Don’t say we didn’t warn you. Bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks, Internet security firm Proofpoint said on Thursday.
It’s apparently the first recorded large-scale Internet of Things hack. Proofpoint found that the compromised gadgets—which included everything from routers and smart televisions to at least one smart refrigerator—sent more than 750,000 malicious emails to targets between December 26, 2013 and January 6, 2014.
The hack came to light over the relatively quiet holiday period when a security researcher at Proofpoint noticed a spike in thousands of malicious messages sent from a range of IP addresses she didn’t recognize, David Knight, a Proofpoint executive in charge of information security products, told me in an interview.
Curious, she began pinging the devices and soon realized that they weren’t PCs, the usual platform for launching this sort of attack. Instead, many were otherwise unidentified devices running a standard version of Linux. Pinging one device brought up a login screen that said: Welcome To Your Fridge. She typed in a default password—something like “admin” or “adminadmin,” Knight said—and suddenly had access to the heart of someone’s kitchen.
As the age of Smart Everything dawns, it’s also bringing online a host of largely unsecured smart devices like TVs, refrigerators and even toasters. Those devices are often trivial for knowledgeable hackers to compromise, opening new opportunities for malicious actions of various kinds—of which the malware attack Proofpoint identified may be among the mildest.
“Embedded operating systems deployed in firmware tend to be old, not patched very frequently, and there are known vulnerabilities to virtually all of them,” Knight said. Proofpoint’s investigation highlights how vulnerable connected devices are and how easy it is for hackers to take advantage of them.
Hacking The Home
Craig Heffner, a security researcher who teaches a class on exploiting connected devices, told ReadWrite in December that his students are usually surprised by the lack of security in connected home devices.
“If you look at the vulnerabilities being published, they’re not sophisticated,” he said. “Usually, the vendor put a back door in the product and someone took advantage.”
Worse, connected home devices, which often run on outdated software, may be difficult or even impossible to patch. Security expert Bruce Schneier detailed the wild insecurities of the Internet of Things in a recent column for Wired:
[I]t’s often impossible to patch the software or upgrade the components to the latest version. Often, the complete source code isn’t available. Yes, they’ll have the source code to Linux and any other open-source components. But many of the device drivers and other components are just “binary blobs” — no source code at all. That’s the most pernicious part of the problem: No one can possibly patch code that’s just binary.
Malware isn’t the only thing people have to worry about. Knight said hackers could use compromised smart devices to launch distributed denial of service (DDoS) attacks aimed at knocking target Websites offline, mine bitcoins, or store stolen or otherwise illicit data.
Knight suggests the first step in protecting your gadgets is to change the default passwords. Beyond that, if you don’t need your device connected to the Internet, then don’t connect it.
“Don’t plug it in if you don’t plan to use it,” he said. “If you do put it on the Internet, try and make sure you put it behind your personal router and firewall in your environment.”