Can TVs and refrigerators really spew botnet spam?

Refrigerators might hold spam to keep it cold in the meat bin. But in the Internet of Things world, can fridges connected to the Web blast malicious e-mail as part of a botnet? And how about TVs or other smart devices? On the stranger side of the Internet of Things, Proofpoint said it uncovered a cyberattack in which compromised refrigerators and TVs sent out malicious e-mail. But Symantec says it saw no evidence of such an attack.

The phrase "Internet of Things" describes how a variety of household or industrial devices can be connected to the Internet for remote management. Proofpoint "has uncovered what may be the first proven Internet of Things-based cyberattack involving conventional household 'smart' appliances," the security firm declared about a week ago. It was described as "a global attack campaign involving more than 750,000 malicious e-mail communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that has been compromised and used as a platform to launch attacks."

But another security firm, Symantec, is debunking this, saying it sees no evidence of this.

"We monitor traffic very extensively on the Internet and we believe we'd see that happening," says Liam O'Murchu, manager of security response operations at Symantec. "We'd never seen that happening before." Symantec thinks Proofpoint may have erred in some of its analysis.

A modern refrigerator could have an IP address that might support a function such as testing temperature, but it would send out spam, says O'Murchu. Symantec believes that what Proofpoint likely observed was home-based routers doing network-address translation (NAT) and port forwarding in a configuration where it was actually the compromised home computer generating the spam.

But Proofpoint says it's sticking with its analysis that "cyber-criminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into 'thingbots' to carry out the same type of malicious activity."

However, when asked to name the models of the TVs and refrigerators thought to be sending out spam, Proofpoint responded it's "not revealing the brand names of the compromised IoT devices."

Kevin Epstein, Proofpoint's vice president of information security, says he can't comment on what Symantec might or might not be seeing, but "we can confirm that we observed IoT devices sending spam."

Proofpoint is "well-aware of the port-forwarding behavior of these devices that Symantec and others have mentioned," Epstein commented. "We then checked interface stats and uncovered evidence that the email messages had been proxied via the WAN interface, and didn't originate from the internal NATted segment."

Epstein concluded: "In short, we verified that these devices were configured to act as e-mail proxies, and we collected evidence that indicated active e-mail proxying was occurring." Proofpoint says it's "confident about what it observed."

But Symantec remains skeptical that refrigerators and TVs have become part of some cyber-criminal botnet empire. Symantec adds, however, that this doesn't mean it thinks there are no security issues associated with the IoT.

Symantec notes that it has discovered worms that infect Linux-based IoT devices such as routers, cameras and entertainment systems. One of them, called Linux.Darlloz, is "interesting because it's involved in a worm war with another threat known as Linux.Aidra. Darlloz checks if a device is infected with Aidra and if found, removes it from the device."

Symantec adds, "This is the first time we've seen worm writers fight an IoT turf war and is reminiscent of the 2004 worm wars. Considering these devices have limited processing and memory, we'd expect to see similar turf battles in the future. While malware for IoT things is still in its infancy, IoT devices are subject to a wide range of security concerns. So don't be surprised if in the near future, your refrigerator actually does start sending spam."

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.
