WASHINGTON — Call it the attack of the zombie refrigerators. Computer security researchers said this week they discovered a large “botnet” which infected Internet-connected home appliances and then delivered more than 750,000 malicious emails. The California security firm Proofpoint, Inc., which announced its findings, said this may be the first proven “Internet of Things” based cyber attack involving “smart” appliances.
Proofpoint said hackers managed to penetrate home-networking routers, connected multi-media centers, televisions and at least one refrigerator to create a botnet — or platform to deliver malicious spam or phishing emails from a device, usually without the owner’s knowledge. Security experts previously spoke of such attacks as theoretical. But Proofpoint said the case “has significant security implications for device owners and enterprise targets” because of massive growth expected in the use of smart and connected devices, from clothing to appliances. “Proofpoint’s findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the Internet of Things and transform them into ‘thingbots,’” to carry out the same kinds of attacks normally associated with personal computers. The security firm said these appliances may become attractive targets for hackers because they often have less security than PCs or tablets. Proofpoint said it documented the incidents between Dec. 23 and Jan. 6, which featured “waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide.” More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single device, making the attack difficult to block based on location.