Two excellent security articles have called into question a recent press release in which a start-up security company claimed to have discovered, over the holidays, the first botnet based in part on devices in the Internet of Things.
On January 16, the security firm Proofpoint said that 750,000 malicious emails had originated from a botnet composed of “more than 100,000 everyday consumer gadgets.” Specifically they claimed the botnet included “home networking routers, multi media centers, televisions and at least one refrigerator.” Proofpoint stated this botnet represented the “first time the industry has reported actual proof of such a cyber attack involving common appliances.”
Writing in Security Ledger, Paul Roberts comments that 2009's psybot, which used routers, would certainly qualify as the first IoT botnet. He also notes recent vulnerabilities in digital TVs; Mocana first reported these back in 2010.
As for the refrigerator, Dan Goodin, writing for Ars Technica, questions that claim. Goodin interviewed David Knight, general manager of Proofpoint’s information security division. The article states that according to Knight “the researchers directly queried the smart devices on IP addresses that sent spam and observed that the appliances were equipped with the Simple Mail Transfer Protocol or similar capabilities that caused them to send spam. In other cases, the researchers determined the devices were connected directly to the Internet rather than through a router, making them the only possible source of the spam that came from that IP address.” But Goodin notes that “the intricacies of network address translation mean that the IP address footprint of a home router will be the same as the PC, smart TV, and thermostat connected to the same network.”
In other words, it’s hard to prove any device other than a home router was involved.
Goodin also spoke to Paul Royal, a research scientist at Georgia Tech, who concluded “The aggregate of the information doesn’t paint an adequately compelling picture that what they’re asserting occurred actually occurred. When you ask something as simple as how do you know the spam came from gadgets they say: ‘Well, we looked at the IP addresses of the systems sending the spam and when we presumably probed them we observed that they were coming from set-top-box-like devices.’ The technical analysis of that shows that there could be plenty of other explanations.”
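The NAT point Goodin raises can be made concrete. The following Python script is an added illustration, not code from either article or from Proofpoint; the LAN hosts, addresses and flows are constructed. It shows that a receiving mail server sees only the gateway's public address, so every device behind that address is an equally plausible spam source until the gateway's own translation state is consulted.

```python
from collections import defaultdict

# Constructed home LAN: one NAT gateway in front of several device kinds.
LAN_HOSTS = {
    "192.168.1.10": "laptop",
    "192.168.1.20": "smart-tv",
    "192.168.1.30": "media-center",
    "192.168.1.40": "refrigerator",
}
PUBLIC_IP = "203.0.113.7"       # gateway WAN address (RFC 5737 doc range)
MAIL_SERVER = "198.51.100.25"   # remote MX receiving the spam (constructed)

# Constructed flows (src_ip, src_port, dst_ip, dst_port): only the laptop
# opens SMTP connections; the smart TV merely fetches a web page.
SAMPLE_FLOWS = [
    ("192.168.1.10", 51001, MAIL_SERVER, 25),
    ("192.168.1.10", 51002, MAIL_SERVER, 25),
    ("192.168.1.20", 43210, "198.51.100.80", 443),
    ("192.168.1.10", 51003, MAIL_SERVER, 25),
]

def nat_translate(flows, public_ip, first_port=40000):
    """Source NAT: rewrite each internal (ip, port) to (public_ip, new_port);
    the returned table maps external port -> internal host (gateway-only state)."""
    table, out, port = {}, [], first_port
    for src_ip, src_port, dst_ip, dst_port in flows:
        table[port] = src_ip
        out.append((public_ip, port, dst_ip, dst_port))
        port += 1
    return out, table

def observer_view(translated):
    """What the remote mail server sees: SMTP connections per public source IP."""
    counts = defaultdict(int)
    for src_ip, _, _, dst_port in translated:
        if dst_port == 25:
            counts[src_ip] += 1
    return dict(counts)

def candidate_devices(observed_ip, lan_hosts, public_ip):
    """Without the NAT table, every host behind the public IP is a candidate."""
    return set(lan_hosts.values()) if observed_ip == public_ip else set()

def attribute_with_nat_table(translated, table, lan_hosts):
    """Only the gateway's own translation state ties SMTP flows to a device."""
    return {lan_hosts[table[port]]
            for _, port, _, dst_port in translated if dst_port == 25}
```

Running it on the sample, the observer counts three SMTP connections from a single address, the candidate set is all four devices, and only the NAT table narrows the origin to the laptop.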