Cyberattack traced to hacked refrigerator, researchers report

Jan 17, 2014
An LG representative shows a smartphone with Home Chat in front of an LG smart refrigerator at the 2014 International CES, January 10, 2014 in Las Vegas, Nevada.

Call it the attack of the zombie refrigerators. Computer security researchers said this week they discovered a large "botnet" which infected Internet-connected home appliances and then delivered more than 750,000 malicious emails.

The California security firm Proofpoint, Inc., which announced its findings, said this may be the first proven "Internet of Things" based cyberattack involving "smart" .

Proofpoint said hackers managed to penetrate home-networking routers, connected multi-media centers, televisions and at least one refrigerator to create a botnet—or platform to deliver malicious spam or phishing emails from a device, usually without the owner's knowledge.

Security experts previously spoke of such attacks as theoretical.

But Proofpoint said the case "has significant security implications for device owners and enterprise targets" because of massive growth expected in the use of smart and connected devices, from clothing to appliances.

"Proofpoint's findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into 'thingbots,'" to carry out the same kinds of attacks normally associated with personal computers.

The that these appliances may become attractive targets for hackers because they often have less security than PCs or tablets.

Proofpoint said it documented the incidents between December 23 and January 6, which featured "waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide."

More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single device, making the attack difficult to block based on location.
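
The sending pattern described above can be illustrated with a short added example (not code from Proofpoint or from the original article): a per-source volume limit misses devices that each send 10 or fewer messages, while grouping messages by a content fingerprint and counting distinct sources exposes the campaign. The log records, source names, fingerprint values and the 50-source threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
import random

PER_SOURCE_LIMIT = 10      # article: no single device initiated more than 10 emails
CAMPAIGN_MIN_SOURCES = 50  # assumed threshold; tune against real traffic

def build_sample_log(seed=1):
    """Constructed sample log: one (source, fingerprint) tuple per message.

    'fingerprint' stands for a hypothetical normalised hash of the message
    body or embedded URL, computed by the receiving mail gateway.
    """
    rng = random.Random(seed)
    log = []
    for i in range(300):  # 300 compromised devices pushing the same lure
        log += [(f"thing-{i:03d}", "lure-A")] * rng.randint(1, PER_SOURCE_LIMIT)
    log += [("mx-newsletter", "newsletter-42")] * 40  # legitimate bulk sender
    for i in range(20):   # ordinary hosts sending unrelated messages
        log += [(f"host-{i:02d}", f"msg-{i}-{n}") for n in range(5)]
    rng.shuffle(log)
    return log

def flag_by_source(log, limit=PER_SOURCE_LIMIT):
    """Classic per-source rate check: sources exceeding the limit."""
    counts = Counter(src for src, _ in log)
    return {src for src, n in counts.items() if n > limit}

def flag_campaigns(log, min_sources=CAMPAIGN_MIN_SOURCES):
    """Campaign view: fingerprints seen from many distinct sources."""
    sources = defaultdict(set)
    for src, fingerprint in log:
        sources[fingerprint].add(src)
    return {fp: len(s) for fp, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    log = build_sample_log()
    print("flagged by per-source limit:", flag_by_source(log))
    print("flagged as campaigns:", flag_campaigns(log))
```

On this constructed data the per-source check flags only the legitimate newsletter host, while the fingerprint view reports the single lure arriving from 300 distinct devices.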

"Botnets are already a major concern and the emergence of thingbots may make the situation much worse," said David Knight at Proofpoint.

"Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."

User comments : 14

Eikka
5 / 5 (1) Jan 17, 2014
One thing that pops to mind is the people who evangelize for Linux by saying that most people already use it, because it's in televisions and routers and all sorts of embedded devices.

Well, how good is it now when my fridge is infected with malware?

Oh the irony.

My iron is also infected with malware.
pelo88
not rated yet Jan 17, 2014
It's nothing to do with Linux and everything to do with the dumbing down of the router interfaces with default passwords. Newer ones are better but the real fix is a better router operating system. DD-WRT or devices sold by AeroHive or Cisco Meraki which sport cloud management with threats constantly monitored and fixed while under subscription and they come with 3 years. Both companies have been giving them away in fact.
antonima
5 / 5 (8) Jan 18, 2014
Give me one good reason why you would need an internet enabled refrigerator. I think this scenario lends much to the old adage: if it ain't broke, don't fix it.
Doug_Huffman
not rated yet Jan 18, 2014
The Future of the Internet - And How to Stop It, Jonathan Zittrain
http://blogs.law....rnet.pdf

Yep, don't fix what ain't broke. That just leads to progressive economic stimulation by regulation, like for instance Smart-Meters, highway taxes on mileage, ...
Eikka
5 / 5 (1) Jan 18, 2014
Give me one good reason why you would need an internet enabled refrigerator. I think this scenario lends much to the old adage: if it ain't broke, don't fix it.


So you can write down your shopping list and access it later with your cellphone.

Although you could just write the shopping list down into your cellphone in the first place.
BSD
5 / 5 (2) Jan 18, 2014
My fridge has worked well for the past 20 years without being connected to the Internet, I dare say will work the same for at least the next 5 years too.
Eikka
5 / 5 (1) Jan 18, 2014
It's nothing to do with Linux and everything to do with the dumbing down of the router interfaces with default passwords.


Not only that, but because manufacturers, like the "unwashed public" don't understand Linux and what it is. The evangelists for some odd reason just want people to use it and will use any dishonesty to "sell" it to you, and what they leave out is that your standard Ubuntu installation or equivalent is not secure because nobody has actually tested all the parts that go into it and the user has absolutely no idea what they're doing with it, and gaining that knowledge from public sources is frankly a plain crapshoot.

It's like buying a house with a security system made by 12 different contractors who have never seen each other in person, and then not bothering to turn it on because nobody told you you need to, and the last guy who was in there didn't bother to mention that the basement window latch is broken - but you can apply a patch for it if you know how.
Eikka
5 / 5 (1) Jan 18, 2014
If you follow sites that report on people's exploits on devices, you'd notice that many many manufacturers use Linux as a sort of swiss army knife: "when in doubt, use linux - it's free and you know they say it's safe!"

So you got things like wifi enabled SD memory cards that have a tiny embedded computer that runs linux to operate the wlan connection to your computer, and the security measures they employ are on par to selecting "hidden" in the file attributes dialog of your file browser to hide the system, because none of the people in the company know what they're doing, since really understanding Linux is a bit... shall we say, arcane. It is not a drop-in solution to their problems.

Well, the end result is that anyone can easily replace the system files on the card and turn the memory card into a wifi-enabled spying tool. See: http://haxit.blog...rds.html
alfie_null
5 / 5 (2) Jan 19, 2014
It's like buying a house with a security system made by 12 different contractors who have never seen each other in person . . .

As analogies go . . .

My Microsoft inspired home security system would be built by a single entity. Sometimes the doors won't unlock and I'm stuck outside. Or the alarm goes off and won't shut up. Exactly what has broken is a mystery as nobody outside Microsoft understands (or is allowed to understand) how the system was built. Sometimes, Microsoft's solution is to destroy the house and rebuild it.
alfie_null
not rated yet Jan 19, 2014
If you follow sites that report on people's exploits on devices, you'd notice that many many manufacturers use Linux as a sort of swiss army knife: "when in doubt, use linux - it's free and you know they say it's safe!"

I get that you don't approve of Linux. Is there an alternative you prefer? And why do you think your choice is superior?

Is Linux the problem, or is it bad coding practices and sloppy configuration when developing and deploying the application? The people who make embedded gadgets are going to use something, Linux or not.
Msafwan
not rated yet Jan 19, 2014
There are Linux or Windows CE or Android that people can use but this article did not say which one was hacked.
ViperSRT3g
1 / 5 (1) Jan 20, 2014
I get that you don't approve of Linux. Is there an alternative you prefer? And why do you think your choice is superior?


He's just stating that the companies who made these "smart" appliances just default with Linux thinking it's the best solution to their problem. Even if they don't have a thorough understanding of the entire operating system.
edward_ponderer
5 / 5 (1) Jan 20, 2014
Per Godel's Theorem, in any system of rules based on certain axioms--assumed or empirical, there are always actions whose legality cannot be proven or disproven in the system. That is, there is always something that you can get away with--which blows the fail-safe of the system. Adding this new found axiom to the fail-safe, yet another loophole is guaranteed to be there. According to Einstein and Oppenheimer who served as Godel's witnesses at his citizenship hearing, the morning thereof they found him very distressed as he found such in the US Constitution usable to transform the US into a de facto authoritarian regime without any de jure change.

Unchecked, the cleverest opportunist ego is always guaranteed a successful path to exploitation in any classical system whatever the fail-safes. Like the intrinsic security of quantum systems, only when we are unified in mutual responsibility will we be safe from the hacker (and a whole lot worse...) Human relationship is everything.
ODesign
not rated yet Jan 20, 2014
The lesson learned from StuxNet attack was that only state actors have the resources necessary to engineer an embedded device exploit such as a refrigerator (or centrifuge). Most likely this is NSA Activity since they are the only group with demonstrated ability to engineer a virus of this complexity. NSA outsources exploit and penetration research to freelancers (aka hackers) and there's evidence of leakback where the technology ends up in the hands of non-NSA sponsored and monitored hackers. This is most likely the case. NSA will take care of the hacker of this exploit internally and silently since the national defense interests take precedence in this situation. The more serious concern here is that the exploit that cost tens of thousands of NSA research dollars to create or discover was stolen and the discovery of the exploit is now revealed. Now the NSA has one less open back door that they can rely on to penetrate systems, so that's a loss of NSA capability and costing tax $.