Did your set-top box spam your neighbors over the holidays? Would you know if it did? Security-as-a-Service provider Proofpoint uncovered three large-scale spam campaigns facilitated by unsecured, Internet-connected devices. All kinds of devices were affected, and this is only one of many compromises expected as more dumb devices come online.
When we investigated the IP (connected to it over various protocols) we found that in cases where the device replied, the device at the IP identified itself as an IoT-type device (consumer router, home security system, home entertainment system, VoIP phone, fridge, etc.).
Proofpoint says the trouble with many of these Internet-connected devices is unsecured ports or other open points of entry. Improper setup and the use of default passwords made compromising IoT devices even easier. No surprises there, right?
Additionally, the nature of the response indicated that the device had either an insecure default configuration or known vulnerabilities (e.g., it was responding without requesting authentication at all, or accepting the generic authentication with which all devices in the class are shipped).
Connected devices are designed for ease of use, not with security in mind. Developing smart devices with little or no security isn’t a very smart move at all. Connecting all your online accounts to all your home appliances might create a whole-house spam bot. Can you imagine what it might be like to find your favorite toaster has been blacklisted for suspicious activity? You might never Tweet your morning toast toppings again.
“Thingbots” are coming online and they work for the bad guys. Securing them can be as easy as keeping firmware updated and changing default passwords. Better still, skip the smart appliances until manufacturers build in better security.
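The post opens by asking whether you would know if your own set-top box were sending spam. One way a defender answers that is to watch outbound connections from the home or office network: a set-top box, fridge or VoIP phone has no business delivering mail directly to other people's mail servers on TCP/25, so any non-relay host that does so to several distinct destinations is worth a look. The script below is an added illustration, not code from Proofpoint or from the original post. It runs over a small, constructed flow log embedded inline (the timestamps, addresses and byte counts are made up; the designated mail relay at 192.168.1.2 is an assumption) and reports the hosts that match the thingbot pattern.

```python
"""Flag LAN hosts that deliver mail directly (outbound TCP/25) without being
the sanctioned mail relay. Added example; the flow data below is constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample flow log (not real traffic). Fields: timestamp src dst dport bytes.
# 192.168.1.2  -> the legitimate mail relay (assumption)
# 192.168.1.10 -> a laptop browsing the web
# 192.168.1.40 -> a "set-top box" pushing mail straight to many MX hosts
# 192.168.1.55 -> a host that sent one message (below the alert threshold)
SAMPLE_FLOWS = """\
2014-01-16T03:12:05Z 192.168.1.2  203.0.113.25   25 1842
2014-01-16T03:12:09Z 192.168.1.10 198.51.100.44 443 9120
2014-01-16T03:13:41Z 192.168.1.40 203.0.113.25   25  640
2014-01-16T03:13:42Z 192.168.1.40 203.0.113.77   25  655
2014-01-16T03:13:44Z 192.168.1.40 198.51.100.7   25  632
2014-01-16T03:13:45Z 192.168.1.40 198.51.100.90  25  648
2014-01-16T03:13:47Z 192.168.1.40 203.0.113.130  25  651
2014-01-16T03:15:00Z 192.168.1.55 203.0.113.25   25  700
2014-01-16T03:16:12Z 192.168.1.10 203.0.113.8    80 2210
"""

MAIL_PORTS: Set[int] = {25}               # direct-to-MX delivery, the spam pattern
MAIL_RELAYS: Set[str] = {"192.168.1.2"}   # hosts allowed to deliver mail (assumption)


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def find_direct_mailers(flows: Iterable[Flow],
                        relays: Set[str] = MAIL_RELAYS,
                        min_destinations: int = 3) -> Dict[str, List[str]]:
    """Return {src: sorted distinct mail destinations} for every source that is
    not a sanctioned relay and reached at least `min_destinations` distinct
    hosts on a mail port. Counting distinct destinations rather than raw
    connections separates bulk delivery from a single misconfigured client."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in MAIL_PORTS and f.src not in relays:
            targets[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_destinations}


if __name__ == "__main__":
    for host, dsts in find_direct_mailers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: direct SMTP to {len(dsts)} hosts: {', '.join(dsts)}")
```

On the sample data only 192.168.1.40 is reported; the relay is exempt and the single message from 192.168.1.55 stays under the threshold. In a real deployment the same logic can be fed from router or firewall connection logs, and the simpler mitigation the post recommends still applies: block outbound TCP/25 from everything except the relay, so a compromised appliance cannot deliver mail at all.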