The Internet of Things isn't safe: thousands of smart gadgets hacked to send spam and phishing emails
Smart things are the future, or at least that's how it appeared to those of us who attended CES 2014. And, while we're excited about home automation and smart appliances, it turns out that those companies building the bits and pieces of the Internet of Things (IoT) need to beef up security. Proofpoint -- a security service vendor that routinely researches large-scale spam and phishing campaigns -- discovered that during the two-week period before CES, a global hacking campaign successfully targeted and manipulated more than 100,000 consumer gadgets, including smart appliances, routers and other devices, into sending out more than 750,000 malicious emails. Apparently, the attacks began on December 23rd and, while roughly three quarters of the emails were sent by traditional computers and mobile devices, more than 25 percent were doled out by gadgets from the IoT.
Most disconcerting is the fact that the smart appliances and such weren't infected with a Trojan Horse or other remote-control software. Instead, security is so lax on those devices that the hackers were able to utilize the existing software running on the devices. Proofpoint believes that many of these gadgets "have open telnet, open SSH and an SMTP (aka "email") servers," which means that, rather than an exploit or viral infection, the hack was accomplished by cracking the default user and password login, then setting up "the existing emailer to send or relay malicious email." In this case, owners of infected devices probably saw no degradation in the functioning of their devices, as firing off a bunch of emails isn't so resource-intensive. Proofpoint pointed out, however, that should such devices be used in a DDoS attack, sluggish performance from your connected gadgets could very well result.
The worst part? All of the devices are still infected, and will remain so until they are taken offline or receive a security update from their manufacturers. Hear that OEMs? Time to step your security game up, for the future of the Internet of Things is at stake -- Craig and Day-Day can probably help you with that.
