Proofpoint, a provider of security-as-a-service, has uncovered evidence that cyber criminals have launched an Internet of Things (IoT)-based attack – an event that IT experts have been predicting for some time now.
The attack occurred over the holidays, between Dec. 23, 2013 and Jan. 6, 2014. Bursts of 100,000 emails were sent out three times daily from a number of electronic devices.
Although many of these emails were sent out from the types of device one would expect, such as laptops and mobile devices, more than 25 per cent of the emails came from routers, connected multi-media centres, televisions, and – yes – at least one refrigerator.
In total, the company says, over 750,000 malicious emails were sent out from over 100,000 devices.
Proofpoint notes that in many cases, there was no forcible compromise of the devices; instead, a lack of proper configuration and password security left the devices completely vulnerable to takeover.
And since no more than 10 emails were sent out from any one IP address, anyone finding himself bombarded by these emails would have had his hands full trying to block them.
Proofpoint says that this is just a sign of things to come, and that the odds are not necessarily good for enterprises. IDC has predicted that by 2020, more than 200 billion things will be connected to the Internet, but these objects are not protected by the same security infrastructure afforded to traditional devices.
“Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” said David Knight, GM, information security division, Proofpoint. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”