Not Enough Evidence the Internet of Things Botnet Actually Exists

There was a report last week about a spam botnet using "Internet of Things" devices—a refrigerator, even!—but the evidence supporting this claim feels a little circumstantial.
As PCMag.com reported late last week, cloud security company Proofpoint claimed a botnet sent out 750,000 spam messages in waves between Dec. 23 and Jan. 6. While most of the messages were sent by conventional means, such as personal computers and mobile devices, more than 25 percent came from non-traditional sources, including "100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator," Proofpoint said.
Researchers have repeatedly warned that the surging popularity of smart appliances and devices (this year's CES was heavily dominated by "Internet of Things") meant attackers would start taking advantage of these devices to launch attacks. Security Watch even highlighted the vulnerabilities in Internet of Things as part of its look-ahead for 2014. However, Proofpoint's report is not definitive proof that such a botnet already exists.
A Look at Proofpoint's ClaimsTo be clear, there is nothing that jumps out in Proofpoint's report as being impossible. The attackers took advantage of the fact that many of these networked devices still had default passwords or had been configured incorrectly, Proofpoint said. This is nothing new, since researchers have been demonstrating how to install a backdoored firmware onto vulnerable routers since 2008.
Proofpoint warned that the growing popularity of Internet of Things would encourage attackers to try to hack these devices. Considering that many of the devices run some kind of Windows operating system or Linux, and increasingly, Android, this is also very plausible. Several researchers demonstrated attacks against non-PC devices at last year's Black Hat and DEFCON, including cars, Samsung Smart TVs, and home surveillance cameras. Consumers generally don't think about updating the firmware on their wireless routers, let alone their TVs and garage door openers. There is no question that these devices are ripe for compromise.
"The Internet of Everything means everything is hackable," Michael Daly, CTO of cybersecurity and special missions at Raytheon, told Security Watch.
So if a botnet of Internet of Things, or "thingbots," as Proofpoint calls it, is possible, what is the problem? The thing is, Proofpoint's report doesn't provide a lot of details about the botnet itself. There is no information about what kind of command-and-control server the botnet was supposedly using, or even how the researchers came up with the 100,000 number in the first place.
While it's possible that smart devices were connected directly to the Internet, it's not very likley as most home networks have multiple devices connected to the router. It isn't clear at this point how the researchers were able to tell that spam was sent by a compromised refrigerator, rather than, say, a compromised Windows machine on the same network. Consumer routers also generally use Network Address Translation (NAT) so that all the traffic going out to the Internet uses the same public-facing IP address, instead of having each device have its own address.
As an aside, this will change with IPv6, but I wonder whether enough home networks are IPv6-enabled at the moment to make a difference with this report.
Skepticism, Not Disbelief
Proofpoint also mentioned that the botnet restricted the mail sent to just 10 spam messages per IP address. This seems like a whole lot of work for so little gain. Spammers generally blast out as many spam messages as possible—sending small volumes over a period of time is not really part of their traditional M.O.
As it stands, there is nothing that says Proofpoint is incorrect in its claims of the "first proven Internet of Things (IoT)-based cyberattack," but there is not enough evidence to accept this claim at face-value, either. Ars Technica was skeptical about this particular botnet and asked Paul Royal, a research scientist at Georgia Tech who specializes in network and system security, to weigh in. "The aggregate of the information doesn't paint an adequately compelling picture that what they're asserting occurred actually occurred," Royal told Ars Technica.
That said, we need to start thinking of ways to start protecting our devices.
These smart devices can be compromised in the same way mobile devices are: through apps. Just as mobile devices can be compromised if a malicious app is installed, some of these home appliances and networked devices may support apps such as Twitter and Facebook, said Christian Crank, a security researcher at TrainACE. In the case of a set-top TV box or a smart TV, the user may be tricked into downloading something malicious. The average home should not download apps that would allow the appliance to check messages, access contacts, send SMS/MMS messages, or make a call, Crank said. Users should also make it a point to turn on the built-in firewall on their routers.
There is no need to wait till the attackers do successfully compromise our TVs, fridges, and thermostats before we wake up to security.