Attack Attribution and the Internet of Things
On January 16, 2014, Proofpoint discussed a spam attack conducted via “smart devices which have been compromised.” Among the devices cited by Proofpoint as participating in the “Thingbot” were routers, set-top boxes, game consoles, and purportedly, even one refrigerator. Of course, news about a refrigerator sending spam generates considerable media attention, as it should, since an attack by the Internet of Things (IoT) would represent a high-water mark in the evolution of (in)security on the Internet. However, soon after Proofpoint’s post, Symantec published a response indicating that IoT devices were not responsible for the spam attack in question, and that the machines behind the spam attack were all really just infected Windows boxes. So why is determining the identity of the devices used in this spam attack so difficult?
Email is transacted over the Internet using the Simple Mail Transfer Protocol (SMTP), which provides no native facility for independently verifying the sender of a message beyond the IP address used to deliver it. Proofpoint extracted the sending IP from the spam, then checked those IP addresses to determine what sort of device was doing the sending. To check an IP, Proofpoint connected back to the sending address using various other Internet protocols such as Telnet or Hypertext Transfer Protocol (HTTP). The flaw in this method of attribution is that the devices responding to these subsequent connections are not necessarily the same devices that did the initial spamming.
In their post, Symantec points out that many devices are not directly connected to the Internet. We commonly see multiple devices (tablets, TVs, laptops, etc.) all connected via Network Address Translation (NAT) behind a router. With NAT, devices on the internal network are assigned RFC 1918 IP addresses, which are private and not routable over the public Internet (so-called Martian addresses). The router multiplexes traffic from the internal network over a single, publicly routable IP address for external communications. Recipients of the spam email, possessing only the public IP address used for the spam delivery, would have no way to determine whether there was one device behind the public IP or thousands.
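To make the attribution limits described above concrete, here is an added example (not code from the original post, Cisco TRAC, Proofpoint or Symantec) that parses the Received headers of a constructed message, keeps the IP stamped by the recipient's own mail server as the only verifiable datum, and flags RFC 1918 and other non-routable addresses. The hostnames and addresses in the sample are made up.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (hostnames and addresses made up; 203.0.113.0/24 is an
# RFC 5737 documentation range standing in for a real public address).
# The top Received line was stamped by the recipient's own MX and is the only one the
# recipient can trust; the lower line was written by the remote side and is unverifiable.
SAMPLE = (
    "Received: from host.example (unknown [203.0.113.45])\n"
    "\tby mx.example.org with ESMTP id A1B2; Thu, 16 Jan 2014 10:00:00 +0000\n"
    "Received: from fridge.lan (fridge.lan [192.168.1.23])\n"
    "\tby host.example with SMTP id C3D4; Thu, 16 Jan 2014 09:59:58 +0000\n"
    "From: sender@example.com\nTo: victim@example.org\nSubject: hello\n\nbody\n"
)

# Addresses that cannot be the source of a connection over the public Internet:
# RFC 1918 private space plus loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """IPv4 addresses recorded in Received headers, most recent hop first."""
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):   # header folding does not affect the regex
        m = BRACKETED_IP.search(value)
        if m:
            ips.append(m.group(1))
    return ips

def classify(ip_str):
    """'martian' for non-routable addresses, otherwise 'public'."""
    ip = ipaddress.ip_address(ip_str)
    return "martian" if any(ip in net for net in NON_ROUTABLE) else "public"

def attribute(raw):
    """Return (delivering_ip, its class, unverified earlier hops).

    Only the delivering IP is verifiable, and a public address there identifies
    at most a NAT gateway, never the specific device behind it."""
    ips = received_ips(raw)
    if not ips:
        raise ValueError("no Received header with a bracketed IPv4 address")
    return ips[0], classify(ips[0]), ips[1:]

if __name__ == "__main__":
    delivering, kind, hops = attribute(SAMPLE)
    print(f"delivering IP {delivering} ({kind}); unverified earlier hops: {hops}")
```

The private 192.168.1.23 in the lower hop suggests a NAT'd sender, but since that header was written by the remote side it cannot be relied on; the one verified fact is the public delivering address.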
For some of the IP addresses, Proofpoint “approached the device in the same way as an attacker, using a remote automated system to cause sample email messages to come from the device to our destinations.” Cisco TRAC would recommend against this method of attribution. By connecting to a compromised machine and using it to relay email, one could potentially be running up the bill for the victims, as there are many people around the globe who pay for their Internet using metered bandwidth connections. Also, if any damage occurred to the device as a result of the activity, inadvertent or not, it could create significant liability problems.
There is no doubt we will eventually see smart devices used in future attacks. The stale code often present in many IoT devices, coupled with the lack of available security updates from vendors, means that the IoT will likely be increasingly exploited for ill-gotten gains. However, in this case, there is still insufficient proof that a refrigerator actually did send a piece of spam.