Researchers at Proofpoint have uncovered what could be the first significant attack using the ‘Internet of Things.’
According to Proofpoint, the attack leveraged 100,000 consumer gadgets ranging from televisions to home networking routers to at least one refrigerator. The attack occurred between Dec. 23, 2013, and Jan. 6, and typically involved bursts of emails three times a day. Roughly 25 percent came from devices that were not conventional laptops, desktop computers or mobile devices.
“Most gadgets don’t appear to have been infected by remote control software…in the traditional way personal computers are infected,” explained David Knight, general manager of Proofpoint’s Information Security Division. “Most seem to have simply been left open so existing software running on them can be used by attackers. Specifically, a vast number of the devices are running embedded linux servers -usually busybox, some use mini-httpd, some apache. Some are ARM devices, some are MIPS…others are based on an embedded Realtek chipset – eg. media players. We believe some are game consoles.”
The common denominator, Knight said, is that many have open telnet, open SSH and a SMTP server, meaning that an actual exploit by the attacker is not necessary.
“There’s less infection or exploit involved by the attacker than simple ‘open or default user/pass login [and] configuration’, login and set up the existing emailer to send or relay malicious email,” he said. “It’s like someone installing a webserver and email server on a laptop, hooking it up to the internet, and leaving it on with no password or a default password… someone will come along and start using that webserver and email server.”
The targets of the emails included individuals and enterprises alike. According to Proofpoint, no more than 10 emails were sent from any single IP address, which made the attack difficult to block based on location. Origin IP addresses in the malicious emails were checked for spoofing and true origin IP addresses were checked for open or default [username and password] FTP, telnet and HTTP access.
“The results spoke for themselves when the IPs responded with explicit identification, including well-known, often graphically branded… interfaces, file structures, and content such as firmware update files on FTP ports,” Knight said.
“The challenge of an open computer running a well-known linux operating system, webserver, and email server is that it can be repurposed to do many things,” he said. “We saw it sending spam and malicious email…but the attacker with access to these devices could equally well use the devices for DDOS attacks (flooding websites with traffic, so that they crash), or bitcoin mining, or as repositories for stolen intellectual property or software, or… the list goes on. It’s a free online computer with storage space. Its uses are infinite.”
John Pescatore, director of emerging trends at SANS Institute, told SecurityWeek that the security realities facing consumer smart devices are not unlike those that existed for WiFi when it first became popular and home access points were often unsecure.
“The industry got behind first WEP, then WPA, and now it is much more common to find the majority of access points secured and the out of the box instructions emphasizing security,” Pescatore said. “The same needs to happen with all those consumer items – raise the out of the box security level just enough to make it take conscious action to open up the easy attacks paths.”