Here's the press release on the situation:

Security researchers at Proofpoint have uncovered the very first wide-scale hack that involved television sets and at least one refrigerator. Yes, a fridge.
This is being hailed as the first home appliance "botnet" and the first cyberattack from the Internet of Things.
Proofpoint, Inc., (NASDAQ: PFPT), a leading security-as-a-service provider, has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.

Color me skeptical. Certainly this is theoretically possible, and I've posted before on the security dangers of "the Internet of Things". Without doubt these smart devices are a sucking chest wound of security fail, and are indeed a target-rich environment.
The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.
So why am I skeptical? It starts off with security-by-press-release, which I've seen more than once before in my career. Most of these are all sizzle, no steak, the product of media attention whoring that is sadly evergreen in my business.
But maybe Proofpoint is above board (although I've never heard of them before; strike two). There is a dismaying lack of technical information from them - a lack of proof points, if you will. Solid security researchers provide lots of proof, and with malware incidents this proof usually includes code recovered from infected systems and IRC logs from the command and control channel. It doesn't seem that there's any of this available.
But the biggest reason why I'm unconvinced is because of the way that most people set up their home networks. You call your Cable company and they ship you a home router. You plug it into the cable (or the nice Installer does it for you), and presto - instant Internet.
What's important is that things are set up by the Cable company, and you have only one IP address. That address is shared by all of the devices in the house. Here at Camp Borepatch, we have a lot of devices (maybe 20) all using the same address. That's all handled by Network Address Translation (NAT) done in the cable box.
That works great when everything connects out to the Internet; it's lousy when things on the 'Net want to connect in, and you have to jump through some decently complicated technical hoops to make that happen. The punchline: almost nobody does.
So what I'm not at all sure about is this: how does the Evil Bad Guy reach a refrigerator (one using WiFi to the cable router, which does a NAT translation when the fridge connects to the 'Net) in order to infect it? Assume that the fridge is a sucking chest wound of security fail. That fail is all hidden behind the NAT translation, which is effectively a diode (a one way gate) - things go out but nothing comes in.
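To make the diode argument concrete, here is a small model of a cable-box NAT, written for this post and not taken from Proofpoint or any router vendor. All addresses are constructed from documentation ranges; the router keeps a mapping table for flows the LAN opened and an optional port-forward table standing in for the "hoops" a homeowner would have to jump through. Outbound from the fridge works and its reply gets back; an unsolicited connection from outside is dropped unless the owner deliberately forwarded the port (the model does not cover a device that is itself the public-facing router, or one whose router was misconfigured, which is what the press release actually blames).

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed addresses (documentation ranges), not from any real network.
PUBLIC_IP = "203.0.113.7"           # the one address the cable company hands out
FRIDGE = ("192.168.1.42", 5555)     # the "smart" fridge on the private LAN
MAIL_SERVER = ("198.51.100.25", 25)
ATTACKER = ("192.0.2.99", 12345)

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

@dataclass
class NatRouter:
    """Cable-box NAT model: outbound flows create mappings; inbound traffic is
    translated only if it matches a mapping or an explicit port-forward rule."""
    public_ip: str
    table: dict = field(default_factory=dict)     # pub_port -> (lan_ep, remote_ep)
    forwards: dict = field(default_factory=dict)  # pub_port -> lan_ep (the "hoops")
    next_port: count = field(default_factory=lambda: count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        pub_port = next(self.next_port)                # LAN -> Internet: remember the flow
        self.table[pub_port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, pub_port), pkt.dst)

    def inbound(self, pkt: Packet):
        port = pkt.dst[1]
        if port in self.table:
            lan_ep, remote_ep = self.table[port]
            if pkt.src == remote_ep:                   # reply to a flow the LAN opened
                return Packet(pkt.src, lan_ep)
            return None                                # someone else poking a mapped port
        if port in self.forwards:
            return Packet(pkt.src, self.forwards[port])  # owner punched a hole on purpose
        return None                                    # unsolicited: the diode blocks it

def fridge_sends_mail(router: NatRouter):
    """Outbound works: the fridge reaches the mail server and gets its reply back."""
    out = router.outbound(Packet(FRIDGE, MAIL_SERVER))
    reply = router.inbound(Packet(MAIL_SERVER, out.src))
    return out, reply

def probe(router: NatRouter, port: int):
    """An unsolicited connection from the Internet to the house's public IP."""
    return router.inbound(Packet(ATTACKER, (PUBLIC_IP, port)))
```

Probing the fridge's own port, or even the public port the fridge's outbound flow is using, returns None; only after `router.forwards[5555] = FRIDGE` does the probe get translated through.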
And by "hidden", I mean hidden. You can test this for yourself right now, by running a security scan to see what's seeable from the Internet. Gibson Research (which has been around for a long time) has a free port scanner called Shields Up that will tell you if the Evil Bad Guys can see anything in your house. You should see something like this, which is Camp Borepatch's electronic secure perimeter:
And so, how do you get malware down to that refrigerator? Like they say up in Maine, you can't get theah from heah.
This isn't discussed in Proofpoint's presser. And so I simply don't put much credence in it. Did they see malware-generated emails? I have no doubt about that. Do I think that they know enough to tell whether it came from a refrigerator or a plain old infected PC? I reserve judgement on that, waiting for more (and more compelling) information. Bottom line, this smells of too much hype: all sizzle, no steak.
Your mileage may vary, void where prohibited, do not remove tag under penalty of law.
P.S. I'm not the only one who is skeptical.