Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Cyber Attack Leverages Internet of Things

Researchers at Proofpoint have uncovered what could be the first significant attack using the ‘Internet of Things.’

Researchers at Proofpoint have uncovered what could be the first significant attack using the ‘Internet of Things.’

According to Proofpoint, the attack leveraged 100,000 consumer gadgets ranging from televisions to home networking routers to at least one refrigerator. The attack occurred between Dec. 23, 2013, and Jan. 6, and typically involved bursts of emails three times a day. Roughly 25 percent came from devices that were not conventional laptops, desktop computers or mobile devices.

“Most gadgets don’t appear to have been infected by remote control software…in the traditional way personal computers are infected,” explained David Knight, general manager of Proofpoint’s Information Security Division. “Most seem to have simply been left open so existing software running on them can be used by attackers. Specifically, a vast number of the devices are running embedded linux servers -usually busybox, some use mini-httpd, some apache. Some are ARM devices, some are MIPS…others are based on an embedded Realtek chipset – eg. media players. We believe some are game consoles.”

The common denominator, Knight said, is that many have open telnet, open SSH and a SMTP server, meaning that an actual exploit by the attacker is not necessary.

“There’s less infection or exploit involved by the attacker than simple ‘open or default user/pass login [and] configuration’, login and set up the existing emailer to send or relay malicious email,” he said. “It’s like someone installing a webserver and email server on a laptop, hooking it up to the internet, and leaving it on with no password or a default password… someone will come along and start using that webserver and email server.”

The targets of the emails included individuals and enterprises alike. According to Proofpoint, no more than 10 emails were sent from any single IP address, which made the attack difficult to block based on location. Origin IP addresses in the malicious emails were checked for spoofing and true origin IP addresses were checked for open or default [username and password] FTP, telnet and HTTP access.

“The results spoke for themselves when the IPs responded with explicit identification, including well-known, often graphically branded… interfaces, file structures, and content such as firmware update files on FTP ports,” Knight said.

“The challenge of an open computer running a well-known linux operating system, webserver, and email server is that it can be repurposed to do many things,” he said. “We saw it sending spam and malicious email…but the attacker with access to these devices could equally well use the devices for DDOS attacks (flooding websites with traffic, so that they crash), or bitcoin mining, or as repositories for stolen intellectual property or software, or… the list goes on.  It’s a free online computer with storage space. Its uses are infinite.”

John Pescatore, director of emerging trends at SANS Institute, told SecurityWeek that the security realities facing consumer smart devices are not unlike those that existed for WiFi when it first became popular and home access points were often unsecure.

“The industry got behind first WEP, then WPA, and now it is much more common to find the majority of access points secured and the out of the box instructions emphasizing security,” Pescatore said. “The same needs to happen with all those consumer items – raise the out of the box security level just enough to make it take conscious action to open up the easy attacks paths.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.