Attacking A Virtual Toaster: An Experiment Shows How Quickly The Internet Of Things Can Be Hacked : All Tech Considered Reporter Andrew McGill set up a fake Internet-connected toaster to see how long it would take hackers to find it. He thought it would take days, but to his surprise it was under attack within minutes.
NPR logo

An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

An Experiment Shows How Quickly The Internet Of Things Can Be Hacked

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


The Internet can be a dangerous place, hackers, bots and viruses prowling the web, trying to turn your machines into zombies. Last month, a massive network of hacked devices helped temporarily shut down Twitter and other websites. Journalist Andrew McGill devised an experiment to find out how bad it is out there. He wrote about his findings in The Atlantic and joins us now. Welcome.


SHAPIRO: Tell us what your experiment was.

MCGILL: Well, I kind of wanted to see, if I put something unsecured on the internet - if I just plugged it in - how long would it take for a hacker to find it and hack into it? So when this botnet took down all these computers a few weeks ago, there were thousands and thousands of devices that had been compromised.

But I always had kind of thought, you know, if I'm lax with security in my own personal life, it won't be a big deal because the internet is huge. You know, there's millions and actually billions of IP addresses, each one with a computer behind it. Why would a hacker find me? So I kind of devised this thing where I built a virtual internet-connected toaster, as I called it. And I put it online and saw how quickly it took for someone to compromise it.

SHAPIRO: How long did you expect it would take before the first hacking attempt came?

MCGILL: Well, I had talked to some experts. And I was fully expecting maybe a week - maybe never - certainly not less than a day. But it came a lot sooner.

SHAPIRO: How soon was it?

MCGILL: It was 41 minutes.

SHAPIRO: And how soon after that was the second attempt?

MCGILL: Within 10 or 15 minutes.

SHAPIRO: And the third (laughter)?

MCGILL: Another 10 or 15.

SHAPIRO: But with so many devices online, how did they find you so quickly?

MCGILL: Yeah. Well, you know, this is the thing. People probably think of a hacker as behind their keyboard and prowling for folks that are vulnerable. Really, they write scripts, and they write bots that do that prowling for them. They will actually randomly scan ports, which are essentially ways into computers, across the entire internet. And the thing is, you know, our technology has advanced to a degree that you can actually reasonably expect to scan the entire internet in a few hours.

SHAPIRO: You weren't trying to secure this device. Would it have been easy to secure it if you had wanted to?

MCGILL: Yes, absolutely. And this is the thing that I always want to make clear to the readers - is that if you are plugging in your internet toaster into your home Wi-Fi or into your home router, you already have a layer of security. And that's your router. It's essentially a device that makes sure that incoming connections don't get through to your devices that would be malicious. This was a little bit different. This mimicked more the simpler devices that were attacked in the Mirai botnet.

SHAPIRO: That's the botnet that took down Twitter, et cetera a couple of weeks ago.

MCGILL: Correct. They are more vulnerable because they don't have that layer of protection between them and the modem, which connects directly to the internet. So your average consumer has that layer of protection. But that protection can be breached sometimes, too.

SHAPIRO: As you were watching these hacking attempt on your fake toaster, could you tell - oh, that one's coming from China. That one's coming from Russia. That one's coming from North Korea or wherever.

MCGILL: Yeah, I could. I could log the IP addresses. And you can actually geolocate those to see where they're coming from. I don't really trust those because you can easily spoof an IP or have a proxy server to make it look like you're coming from somewhere else. But they were all over the map. There actually was one as close as Ohio, which I thought was funny.

SHAPIRO: Should we all just resign ourselves to getting hacked? Should we be putting up virtual walls? What should we be doing?

MCGILL: I think, again, for the average consumer, we've figured this out to some degree. We have basic security in place in modern devices that screen out the most obvious attacks. Really, getting phished, if you will, is more of a problem, where you are tricked in surrendering your password or username to a common service.

SHAPIRO: Clicking on an attachment or something - phishing with a P-H.

MCGILL: Exactly. If you plug in your webcam into your router or to your Wi-Fi, you're relatively safe. I think the biggest security concern for folks at home would be if their router, actually, is old and might have an easily guessed password - that someone could gain control. Most modern devices don't have that problem. But that certainly is a concern for older devices.

SHAPIRO: Andrew McGill's with the Atlantic. Thanks for joining us.

MCGILL: Thank you.

Copyright © 2016 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.