Over the holiday season, the research team at security company Proofpoint (where I work) found what’s believed to be an Internet first: conventional household appliances, including televisions and at least one refrigerator, were sending email solicitations for fake pharmaceuticals.
Worse, email recipients who clicked on the fake links may have had their computers exposed to hostile software with the capability to steal information.
So what, exactly, had happened, how did Proofpoint figure it out, and what should appliance owners around the world do now?
So what happened?
Between December 23rd 2013 and January 6th 2014, attackers sent waves of malicious email, in bursts of 100,000 emails three times per day, targeting enterprises and individuals worldwide. The attackers used a little-documented feature of most basic email (SMTP) servers called an “open relay.” If not guarded, this feature enables any attacker to send their email through the targeted email server to the end destination, but have the email appear to originate at the server. So attacker “Bob” can send bad email to “Sally” through unwitting server owner “Jim’s” open relay—and the email to “Sally” will appear to have originated with “Jim.”
What was unusual about this attack was that the servers with the open relays were owned by people not even aware they had an email server—because the servers were a hidden, embedded part of so-called “smart appliances,” such as internet-connected televisions and home storage drives.
The result was that this set of malicious email campaigns sent more than 750,000 emails through devices, with no more than 10 emails were initiated from any single device. This made the attack difficult to block, which is what attracted Proofpoint’s attention.
How did Proofpoint figure it out?
As part of ongoing operations, Proofpoint examines large email ‘spam’ (unsolicited advertising) and ‘phish’ (malicious email) campaigns. Data is gathered from points worldwide, including customer submission and Proofpoint’s own networks of endpoints.
In short, they said, “Hi! I’m a fridge!”
When this campaign hit, Proofpoint’s systems alerted researchers that an unusually large number of not-previously-seen internet-connected servers appeared to be sending bad email—and many of these servers weren’t identifying themselves as computers.
When the research team remotely queried these servers, the servers responded with explicit identification, including well-known, often graphically branded interfaces, file structures, and content.
In short, they said, “Hi! I’m a fridge!”
In many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use. The research team quickly realized they had a significant potential problem on their hands.
“Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur.” said David Knight, General Manager of Proofpoint’s Information Security division. “Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”
Research firm IDC predicts that more than 200 billion smart “things” will be connected to the Internet by 2020. But these Internet of Things (IoT) devices are typically not protected by the anti-spam and anti-virus infrastructures available to organizations and individual consumers, nor are they routinely monitored by dedicated IT teams or alerting software to receive patches to address new security issues as they arise.
The result is that companies can’t expect IoT-based attacks to be resolved at the source; instead, preparations must be made for the inevitable increase in highly distributed attacks, phish in employee inboxes, and clicks on malicious links—and consumers are still largely on their own.
What should consumers do?
As individual “smart device” owners, all is not lost. There are some basic steps everyone can take to protect themselves and their smart appliances from such attacks.
1. Be sure your device is running the latest firmware. Many devices like Televisions have an option to “update firmware” buried deep in their setup screens.
2. Be sure to change default username and passwords. Most devices ship with a standard preset username/password pair, which should be reset to a unique key. Proofpoint’s team was horrified at how many devices had the default username/password pair still in place—or no password at all.
3. Be sure your home router is configured to by default to not have all ports open. Ask your local technology expert if necessary, but Proofpoint says your device should be run in NAT (network address translation) mode, with firewall on, and no ports opened that aren’t explicitly configured.
That all said, we’re clearly entering a brave new world—so if in doubt, you can always simply pull the (ethernet) plug.