An Internet-security firm has discovered what they are calling a global cyberattack launched from more than 100,000 everyday consumer gadgets such as home-networking routers, televisions and at least one “smart” refrigerator.
It’s being called possibly the first proven cyberattack to originate from connected appliances — the so-called “Internet of Things.”
Proofpoint said the attack occurred between December 23 and January 6, and featured waves of malicious e-mail targeting businesses and individuals worldwide. In a post on the Proofpoint site, the company said the scam involved more than 750,000 e-mails from more than 100,000 appliances that had been commandeered by “thingbots,” or robotic programs that can be remotely installed on digital devices.
It was not immediately clear Friday which victims were targeted and whether the scammers were successful in collecting any personal information.
“Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” said David Knight, general manager of Proofpoint’s Information Security division. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. [We] may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them.”
Recent years have seen an explosion in the number of devices fitted with Internet connectivity, from eyewear to toothbrushes to refrigerators and beyond. Earlier this week, Google paid $3.2 billion to acquire Nest, a company that makes smart home thermostats.
The International Data Corporation (IDC) predicts there will be more than 30 billion connected devices in the world by 2020.
Proofpoint’s findings suggest that just as personal computers can be unknowingly compromised and used to launch large-scale cyberattacks, so can any smart household appliance. And poorly protected “smart” devices may be easier to infect and control than PCs, laptops or tablets.
A sophisticated hack was not needed to compromise the appliances in this attack. Instead, the use of default passwords left the devices completely exposed on public networks, according to Proofpoint.
The company also noted that connected appliances typically aren’t protected by anti-spam or anti-virus software, nor are they routinely monitored for security breaches.