It took the hackers less than two hours to take over Patsy Walsh’s life.

On a recent Friday, Mrs. Walsh, a grandmother of six, volunteered to allow two hackers to take a crack at hacking her home. How bad could it be?

Mrs. Walsh did not consider herself a digital person. As far as she knew, her home was not equipped with any “smart devices,” physical objects like refrigerators and thermometers that transmit information to the Internet. Sure, she has a Facebook account, which she uses to keep up on friends’ lives, but rarely does she post about her own.

“I don’t post things about myself and don’t really understand why other people do,” Mrs. Walsh said. “The fact you can go from one friend’s profile to their friends’ profiles is creepy. I guess you could find out a lot of information about somebody if you really wanted to.”

Indeed. Days before hackers even set foot in Mrs. Walsh’s home overlooking Mount Tamalpais in Marin County, Calif., they found her Facebook account and — though it was comparatively locked down — uncovered just enough to begin to take over her digital life. The New York Times was invited to witness the hacking, on the condition that Mrs. Walsh’s town not be named.

The twist was that once the hackers found their way in, they discovered someone else had already been there.

The hackers could see that Mrs. Walsh had liked a page organized by Change.org. That was all they needed to construct some convincing click bait. Within 10 minutes, they composed a fake email from Change.org asking her to sign a fake petition about land use in Marin County.

When that link led her to a page that asked her to enter her email address and password, she complied. To spare Mrs. Walsh any actual harm, the hackers used a service called Phish5, which does not actually store passwords and is often used by employers to test employees’ ability to spot malicious phishing cons.

Had the two been actual attackers, they would have had all the information they needed to “pwn” Mrs. Walsh — hacker speak for taking over someone’s digital life — from afar, particularly because, Mrs. Walsh confessed, she was guilty of using the same password across many accounts.

All this before they had even set foot in Mrs. Walsh’s home.

The hackers, Reed Loden, the 27-year-old director of security of HackerOne, a San Francisco security start-up, and Michiel Prins, the 25-year-old co-founder of HackerOne, were greeted warmly when they arrived at her home.

“Welcome Hackers” was scrawled on a heart-shaped chalkboard on the front door, and deviled eggs, tuna sandwiches and fresh iced tea were waiting. Mrs. Walsh said she expected the hackers would wear black, but Mr. Loden and Mr. Prins did not fit that stereotype. Mr. Loden, who hails from Mississippi, ended his sentences with a warm “thank you, ma’am” — his manners intact even while explaining that he had just hacked Mrs. Walsh’s power of attorney form.

“They’re very polite,” Mrs. Walsh noted. (Later, she invited both to Thanksgiving dinner.)

Over an hour and a half, they discovered a way to open the Walshes’ garage door. It was simply a matter of using a “brute force attack” against an older door opener. The process entailed testing thousands of code combinations until hitting the correct one. Earlier this year, the hacker Samy Kamkar demonstrated how to do this in less than 10 seconds using a Mattel toy.

Mr. Loden and Mr. Prins also found a way to intercept Mrs. Walsh’s television. A service worker had not installed her DirecTV securely, with a password, which meant anyone with knowledge of the device’s I.P. address could control the television remotely.

In this case, the hackers used their access to purchase a three-hour pass to an array of adult channels — the names of which would not be suitable for print here.

Still, Mrs. Walsh was not impressed. “What’s so wrong about getting into my TV?” When Mr. Loden pointed out that someone could blast pornography in her living room in the middle of a dinner party, Mrs. Walsh conceded, “I can see how that would be a little shocking to guests.”

From there, the hackers made their way to the back of Mrs. Walsh’s house, where her PC was waiting. With her passwords posted on the nearby router, their task was easy. Within minutes, they had not only broken into Mrs. Walsh’s email account, but also that of her daughter — who at some point had allowed the computer’s browser to auto-fill her password. (As a courtesy, the hackers made sure to send Mrs. Walsh’s daughter an email from her own account with the subject line: “Reminder: Change my password.”)

They searched Mrs. Walsh’s email for the term “SSN” and within seconds had access to her Social Security number, her PayPal account, her air miles account and her insurance information. They had even gotten their hands on her power of attorney form.

What’s worse, they weren’t the only ones with access to all of the above. Mr. Loden and Mr. Prins ran a scan for malicious programs running on Mrs. Walsh’s machine and found roughly 20, including InstallBrain, an installer that can download malicious programs on demand, like one that helps attackers mine for Bitcoin. Others, like DefaultTab, FunWebProducts, SearchProtect, SlimCleaner and Supreme Savings, can change a victim’s home page, spy on search and browsing histories, or replace ads on websites like Facebook and Google with intrusive programs.

After they were through “pwning” Mrs. Walsh, the two hackers sat down with their victim for a debriefing. Critical points were that Mrs. Walsh needed a new garage door opener, a password for her television and a password manager to help her set unique and far more complicated passwords for each of her accounts.

The hackers advised her to turn on two-step authentication, a service that sends a second, one-time password to users’ phones when they try to log in from an unrecognized machine. They also gave her a quick lesson in phishing attacks and a lecture on the importance of installing software updates.

Best to switch on automatic updates, they said, for core services like Apple’s iOS operating system, Google’s Chrome browser and Windows. And, they said, her PC needed to be completely wiped. The good news was they promised to return to do this for her, possibly when they visit for Thanksgiving dinner.