Security researchers have published a report that Ars is having a tough time swallowing, despite considerable effort chewing—a botnet of more than 100,000 smart TVs, home networking routers, and other Internet-connected consumer devices that recently took part in sending 750,000 malicious e-mails over a two-week period.
The "thingbots," as Sunnyvale, California-based Proofpoint dubbed them in a press release issued Thursday, were compromised by exploiting default administration passwords that hadn't been changed and other misconfigurations. A Proofpoint official told Ars the attackers were also able to commandeer devices running older versions of the Linux operating system by exploiting critical software bugs. The 100,000 hacked consumer gadgets were then corralled into a botnet that also included infected PCs, and they were then used in a global campaign involving more than 750,000 spam and phishing messages. The report continued:
The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014 and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.
The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented. And while the engineering effort required to pull off such a feat would be considerable, the botnet Proofpoint describes is possible. After all, many Internet-connected devices run on Linux versions that accept outside connections over telnet, SSH, and Web interfaces.