Refrigerators might hold spam to keep it cold in the meat bin. But in the Internet of Things world, can fridges connected to the Web blast malicious email as part of a botnet? And how about TVs or other smart devices? In the stranger side of the Internet of Things, Proofpoint said it uncovered a cyberattack in which compromised refrigerators and TVs sent out malicious email. But Symantec says it saw no evidence of such an attack.
The phrase “Internet of Things” describes how a variety of household or industrial devices can be connected to the Internet for remote management. Proofpoint “has uncovered what may be the first proven Internet of Things-based cyberattack involving conventional household ‘smart’ appliances,” the security firm said. It was described as “a global attack campaign involving more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that has been compromised and used as a platform to launch attacks.”
But another security firm, Symantec, is debunking the claim, saying it sees no evidence of such an attack.
“We monitor traffic very extensively on the Internet and we believe we’d see that happening,” says Liam O’Murchu, manager of security response operations at Symantec. “We’d never seen that happening before.” Symantec thinks Proofpoint may have erred in some of its analysis.
A modern refrigerator could have an IP address that might support a function such as testing temperature, but it would send out spam, O’Murchu says. Symantec believes that what Proofpoint likely observed was home-based routers doing network-address translation (NAT) and port forwarding in a configuration where it was actually the compromised home computer generating the spam.
But Proofpoint says it’s sticking with its analysis that “cybercriminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into ‘thingbots’ to carry out the same type of malicious activity.”
However, when asked to name the models of the TVs and refrigerators thought to be sending out spam, Proofpoint responded it’s “not revealing the brand names of the compromised IoT devices.”
Kevin Epstein, Proofpoint’s vice president of information security, says he can’t comment on what Symantec might or might not be seeing, but “we can confirm that we observed IoT devices sending spam.”
Proofpoint is “well-aware of the port-forwarding behavior of these devices that Symantec and others have mentioned,” Epstein commented. “We then checked interface stats and uncovered evidence that the email messages had been proxied via the WAN interface, and didn’t originate from the internal NATted segment.”
Epstein concluded: “In short, we verified that these devices were configured to act as email proxies, and we collected evidence that indicated active email proxying was occurring.” Proofpoint says it’s “confident about what it observed.”
Symantec remains skeptical that refrigerators and TVs have become part of some cyber-criminal botnet empire. But it adds that this doesn’t mean it thinks there are no security issues associated with the IoT.
Symantec notes that it has discovered worms that infect Linux-based IoT devices such as routers, cameras and entertainment systems. One of them, called Linux.Darlloz, is “interesting because it’s involved in a worm war with another threat known as Linux.Aidra. Darlloz checks if a device is infected with Aidra and if found, removes it from the device.”
Symantec adds, “This is the first time we’ve seen worm writers fight an IoT turf war and is reminiscent of the 2004 worm wars. Considering these devices have limited processing and memory, we’d expect to see similar turf battles in the future. While malware for IoT things is still in its infancy, IoT devices are subject to a wide range of security concerns. So don’t be surprised if in the near future, your refrigerator actually does start sending spam.”
This story, "Could your TV really spam you?" was originally published by Network World.