“Proofpoint Uncovers Internet of Things (IoT) Cyberattack”

That was the headline on this January 16th press release issued by Proofpoint, Inc. The press release went on to explain how Proofpoint researchers were analyzing a botnet-based spam campaign. Nothing unusual there; botnets composed of compromised computers and servers spew forth billions of spam emails on a regular basis.

Except these were not computers, they were “things”.

In an interesting juxtaposition, a day before the Proofpoint press release, SANS Institute ran a webcast titled: SANS Survey on Securing the Internet of Things. Along with the webcast, the SANS Institute included a comprehensive report sharing the concerns of the survey participants. (My thanks to SANS Institute and John Pescatore, author of the report, for allowing my use of material from the report.)

What is the “Internet of Things”?

Before getting to the survey results, the paper attempted to eliminate confusion. It seems “Internet of Things” is not a universally accepted term. The National Security Telecommunications Advisory Council likes “Industrial Internet,” whereas the National Institute of Standards and Technology prefers “Cyber-Physical Systems.”

The SANS paper also mentions many vendors are going with the “Internet of Everything.” SANS Institute, in deference to simplicity, sided with the “Internet of Things” (IoT), and offered the following list as possible “Things”:

  • PCs, servers, routers, switches and other such devices bought as Information Technology (IT) devices by enterprise IT people, primarily using wired connectivity
  • Medical machinery, SCADA, process control, kiosks and similar technologies bought as appliances by enterprise Operational Technology (OT) people primarily using wired connectivity
  • Smartphones and tablets bought as IT devices by consumers (employees) exclusively using wireless connectivity, and often multiple forms of wireless connectivity
  • Single-purpose devices bought by both consumers, IT and OT people exclusively using wireless connectivity, generally of a single form

It is almost as if the SANS Institute is agreeing with vendors. Their list appears to include “everything.” It’s the last bullet that we’re concerned about today—single-purpose devices.

Your refrigerator might be sending spam

Between December 23, 2013 and January 6, 2014, Proofpoint researchers detected a botnet that was aggressively mailing malicious spam three times each day. Proofpoint believes the 450,000-IP-address-strong spam botnet included over 100,000 IoT devices:

“A more detailed examination suggested that while the majority of mail was initiated by “expected” IoT devices such as compromised home-networking devices (routers, NAS), there was a significant percentage of attack mail coming from other non-traditional sources, such as connected multi-media centers, televisions and at least one refrigerator.”

The press release and this blog post did not provide much in the way of proof (more on this later), only mentioning that attackers compromised the IoT devices by leveraging misconfigured firmware and default passwords.

The SANS Institute survey did not directly refer to IoT botnets, but survey participants were asked: Where do you consider the greatest risk to be in “Things” connecting to your network and the Internet?

The top two concerns were Internet connection and command and control: the two requirements for creating a botnet.

Computers are still easier targets

Why waste that much effort to use IoT devices for spam botnets, when there are millions of vulnerable computers just sitting there for the taking? Perhaps this event was just a “proof of concept” exploration or maybe a dare amongst the bad guys.

Dan Goodin took exception to Proofpoint’s claim. Writing for Ars Technica, he expressed his reservations:

“The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented.”

Goodin continues by saying the engineering effort to set up a botnet of “Things” would be immense, but possible. Goodin then proceeds to dissect many of the claims made by Proofpoint, asking for clarification and not getting much. Goodin ends the blog post with:

“Again, I’m open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I’m maintaining a healthy amount of skepticism.”

Maybe not this time, but IoT botnets will happen

In conversations with security pundits about protecting IoT devices, a common thread surfaced, and the SANS Institute survey also referred to it. Due to the nature of IoT devices, it will be difficult if not impossible to patch vulnerabilities in the field. That means external security, firewalls for example, placed upstream of IoT devices will be their only source of protection.
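As an added example (not code from the article, Proofpoint or SANS), here is the kind of egress check the operator of that upstream firewall could run over its own connection log to catch an unpatchable device that suddenly starts speaking SMTP, and to turn the hits into deny rules. The log format, the LAN range and the approved mail relay address are assumptions.

```python
"""Outbound-SMTP egress check over a firewall connection log (added example).

Assumed log format, one new connection per line:
'<ISO time> <src_ip> <dst_ip> <dst_port> <proto>'.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 465, 587}
INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN range
MAIL_RELAY = {"192.168.1.10"}             # assumed: the only host allowed to send mail

# Constructed sample log: the relay doing its job, plus a NAS (.42) and a
# "refrigerator" (.77) that have no business opening SMTP sessions.
SAMPLE_LOG = """\
2014-01-03T08:00:01 192.168.1.10 203.0.113.25 25 tcp
2014-01-03T08:00:05 192.168.1.42 198.51.100.7 25 tcp
2014-01-03T08:00:06 192.168.1.42 198.51.100.8 25 tcp
2014-01-03T08:00:09 192.168.1.77 203.0.113.99 587 tcp
2014-01-03T08:01:00 192.168.1.42 203.0.113.5 443 tcp
2014-01-03T16:00:02 192.168.1.42 198.51.100.9 25 tcp
"""

def parse_flows(text):
    """Yield (time, src, dst, port); skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, _proto = parts
        try:
            yield ts, ip_address(src), ip_address(dst), int(port)
        except ValueError:
            continue

def smtp_egress_violations(text, relays=MAIL_RELAY):
    """Return {src_ip: [timestamps]} for internal hosts that open SMTP sessions
    to external destinations without being an approved relay."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port not in SMTP_PORTS or src not in INTERNAL or dst in INTERNAL:
            continue
        if str(src) in relays:
            continue
        hits[str(src)].append(ts)
    return dict(hits)

def deny_rules(violations):
    """Emit iptables-style FORWARD drops so the offending device is cut off
    from Internet SMTP at the firewall, since the device itself cannot be patched."""
    return [f"-A FORWARD -s {ip} -p tcp -m multiport --dports 25,465,587 -j DROP"
            for ip in sorted(violations)]
```

Because the check keys on source address rather than device type, it catches a television or refrigerator just as readily as a router or NAS; the per-host timestamp list also makes the "three times a day" pattern Proofpoint described visible at a glance.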

We seem to be repeating, on our new Internet-connected things, the same mistakes we made with the inherent vulnerabilities of our computers.