astronomically small that a hacker would randomly happen across my server and take notice?
So I devised an experiment.
I decided to set up a honeypot—a purposefully unsecured server that would give hackers the illusion of control, but would actually record their keystrokes and IP addresses. I could have used a Raspberry Pi and connected it to my home router (using port forwarding to bypass security), but in the interest of time, I ended up running a virtual server through Amazon's EC2 service.
I wrote a Node script that mimicked a Telnet login on port 23, asking for a username and password, and delivering a faux shell prompt. To a hacker's scanning script, it would look like a real Telnet server. In honor of one of the internet's first connected devices, I had it masquerade as a web-connected toaster. Here's what the hacker would have seen when they tried to log in:
I set the thing up and stepped away, expecting to wait a while before recording a hacking attempt. Wrong. The first unauthorized login came within an hour, using root:root as login credentials.
Over the course of the next 12 hours, the server registered around 300 attempted hacks. I wrote about this experiment for The Atlantic here (and talked about it on All Things Considered!)
I admit that this project is flawed in a few ways:
I did get a few tweets that linked to this xkcd comic, the thought being that my experiment is nothing new: Security folks have been setting out unsecured honeypots for years.
That said, I think this story illustrates a few things that most people didn't know:
My toaster experiment isn't a situation most consumers will face. But it's an accurate analog to the plight of the kinds of unsecured devices harnessed by the Mirai botnet, and shows how quickly they can be pulled into a hacker's thrall.