What’s in that Refrigerator—Fish or Phish?

By Linda Musthaler | January 24, 2014

Posted in: Network Security Trends

Well, here’s a switch. Usually televisions are bringing crap into our households. Now experts have learned that some smart TVs have been sending crap (in the form of spam) out of their owners’ houses.

A recent press release from Proofpoint, Inc. details how the security service provider uncovered an Internet of Things (IoT) based cyberattack that utilized household “smart” appliances. According to Proofpoint, “The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.”

As if IT security professionals didn’t have enough to worry about, now they have to be concerned about refrigerators launching phishing emails instead of storing meals made with fish. (Sorry, I couldn’t resist the pun.)

Nevertheless, the lack of security for the IoT is about to have some serious implications for the enterprise. Proofpoint calls these poorly protected connected devices a target-rich environment because they are easier to infect and control than PCs, smart phones and tablets. Cyber criminals have learned how to infiltrate these home devices to create dangerous “thingbots” that can be used to send spam and launch attacks. Many of these devices run a form of Linux and there are attack tools readily available for that OS.

Device takeover is enabled by misconfigurations and the use of default passwords that leave the devices exposed on public networks. What’s most concerning is that consumers who own these devices typically have no way to detect that they’ve been compromised and no way to remediate a device that has been infected. The situation is only bound to get worse as more and more devices join the IoT. IDC predicts that more than 200 billion things will be connected to the Internet by 2020.

In an earlier post, “Thinking About How to Secure the Internet of Things (IoT),” I talked to John Pescatore of the SANS Institute about securing the IoT. Pescatore led an IoT security summit back in October to get industry experts talking about the best ways to secure these various devices. One thing we don’t want is disparate or competing protocols and technologies for securing “things.” But it’s also clear that we can’t use the same technologies that we use to protect PCs today to protect our things. (Does anyone even make anti-virus software for refrigerators?)

I know that Cisco wants to blanket the world with network-connected things. Let’s figure out how to secure these things before 200 billion of them turn on us.

