Is your fridge really a spambot in disguise?

Security-as-a-service provider Proofpoint set the tech news wires buzzing this month with a report claiming to detail the first proven cyber attack based on the internet of things (IoT). But some experts have credible questions about its veracity.

The report details an alleged global attack campaign that saw more than 750,000 malicious emails sent by more than 100,000 connected consumer devices including home routers, multimedia centres, televisions and at least one smart fridge.

Proofpoint said the connected devices were compromised and melded into a botnet, nicknamed a ‘thingbot’ in the report, and used to send mass emails daily. Many of the devices were allegedly accessible via open telnet and SSH ports and had open SMTP servers.

The report specifically details an attack which took place between 23 December and 6 January, and involved the botnet sending malicious email to both enterprises and consumers. According to Proofpoint, more than 25% of the volume of emails were sent by IoT devices, representing an average of 75,000 emails per day. No more than 10 emails were initiated from any single IP address, the report states.

In a statement, Proofpoint general manager for information security David Knight suggested that connected consumer devices will increasingly become prime targets for cybercriminals. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur,” he said. “Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them.”

Knight told ReadWrite that a Proofpoint researcher had uncovered the attack after noticing volumes of spam sent from IP addresses she did not recognise. She pinged one IP and discovered a log-on screen for a smart fridge, and was able to access the system using a common default password.

The report attracted significant attention from both the technology and mainstream media. Considering the projected growth of the IoT sector, the implications are significant and could herald the emergence of more cybercrime activity such as IoT-based DDoS attacks.

But some pundits have questioned the accuracy of the report. Ars Technica's Dan Goodin has criticised it for containing little in the way of credible evidence. Goodin notes that connected devices often share home IP routers, so would share IP addresses with PCs on the same network.

Proofpoint says it was able to determine that the malicious emails were sent by IoT devices and not PCs in some cases by querying the smart devices in IP addresses that sent spam and determining that the devices were equipped with the SMPT protocol. In other cases, the smart devices were directly connected to the internet.

“What Proofpoint is reporting is plausible, but it doesn't add up,” Goodin wrote. “Experienced botnet researchers know that estimating the number of infected machines is a vexingly imprecise endeavour. No technique is perfect, but the scanning of public IP addresses is particularly problematic.”

A Georgia Tech research scientist quoted in the report agreed that there could be plenty of alternative explanations for the malicious emails coming from IP addresses used by IoT devices.

Goodin also questioned why cybercriminals would go to the trouble of compromising smart devices only to send a mere 10 malicious emails, noting that most botnet-infected PCs are manipulated to send as many messages as they are capable of.

Noted security specialist Bruce Schneier has stated that he shares Ars Technica's scepticism of the report. “[Nevertheless] it could happen, and one day it will,” he wrote on his blog, Schneier on Security. In a recent column for Wired, Schneier detailed the often dismal security mechanisms built into IoT devices, due to a combination of old chips and old, rarely updated software. “The result is hundreds of millions of devices that have been sitting on the internet, unpatched and insecure, for the last five to ten years.”

Ultimately then, whether or not a a fridge yet has been hacked to send out spam, there's no question that the security of IoT devices will become a pressing issue in the years ahead.

Image courtesy of Pelle Sten under CC