As the number of Internet-connected devices such as televisions, refrigerators and other conventional household “smart” appliances is expected to grow in the next few years, security specialist Proofpoint claims to have discovered an Internet of things (IoT)-based cyber attack.
The IoT includes every device that is connected to the Internet, from home automation products including smart thermostats, security cameras, refrigerators, microwaves, home entertainment devices such as TVs, gaming consoles to smart retail shelves that know when they need replenishing and industrial machinery.
The rapid adoption of network-connected devices by consumers and businesses will make the so-called Internet of things more attractive to vulnerability finders and cyber-criminals bent on mischief.
The attack that Proofpoint observed and profiled occurred between Dec. 23, 2013, and Jan. 6, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide.
More than one-quarter of the volume was sent by things that were not conventional notebooks, desktop computers or mobile devices, but instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator.
“The Internet of things holds great promise for enabling control of all of the gadgets that we use on a daily basis. It also holds great promise for cyber-criminals who can use our homes’ routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks,” Michael Osterman, principal analyst at Osterman Research, said in a statement.
In November, Symantec posted a brief analysis of a worm, dubbed “Linux.Darlloz,” that targeted a variety of Linux distributions with evidence of variants created for chipsets that are normally found in home routers, set-top boxes and security cameras.
“Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” David Knight, general manager of Proofpoint’s information security division, said in a statement. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them.”
The number of IoT devices is growing enormously—research firm IDC predicts that more than 200 billion things will be connected to the Internet by 2020, offering cyber-criminals an easy target in devices that are not as well-protected as conventional computers.
However, IoT devices are typically not protected by the anti-spam and anti-virus infrastructures available to organizations and individual consumers, nor are they routinely monitored by dedicated IT teams or alerting software to receive patches to address new security issues as they arise.
“Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won’t work to solve the problem,” Osterman continued.