Security researchers have discovered the first broad Internet-of-Things cyberattack, targeting household gadgets and appliances, including at least one refrigerator.
Proofpoint, a vendor that offers data protection services, said Thursday it had uncovered an unprecedented hack that encompassed “more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.”
The large-scale attack is believed to be the first home appliance “botnet,” or a group of computers secretly operated by hackers. And as shown by the tech giant Google’s recent purchase of Nest - maker of “smart” thermostats and smoke alarms that can be controlled via the internet - more and more home devices and products will get individual computer chips and online connections, a phenomenon also known as the Internet-of-Things.
Proofpoint said in a press release that the hack occurred sometime between December 23 and January 6. The hack released waves of malicious email, often sent in spurts of 100,000 three times per day, targeting entities and individuals around the world.
The hack was not exactly refined, Proofpoint said, nor did it need to be, because it relied on user negligence.
“No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use,” Proofpoint said.
The International Data Corporation estimates that by 2020, the larger environment surrounding the Internet-of-Things will comprise more than 200 billion devices connected to the internet, together valued at US$8.9 trillion. In 2012, that ecosystem was valued at $4.8 trillion.
With this rapid growth will come a multitude of items highly vulnerable to cyber-intrusion, according to Proofpoint.
“But [Internet-of-Things] devices are typically not protected by the anti-spam and anti-virus infrastructures available to organizations and individual consumers, nor are they routinely monitored by dedicated IT teams or alerting software to receive patches to address new security issues as they arise.”
With ever more items connected online, privacy is likely to be sacrificed for convenience. Many are raising questions this week about where internet leviathan - and data vacuum - Google is headed with the purchase of Nest.
For US$3.2 billion, Google bought Nest, owned by former Apple officials Tony Fadell and Matt Rogers, in a move that puts the multinational power into the home-hardware business, offering it further access to the behavior of those who use its web services.
Nest is best known for thermostats and fire detectors that can be controlled online and are capable of self-adjusting based on user-input patterns.
The announcement led to immediate questions about the privacy of Nest customers. In a statement to TechCrunch, Fadell signaled that Nest will only use customer information for “providing and improving Nest’s products and services,” and not for integration with Google’s formidable advertising apparatus.
Yet Google could still use Nest data as input into its overall online advertising and its other web services, sending its ads when a person is at home, for example.