Your refrigerator probably hasn't joined a botnet


A mediagenic press-release from Proofpoint, a security firm, announced that its researchers had discovered a 100,000-device-strong botnet made up of hacked "Internet of Things" appliances, such as refrigerators. The story's very interesting, but also wildly implausible, as Ars Technica's Dan Goodin explains.

The report is light on technical details, and the details that the company supplied to Goodin later just don't add up. Nevertheless, the idea of embedded systems being recruited to botnets isn't inherently implausible, and some of the attacks that Ang Cui has demonstrated scare the heck out of me.

For more speculation, see my story The Brave Little Toaster, from MIT's TRSF.

Knight said Proofpoint knows appliances sent the spam directly because researchers scanned the IP addresses that sent the malicious e-mails and received responses from the Internet interfaces of name-brand devices. I pointed out that many home networks have dozens of devices connected to them. How, I asked, did researchers determine that spam was sent by, say, an infected refrigerator? Isn't it possible that a home network with a misconfigured smart device might also have an infected Windows XP laptop that was churning out the malicious e-mails?

Knight's response: in some cases, the researchers directly queried the smart devices on IP addresses that sent spam and observed that the appliances were equipped with the Simple Mail Transfer Protocol or similar capabilities that caused them to send spam. In other cases, the researchers determined the devices were connected directly to the Internet rather than through a router, making them the only possible source of the spam that came from that IP address.

Again, what Proofpoint is reporting is plausible, but it doesn't add up. Experienced botnet researchers know that estimating the number of infected machines is a vexingly imprecise endeavor. No technique is perfect, but the scanning of public IP addresses is particularly problematic. Among other things, the intricacies of network address translation mean that the IP address footprint of a home router will be the same as the PC, smart TV, and thermostat connected to the same network.

Is your refrigerator really part of a massive spam-sending botnet? [Dan Goodin/Ars Technica]
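The passage above turns on one point: behind NAT, a public IP address fronts every device on the home network, so scanning that IP and getting a fridge's web interface back does not tell you which device opened the SMTP connection. The following is an added example, not code from the original post or from Goodin's article, showing one way a botnet researcher can get a little further without overclaiming: passive fingerprinting of the spam connection itself (the TTL and initial TCP window the receiving mail server saw on the SYN) compared against the same fields on the active scan's SYN-ACK. If the two indicate different operating-system stacks (for instance a Windows-style initial TTL of 128 on the spam, a Linux/embedded-style 64 from the appliance's HTTP interface), the spam sender and the scanned appliance are almost certainly two different hosts sharing one address. The `Observation` record, the rounding rule for initial TTL, and the window threshold are this example's own assumptions, and all sample records are constructed.

```python
"""Consistency check between a spam-source observation and an active scan
of the same public IP. Added example with constructed data; the field names,
the TTL inference rule and the TCP-window threshold are assumptions here."""
from dataclasses import dataclass
from typing import List, Tuple

# Typical initial TTLs: 64 (Linux, most embedded stacks, macOS), 128 (Windows),
# 255 (some network gear). Observed TTL = initial TTL - hops, so rounding up to
# the nearest candidate recovers the initial value (assumes fewer than 32 hops).
INITIAL_TTLS = (32, 64, 128, 255)

# Above this gap the advertised initial windows are treated as coming from
# differently tuned stacks (heuristic threshold, an assumption of this example).
WINDOW_GAP_LIMIT = 4096


@dataclass(frozen=True)
class Observation:
    ip: str           # public source IP as seen by the observer
    ttl: int          # IP TTL on the arriving SYN (passive) or SYN-ACK (scan)
    tcp_window: int   # initial TCP window advertised by the remote stack
    banner: str       # SMTP EHLO text (passive) or HTTP Server header (scan)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Map an observed TTL back to the initial TTL its stack most likely used."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def hop_count(observed_ttl: int) -> int:
    """Hops between the sending host and the observer, given the inferred initial TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def same_host_verdict(spam: Observation, scan: Observation) -> Tuple[str, List[str]]:
    """Decide whether the spam sender and the scanned device look like one host.

    Returns ('inconsistent' | 'inconclusive' | 'consistent', reasons).
    A NAT gateway rewrites addresses and ports but does not re-originate TCP,
    so TTL and the initial window still describe the end host, not the router.
    """
    if spam.ip != scan.ip:
        raise ValueError("both observations must come from the same public IP")
    reasons: List[str] = []

    spam_init, scan_init = infer_initial_ttl(spam.ttl), infer_initial_ttl(scan.ttl)
    if spam_init != scan_init:
        reasons.append(
            f"initial TTL {spam_init} (spam) vs {scan_init} (scan): different IP stacks"
        )
    if abs(spam.tcp_window - scan.tcp_window) > WINDOW_GAP_LIMIT:
        reasons.append(
            f"initial window {spam.tcp_window} (spam) vs {scan.tcp_window} (scan)"
        )

    if spam_init != scan_init:
        # Two stacks behind one address: classic NAT with several devices.
        return "inconsistent", reasons
    if reasons:
        return "inconclusive", reasons
    return "consistent", [
        "same inferred initial TTL and similar TCP window; NAT with a second "
        "device of the same OS family is still not excluded"
    ]


# Constructed sample data (not real measurements).
SPAM_FROM_198 = Observation("198.51.100.23", ttl=113, tcp_window=8192,
                            banner="EHLO DESKTOP-7G2K1")        # Windows-like client
FRIDGE_AT_198 = Observation("198.51.100.23", ttl=49, tcp_window=5840,
                            banner="Server: lighttpd/1.4.28")   # Linux-based appliance UI
SPAM_FROM_203 = Observation("203.0.113.8", ttl=50, tcp_window=14600,
                            banner="EHLO localhost")
DEVICE_AT_203 = Observation("203.0.113.8", ttl=50, tcp_window=14600,
                            banner="Server: lighttpd/1.4.28")

if __name__ == "__main__":
    for spam, scan in ((SPAM_FROM_198, FRIDGE_AT_198), (SPAM_FROM_203, DEVICE_AT_203)):
        verdict, why = same_host_verdict(spam, scan)
        print(f"{spam.ip}: {verdict} (spam {hop_count(spam.ttl)} hops, "
              f"scan {hop_count(scan.ttl)} hops)")
        for line in why:
            print("  -", line)
```

Note what the "consistent" case does and does not say: matching fingerprints only mean the appliance has not been ruled out. A second Linux-based device behind the same router would look identical here, so this check can refute an attribution but never confirm one, which is the same limitation Goodin raises about the scanning approach.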