More than 100,000 Internet-connected home consumer devices, including a refrigerator, spammed enterprises and consumers worldwide for about two weeks, between Dec. 23 and Jan. 6, according to security firm Proofpoint.
The devices were part of a botnet that sent out 750,000 spam emails, the company claimed.
The attack apparently featured waves of emails sent in bursts of 100,000 at a time, three times daily, with no more than 10 being sent from any one IP address.
“I don’t think any security software company is able to detect such a small amount of emails that have little or no characteristics in common,” Sorin Mustaca, an IT security expert at Avira, told the E-Commerce Times.
Considerable work, including deep analysis, is required to identify the device sending out spam, and security companies “receive millions of emails every month and only perform deep analysis if we have a very strong indication that there is [something] suspicious going on,” Mustaca said.
Proofpoint did not respond to our request to comment for this story.
The consumer gadgets involved in the botnet included home-networking routers, connected multimedia centers, TV sets, and at least one refrigerator, Proofpoint said.
About 25 percent of the spam emails apparently were sent from those devices.
In many cases, the devices were exploited because they had been misconfigured or still used default passwords, leaving them exposed on public networks and available for takeover and abuse, Proofpoint claimed.
“Who would bother to identify these devices?” Mustaca asked.
“This is less a refrigerator issue than it is a general botnet issue,” Ken Westin, security researcher for Tripwire, told the E-Commerce Times.
Deconstructing the Botnet Report
Proofpoint’s figures make for interesting math. If 750,000 spam emails were sent out and, say, 25 percent were generated by home appliances and similar devices, that would mean those items sent out 187,500 emails.
About 100,000 such devices were involved, which means each of them could generate no more than two emails. That’s a pathetically small figure for an attack running for two weeks.
“Considering there are not so many Internet-connected devices [out there] these days, I wonder if the effort [to hack them] is worth it,” remarked Mustaca.
Proofpoint “has not provided a lot of proof or offered more information to other security researchers, so it is difficult to verify their findings,” Westin said.
The Possibility of a Hack
Some of the new Internet-connected devices could be fairly easy to compromise, because they are usually not audited for security, and they lack the security protections more traditional devices have. They are rushed to market without the ability to be updated with security patches, and they usually have default passwords, Westin pointed out.
Such devices constitute “the lowest-hanging fruit for the take,” Tommy Chin, technical support engineer at CORE Security, told the E-Commerce Times.
“Botnet owners will attempt to exploit these devices first, since they are normally never monitored,” Chin explained. “A normal person wouldn’t ever try to log in to his or her refrigerator.”
So, when an Internet-connected device is hacked, the chances are “very high” that hackers will maintain access to it for the rest of its useful life, Chin said.
The security and privacy challenges posed by the IoT were first raised in 2010, but action on this issue has been limited.
The United States Federal Trade Commission is looking into the possibility of the IoT being hacked, and it has invited public comment on this issue in addition to holding workshops.
In its comments on the issue, the Center for Democracy & Technology warned that the IoT poses acute privacy and security challenges.
Protection Against IoT Hacks
“It’s going to be very hard for consumers to protect themselves with proprietary hardware such as washers, dryers and fridges, without significant help from the makers of these devices,” Mathieu Baissac, a security expert at Flexera Software, told the E-Commerce Times.
“These devices often run on proprietary or highly configured OSes, so coming up with a consistent solution will be tricky,” Baissac continued. “The best consumers can do is push for producers to include more security and easier updating capabilities.”
Homeowners should look for trusted people in their area, Core Security’s Chin suggested, who are willing to do some security work on the side.