Jan. 18 -- That spam that fills your e-mail inbox might be coming from inside your home -- sent by a TV, a wireless router, or even a refrigerator that's been turned against you.
Computers and smartphones have long been the target of hackers, but a recent online attack exploited security holes in more than 100,000 Internet-connected home devices and used them to transmit about 750,000 spam and phishing e-mails over two weeks in late December and early January, according to Proofpoint, a Sunnyvale spam-detection company that discovered the attack.
More and more devices are connecting to the Web, forming what tech insiders call the Internet of Things. It's a booming sector in the tech industry, with Google snatching up connected-home appliance company Nest for $3.2 billion in cash this week. The Internet of Things is projected to be worth $1.9 trillion and include 26 billion devices by 2020, according to analysts. But each new online gadget, whether it's a phone-controlled thermostat or a Wi-Fi-enabled wristwatch, is a potential target.
The bulk of the recent attack, which spanned Dec. 23 to Jan. 6, still relied on compromised personal computers to send malicious e-mails. But about 25 percent of the messages went out from other connected devices including gaming consoles, wireless speakers, televisions and at least one refrigerator, the company said. Proofpoint said this was the first attack it has seen that used household smart appliances.
The attack used the devices to relay e-mails, but didn't affect their operations in the home.
"Hackers aren't going to go in and turn up your thermostat to 100 degrees, but if they can go in and leverage that device, if they can use it for something else, there's that possibility," said Michele Borovac, a security specialist at Mountain View's HyTrust. "As we see technologies grow and improve and see more things connected to the Internet, we're going to see attacks grow."
Hackers are "wily" and will use whatever opportunities they can find, she said. Basic security checks usually catch compromised machines because their IP addresses show unusual activity, but in this case the attackers escaped detection by never sending more than 10 e-mails from a single IP address.
"We'll probably start to have antivirus software on our devices, on our fridges," Borovac said. "Security has to evolve. I don't think we're quite there yet. Security tends to trail behind innovation."
No routine protections
What makes the attack so alarming is the fact that most consumers don't monitor their connected appliances the same way they do their computers and phones, said David Knight, Proofpoint's information security manager. For instance, when is the last time you checked the antivirus software on your television?
"Unlike PCs that have interfaces and antivirus software and all kinds of things that the consumer accesses every day, these devices don't have regular capabilities to be actively updated and protected," Knight said. "Some don't even really have a screen, so how do I know if something's wrong? If my PC's infected it's going to run slowly, I'm going to see something on my screen, but that's not the same for a fridge."
Security for connected devices will probably catch up with the attacks, Knight said, but the vulnerability shouldn't have been a surprise.
"The significance of the news isn't this attack -- these attacks happen all the time, and it wasn't a particularly large one," Knight said. "What was significant was that researchers have been warning that these new connected smart devices were going to be susceptible to these kinds of breaches, and we were able to show that the theory has turned into reality."
Ellen Huet is a San Francisco Chronicle staff writer.
Copyright 2014 - San Francisco Chronicle