Smart Refrigerators Attack: Documenting the First Ever “Thingnet”

By   ISBuzz Team
Writer , Information Security Buzz | Jan 17, 2014 05:14 am PST

SUNNYVALE—A cyber security firm based in California has documented the spamming campaign of a “zombie” network comprised not only of computers but also of media players, smart TVs, and at least one refrigerator.

Proofpoint, Inc. on Thursday issued a press release explaining the details of the attack.

The campaign occurred between December 23, 2013 and January 6, 2014.  Overall 100,000 Internet-connected “things” were involved, sending over 750,000 spam emails in total.

This attack constitutes the first ever botnet campaign in which hackers have exploited The Internet of Things, a concept where everyday items like alarm clocks, toasters, and showers become connected to and interact with one another over the Internet.  Traditional spamming botnets have generally involved only personal computers; this is the first documented instance in which smart “things” have also been used in an attack.

But not all people celebrate this concept.  Some consumers are set against The Internet of Things and question whether we need products like Internet-compatible refrigerators.

Their skepticism may not be unfounded given today’s “smart” market.  For instance, the Samsung RF4289HARS refrigerator, priced $3,499.99 at Best Buy, has an 8” LCD Digital Display with apps.  But these apps and the display are a missed opportunity:  they fail to adequately interact with the functions of the appliance they are presumably making “smart.”  Rather, consumers can use them to post photos from one’s SD card, connect with family members via Google Calendar, and complete other generic activities online.

More than that, regarding the RF4289HARS specifically, it has to be very close to a router to even connect to the Internet—some estimates report 15 feet at most.  This design shortcoming is neither convenient nor particularly “smart”.

The recent spamming attack only confirms cybersecurity analysts concerns regarding Internet-connected devices.  Unlike computers, media players and smart products are comparatively easier to penetrate, less secure from a design or consumer standpoint, and more numerous in number, all culminating in the general consensus that they can send malicious content almost with no detection of their activity.

What is perhaps even more concerning is that, according to Proofpoint’s report, the hacked devices were not severely compromised to begin with.  Rather, they were either misconfigured or set to default factory passwords, leaving them vulnerable to be hacked.

Clearly, the first ever “thingnet” reveals the inadequacies of the current cyber security model, not to mention the shortcomings of tech manufacturers and consumers to protect Internet-capable products.

Once again, it seems that the human factor is playing catch-up.  On the one hand, technology can protect itself only so far; people need to engage this process, as well.  But on the other hand, people still do not realize what a crucial component they play in bolstering—or in this case undermining—cyber security.

Perhaps after a few more attacks by toaster ovens and hair dryers, people will become “smart” and take more responsibility for protecting their devices.

dave bissonDavid Bisson | @DMBisson

Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation.  He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern.  Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.