California cyber security firm Proofpoint Inc. says it has uncovered what it believes to be the first successful attempt to use Internet-connected home appliances to deliver more than 750,000 malicious emails to individuals and enterprises around the world.
Proofpoint said it detected the attacks between December 23 and June 6 when waves of emails, 100,000 at a time, three times a day, started pouring out of more than 100,000 everyday consumer gadgets. More than 25% were sent by devices that were not laptops, desktop computers, tablets or smartphones.
The gadgets included routers, televisions, multi-media centers and at least one refrigerator that were connected to the Internet.
IT experts have long warned that household appliances and consumer gadgets are potential security risks because their computer chips and high-tech systems don’t have the protections built into computers, which are, themselves, still vulnerable to attack. Owners often use default passwords or none at all when setting up their devices, making them easy prey for hackers.
Proofpoint said that security was so weak in the appliances and devices that there was no need for hackers to insert Trojan horses or other malware. They simply cracked the login and used “the existing emailer to send or relay malicious email.” Consumers would not have noticed any change in the performance of their devices. But if the hackers get more aggressive and use the devices for Distributed Denial of Service (DDoS) attacks on others, which are more destructive, consumers might notice some sluggishness.
Proofpoint’s general manager for information security, David Knight, said, “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”
IDC Community Insights, a research group, predicts that more than 200 billion gadgets will be connected via the Internet by 2020. This year was declared a breakthrough year for the so-called Internet of Things (IoT) at the Consumer Electronics Show in Las Vegas. Smart thermostats, smoke alarms, contact lenses, glucose monitors for diabetics and pacemakers are just a few of the devices coming online, ripe for exploitation by evil programmers and their botnets.
Last year, Trustwave SpiderLabs issued a warning that a Japanese “smart” toilet was vulnerable to hacking that “could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.”