The first evidence of an internet-of-things cyber attack launched through household appliances connected to the internet – including a fridge – has been discovered, Software-as-a-Service provider Proofpoint has claimed.
The global attack took place between 23 December 2013 and 6 January 2014 using botnets to send more than 750,000 malicious phishing and spam emails from domestic appliances as part of a wider campaign. The development raises security concerns surrounding the internet of things.
While the majority of the malicious communications were sent from botnets – networks of infected computers – at least a quarter of the 300,000 emails sent per day originated from devices that were not conventional laptops, desktop computers, smartphones or laptops.
Instead, the cyber attacks were launched using consumer gadgets connected to the internet of things, including media centres, televisions and at least one fridge. In many cases, the infected devices had been left vulnerable to hacking thanks to misconfiguration of passwords or in some cases, simply using the default password of the device.
Many of the attacks targeted enterprises as hackers attempted to make off with information which could be used to commit further cyber crime.
Michael Osterman, principal analyst at Osterman Research, said this event marks a whole new cyber security which organisations must consider.
"The internet-of-things holds great promise for enabling control of all the gadgets that we use on a daily basis," he said.
"It also holds great promise for cyber criminals who can use our homes' routers, televisions, refrigerators and other internet-connected devices to launch large and distributed attacks."
Osterman added that current views on security need to be updated in order to deal with the new threat of "thingbots".
"Internet-enabled devices represent an enormous threat because they are easy to penetrate; consumers have little incentive to make them more secure; the rapidly growing number of devices can send malicious content almost undetected; few vendors are taking steps to protect against this threat; and the existing security model simply won't work to solve the problem," he said.
David Knight, general manager of Proofpoint's Information Security division, added that the vulnerability of consumer devices to cyber threats needs to be addressed.
"Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," he said.
"Many of these devices are poorly protected at best, and consumers have virtually no way to detect or fix infections when they do occur.
"Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them," Knight concluded.
Proofpoint took part in a recent Computing web seminar that examined the IT security risk management gap and how to deliver confidence in cyber security. The web seminar is available to view online here.
By eliminating high entry costs for big data analysis, you can convert more raw data into valuable business insight.
A discussion of the "risk perception gap", its implications and how it can be closed