Rise of the Machines: A Botnet that can Dispense Ice?

It’s finally happened.

And if people around the office think your name is ‘that creepy guy from IT,’ or if you’ve gotten numerous strange looks while trying to explain to people that the mythos behind Terminator is not only plausible, but it is, in fact, inevitable, then this story is for you. And it’s far too cool for school. Literally.

You see, it’s common knowledge that the growing glut of connected devices is as much of a threat as it is a boon, but while bring your own device (BYOD) has represented a new headache for many IT admins, most of us tend to forget that tablets and smartphones are only part of the equation. The modern home is becoming a self-actualized network of security cameras, thermostats, light switches, set-top boxes, TVs and refrigerators, and they all have an IP address and a connection to the World Wide Web. And while we spend a great deal of time ensuring that our PCs and mobile devices are secure, we are at a real disadvantage with these net appliances: we usually cannot patch them, cannot change the services they run, and often do not even know which ports they have left open.

All that cool stuff that came out of the Terminator movies sounds a wee bit more eerie this week, thanks to a report from security firm Proofpoint that sheds a whole new light on what the future might have in store for us. And no, I’m not suggesting that Cyberdyne Systems will bring Skynet online, effecting a massive revolt of self-aware systems and the ultimate near-demise of humanity. Skynet already went online on August 4, 1997 and it hasn’t happened, so duh. But a spam campaign that ran over the 2013 holidays and into January 2014 should have people worried about a gaping security hole that appears to have graduated from speculation to reality.

Proofpoint has identified that attack as coming in part from the Internet of Things (IoT), an interesting phrase that will undoubtedly grow legs in the coming years. “In January 2014, Proofpoint researchers discovered proof of a much-theorized but never before seen Internet of Things (IoT) cyber-attack. Proofpoint has observed what we believe to be an industry first of devices, including some home appliances (TVs, a refrigerator), sending malicious email spam.”

The researchers at Proofpoint were analyzing email threats when they observed the attack, consisting of more than 750,000 malicious emails. And what made it particularly weird was that more than 25 percent of that spam volume did not come from your daddy’s laptop, and it didn’t come from the iPhone sitting on your desk. It came from things, and Proofpoint is calling the result a ‘Thingbot-net.’ Between December 23rd, 2013 and January 6th, 2014, Proofpoint discovered, the spam went out in three bursts a day, with each burst delivering approximately 100,000 messages, and of the more than 450,000 unique sending IP addresses, Proofpoint notes, more than 100,000 belonged to Thingbots.

Do you want ice with that?

Proofpoint dug into the data and found that “while the majority of mail was initiated by ‘expected’ IoT devices such as compromised home-networking devices (routers, NAS), there was a significant percentage of attack mail coming from other non-traditional sources, such as connected multi-media centers, televisions and at least one refrigerator.” In addition, the firm found:

  • A vast number of the devices are running embedded Linux servers (usually BusyBox)
  • Some use mini-httpd, some Apache
  • Some are ARM devices, some are MIPS (or something very similar), others are based on an embedded Realtek chipset (for example, media players)
  • Some are believed to be game consoles
  • Some are NAS devices (one specific brand has open Telnet, open SSH and an SMTP server – all unsecurable)
  • Some set-top boxes were also seen as exploited

Now if this doesn’t have you searching for your Terminator Blu-ray collection (maybe you can write it off as business research), we don’t know what will. “This proof of a systematic compromise of IoT devices and its subsequent use of those Thingbots to further attack other networks is something we’ve never seen before.” And the discovery certainly has some chilling implications. “This suggests an unfortunate future for both home users and enterprises, the latter of whom now faces an even larger volume of malicious attack capacity.”

In many ways, this was inevitable. Who among us, especially the tech savvy, doesn’t have a growing network of connected devices at home? And how exactly can we lock them down? We can block a device’s MAC or IP address at the gateway, but that’s not always practical: a device cut off from the Internet loses the features you bought it for. The more useful control is narrower than blocking the device outright: let it reach its vendor’s cloud and update servers, but filter what else it may talk to, and in particular deny it the outbound mail ports that a spam-sending Thingbot depends on.

At the very least, you may want to cripple your refrigerator’s SMTP.
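Two practical steps follow from the report: find out which of your own devices expose the kind of services Proofpoint saw left open (Telnet, SSH, an SMTP server), and stop the whole IoT subnet from talking SMTP to the outside world without taking the devices offline. The following script is an added example written for this post, not Proofpoint’s code; the subnet 192.168.1.0/24, the mail-relay address 192.168.1.2, the port lists and the nftables table name are assumptions chosen for illustration.

```python
"""Audit a home LAN for devices exposing Telnet/SSH/SMTP and generate a
gateway rule that stops them from sending spam directly.

Added example for this post; not Proofpoint's code.  The subnet
192.168.1.0/24, the relay 192.168.1.2 and the port lists are assumptions."""

import socket
from concurrent.futures import ThreadPoolExecutor

# Services the report found left open on one NAS brand, plus SMTP, which
# is what a spam-sending thingbot needs to reach the outside world.
RISKY_SERVICES = {22: "ssh", 23: "telnet", 25: "smtp"}

# Ports a host uses to speak to a mail server directly.  A fridge or a
# set-top box has no business using any of them except via a known relay.
SMTP_PORTS = (25, 465, 587)


def probe(host, port, timeout=0.5):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_host(host, services=RISKY_SERVICES, timeout=0.5):
    """Return the names of risky services reachable on one host."""
    return [name for port, name in sorted(services.items())
            if probe(host, port, timeout)]


def audit_lan(hosts, services=RISKY_SERVICES, timeout=0.5, workers=32):
    """Probe many hosts in parallel; return {host: [services]} for the
    hosts that expose at least one risky service."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = pool.map(lambda h: (h, audit_host(h, services, timeout)), hosts)
    return {host: names for host, names in found if names}


def egress_rules(iot_cidr, mail_relay=None):
    """Return an nftables ruleset (load with: nft -f FILE) that drops
    direct outbound SMTP from the IoT subnet, so a compromised appliance
    cannot deliver spam to victims' MX hosts, while still allowing mail
    submission through one trusted relay if mail_relay is given.  The
    accept rule is emitted before the drop rule because nftables
    evaluates rules in order and stops at the first verdict."""
    lines = [
        "table inet iot_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    if mail_relay:
        lines.append(f"    ip saddr {iot_cidr} ip daddr {mail_relay} "
                     "tcp dport 587 accept")
    ports = ", ".join(str(p) for p in SMTP_PORTS)
    lines.append(f"    ip saddr {iot_cidr} tcp dport {{ {ports} }} "
                 'counter log prefix "iot-smtp-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def listen_local():
    """Open a throwaway listener on 127.0.0.1 so the probe can be
    exercised without touching a real network; returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    lan = [f"192.168.1.{i}" for i in range(1, 255)]  # assumed home subnet
    for host, names in audit_lan(lan).items():
        print(f"{host}: exposes {', '.join(names)}")
    print(egress_rules("192.168.1.0/24", mail_relay="192.168.1.2"))
```

Run the audit from a machine on the same LAN; anything answering on Telnet or SMTP deserves a hard look at its admin interface, and anything that cannot be fixed belongs behind the egress rule. The rule goes on the gateway’s forward path, so the appliance keeps its cloud features and can still send mail through the relay you chose, but a direct connection from it to port 25 on a stranger’s mail server is logged and dropped.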
