I spent most of last week at a conference in Florida going deep on the security of critical infrastructure – you know: the software that runs power plants and manufacturing lines. (More to come on that!) While there, the security firm Proofpoint released a statement saying that it had evidence that a spam botnet was using “Internet of Things” devices.
The company said on January 16 that a spam campaign totaling 750,000 malicious emails originated with a botnet made up of “more than 100,000 everyday consumer gadgets” including home networking routers, multi media centers, televisions and at least one refrigerator.” Proofpoint claims it is the “first time the industry has reported actual proof of such a cyber attack involving common appliances.”
Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.
Heady stuff – but is it true? It’s hard to know for sure. As with all these reports, it’s important to recognize that this news came by way of a press release and that these stories are a form of marketing for the firms involved. In Proofpoint’s case, warnings about a massive IoT botnet are an argument for its cloud based threat protection services, which include anti malware and anti spam.
What is almost certainly true is that more non-PC devices are being enlisted in botnets that send spam, participate in denial of service attacks and so on. But this isn’t really news. As far back as 2008, security researchers were warning that hardware like home broadband routers were washing up in massive, global botnet. This 2009 article from DarkReading chronicles psyb0t (no relation to the Korean pop star), which was believed to be the first to specifically target home networking devices.
Other researchers have shown how a halfway knowledgeable hacker could build their own home router botnet, simply by scanning for vulnerable devices made by leading vendors, then exploiting loose controls on device firmware to install bot software. This article describing a presentation on the Router Post-Exploitatation Framework (available here) at the 2012 DEFCON hacker conference is a good example.
But what about televisions and refrigerators? It is certainly plausible that such devices could have been enlisted in a botnet, especially if there were connected directly to the Internet and used a default configuration that lacked authentication controls or used a (documented) default password. As this blog wrote back in June, PCs are already yesterday’s news in the hacking world. The recent Black Hat and DEFCON conferences made much of non-traditional endpoints, including cars, televisions, personal fitness devices and home surveillance cameras.
Under the hood, many of those devices these days run general purpose operating systems like Linux. That means that attacks and tools for those platforms are readily available and that would-be hackers or botmasters don’t need to master the specifics of some arcane, embedded device operating system. Even worse: many of the devices lack auto-update features, while users are unaccustomed to thinking of them as something that might need to be patched. Speaking of Samsung’s SmartTV at Black Hat in August, one researcher described it as “like a Web app riddled with vulnerabilities.”
Finally, Symantec has reported on a malicious program, Darlloz, that it found spreading between traditional Linux-based PCs, but with nascent feature that would make it capable of attacking a “range of small, Internet-enabled devices in addition to traditional computers.” Specifically, Symantec’s team found variants of Darlloz for chip architectures common in devices ranging from home routers and set-top boxes to security cameras.
So, back to that refrigerator botnet. Did it happen? There’s reason to doubt. As Dan Goodin points out over at Arstechnica, many of the smart devices Proofpoint is calling out as part of this global botnet may simply be part of a home network that comprises both traditional PCs and connected devices. The vagaries of home networking make it difficult to finger a specific device as the source of a spam email. Few – if any – would be connected directly to the Internet, and home routers use Network Address Translation (NAT) to obscure the actual IP address of devices connected to it. They doesn’t mean that smart devices were not part of the botnet – just that its easily possible that what looked like a compromised refrigerator was actually a Windows XP laptop on the same network.
It is also worth wondering whether there is much advantage (yet) in targeting smart devices as opposed to run-of-the-mill Windows boxes that still make up the majority of endpoints on earth.
There’s no doubt that Proofpoint is right in warning that “things” will make up an increasing share of the population of compromised devices in the years to come – but worrying about refrigerator botnets is almost certainly premature.