It has been claimed that far from keeping tins of spam cool, a Wi-Fi connected smart-fridge had been taken over by hackers who used it to send spam emails instead. According to the security vendor, Proofpoint between December 23 last year and January 6, more than 100,000 internet-connected devices, including media players, televisions and at least one refrigerator, were part of a network of computers used to send 750,000 spam emails.
Hackers have been using virus infected desktop computers for years to send spam emails on their behalf, but this is thought to be the first large-scale deployment of M2M devices to achieve the same effect.
Virus infected computers are usually fairly easy to treat with off-the-shelf anti-virus software and a bit of user education about not visiting weird websites. However, M2M modules are rarely monitored by their users, and tend to appear as isolated sealed boxes, even though they are using the domestic Wi-Fi network to connect to remote servers.
Proofpoint says that its findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into “thingbots” to carry out the same type of malicious activity.
No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.
“Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won’t work to solve the problem,” explained Michael Osterman, principal analyst at Osterman Research.
As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets.