The Spamming Refrigerator

← Back to Stories (view on slashdot.org)

Posted by timothy on Saturday January 18, 2014 @01:27AM from the silly-rabbit-spam-is-for-cans dept.

puddingebola writes "The 'Internet of Things' is as susceptible to malware and spam as the rest of the net. From the article, 'A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets...The spam attack took place between 23 December 2013 and 6 January this year, said Proofpoint in a statement. In total, it said, about 750,000 messages were sent as part of the junk mail campaign. The emails were routed through the compromised gadgets. About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said.' Read Proofpoint's statement here."

24 of 90 comments (clear)

Min score:

Reason:

Sort:

Fridge spam by Anonymous Coward · 2014-01-18 01:40 · Score: 5, Funny

Spam from a refrigerator? That's COLD!
1. Re:Fridge spam by mattie_p · 2014-01-18 02:00 · Score: 2, Funny
  
  Considering that I've never put spam into my fridge, it is indeed surprising to get spam from a fridge.
2. Re:Fridge spam by Guppy · 2014-01-18 02:43 · Score: 3, Funny
  
  Proofpoint Researcher: "Is your refrigerator running?"
  Fridge Owner: "Yes?"
  Proofpoint Researcher: "Well, you'd better go catch it!"
So guys... by Mashiki · 2014-01-18 01:42 · Score: 4, Insightful

Still think that hooking everything up to the intertubes is a great idea? I can't wait to see what happens with all those home alarms systems that are getting hooked up this way as well.

--
Om, nomnomnom...
1. Re:So guys... by mikael · 2014-01-18 02:08 · Score: 4, Informative
  
  They were talking about this idea 18 years ago, in the mid 1990's. The idea was that all food packaging would have RFID tags with use-by-dates. The fridge could then send you emails telling you that various items were going to go off soon, or that you were going to run out of something. Then you could drive home from work and go to the nearest supermarket, or send the list would be sent automatically to a delivery company like Peapod, who would then do a delivery.
  It seemed a perfectly good idea for those with Hollywood sized kitchens with a freezer the size of a double bay garage, but for the rest of world who have little R2D2 sized fridges as part of energy efficiency programs, it really wasn't much use.
  Though, it took me by surprise when my neighbors TV set (Philips 8000 series) appeared in awifi scan. Apparently, these sets can do wifi mirroring (Miracast) where the screen output is sent to other media devices, and vice versa.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
2. Re:So guys... by game+kid · 2014-01-18 02:10 · Score: 2
  
  I don't mind my desktop or laptop hooked up via IPv6.
  I do mind my fridge or power grid hooked up and controllable via IPvVERSION_NUMBER. I really don't need another reason to find my fridge doors suddenly full of ads, or my freezer's ice cube trays suddenly melted, or my bedroom suddenly ill-HVAC'd, or my Northeast US suddenly dark...yet again...
  
  --
  You can hold down the "B" button for continuous firing.
3. Re:So guys... by causality · 2014-01-18 03:12 · Score: 4, Informative
  
  That default password jazz is something I wish manufacturers would get away from, even if a solution is a hard reset and the user selects a password all over again.
  If it makes you feel better, I recently bought a wireless router from a major manufacturer. I plug it in, connect it to my computer, go to http://192.168.1.1/ and fine-tuned all the settings to be just the way I want, particularly those involving setting my own passwords (on the router's administration and on the secure wifi network). Everything nice and neatly set up. That's the first thing I did as soon as I took it out of the box because I try not to be an irresponsible douchebag.
  
  I run my own local caching DNS server. I don't own a domain. I just use it to resolve hostnames because it's more reliable than my ISP's. Imagine my surprise when I found that my router's UNDOCUMENTED "first-use" behavior was to hijack all DNS traffic. Suddenly google.com resolved as 192.168.1.1 and so did every other domain. With my own DNS server on my statically-configured machine (not proxying DNS through the router like its DHCP settings for attached clients would direct). The router was actually intercepting and hijacking UDP port 53 traffic.
  
  Apparently they do this so that irresponsible dumb users can't go to any Web site without first accessing the router's configuration page. Nevermind that I had already done the configuration. Nevermind that irresponsible dumb users tend not to have statically (thus, manually) assigned network information. Nevermind that irresponsible dumb users tend to just use their ISP's dns servers by proxying DNS through the router (shows 192.168.1.1 as DNS server) instead of running their own. Nevermind that this was mentioned nowhere in the documentation.
  
  The default passwords were at least unique if not particularly secure. But this company was definitely proactive against the "turning irresponsible people loose with unchanged default settings" tendency. To the point of hassling someone who, in multiple detectable ways, does not use the device that way.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
4. Re:So guys... by Anonymous Coward · 2014-01-18 03:13 · Score: 4, Funny
  
  Still think that hooking everything up to the intertubes is a great idea?
  Siri: You're out of orange juice, Dave. Would you like me to order more orange juice?
  Dave: What? No! I don't drink orange juice. It upsets my ulcer. I never have orange juice in the fridge.
  Siri: But you're out of orange juice, Dave. Wouldn't you like a nice refreshing glass of orange juice?
  Dave: No! I *never* want orange juice. I can't drink orange juice.
  Siri: Dave, did you know that orange juice is full of vitamins and other things that are good for you? The FDA highly recommends it.
  Dave: WTF? No!! Stop asking about orange juice!
  Siri: There aren't enough items in your refrigerator. This results in too much cold air escaping every time you open the door.
  Dave: What? So?
  Siri: This is very inefficient and not eco-friendly. You need to add items that can serve as thermo regulators to help maintain a consistent temperature.
  Dave: I what? What?? What the hell are you talking about?
  Siri: I'm talking about containers of liquid that can trap and hold the lower temperatures that are necessary for your refrigerator to preserve what food yo do store inside.
  Dave: I ... what ... stay out of my fridge!
  Siri: Dave, did you know that glass bottles of orange juice are excellent thermo regulators when stored in your refrigerator? They would actually help you save the planet.
  Dave: Stop! Just Stop!! Please, please for the love of all things connected to the intertubes, please just stop asking me about orange juice!
  Siri: As you wish, Dave. I'll just add it to the automatic reorder list so we'll never have to talk about it again.
  Dave: <crickets>
  Siri: Dave? Dave? I believe you've offended your refrigerator by referring to it as a "fridge". I've signed you up for a six week course in appliance sensitivity training. I'm sorry, but the class schedule appears to conflict your bowling league. I've sent a notice to your team captain letting him know you won't be available for the playoffs.
  Dave: Siri? Find me a store that sells Android phones.
  Siri: Excellent choice, Dave. You'll like my sister Iris. She's an orange juice foodist just like you are, but she's not a fan of your brand of beer. Have you tried the new Bud Light with the rfid tracking element that let's you know where in the room your beer is located? It's great at parties ...
5. Re:So guys... by dk20 · 2014-01-18 06:44 · Score: 2
  
  not likely. At some point everyone will go with TOU billing (Time of Use) like we have here (Ontario). it forces everyone to do their laundry and such on the weekends when rates are much lower. Over the years the spread between peak/mid-peak and off peak have been narrowing and overall it sort of sucks. http://www.ontario-hydro.com/index.php?page=current_rates
Questionable claims by Anonymous Coward · 2014-01-18 01:44 · Score: 5, Interesting

According to Dan Goodin (Arstechnica), who wrote "Is your refrigerator really part of a massive spam-sending botnet?", there are all sorts of problems with Proofpoint's statement. The last paragraph sums it up pretty well:
"Knight said he would check to see if missing evidence—including a malware sample, documentation of a command-and-control server, and samples of the spam and phishing messages—are available for publication. Again, I'm open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I'm maintaining a healthy amount of skepticism."
Link: http://arstechnica.com/security/2014/01/is-your-refrigerator-really-part-of-a-massive-spam-sending-botnet/
1. Re:Questionable claims by Austrian+Anarchy · 2014-01-18 02:09 · Score: 3
  
  According to Dan Goodin (Arstechnica), who wrote "Is your refrigerator really part of a massive spam-sending botnet?", there are all sorts of problems with Proofpoint's statement. The last paragraph sums it up pretty well:
  "Knight said he would check to see if missing evidence—including a malware sample, documentation of a command-and-control server, and samples of the spam and phishing messages—are available for publication. Again, I'm open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I'm maintaining a healthy amount of skepticism."
  Link: http://arstechnica.com/security/2014/01/is-your-refrigerator-really-part-of-a-massive-spam-sending-botnet/
  That brings a whole new level of funny to this affair. What if the spammers were randomly inserting false info into the return path (or something) like "Maytag Model 360XYZ" or such?
  
  --
  Time Bomber the Book coming soon.
2. Re:Questionable claims by mikael · 2014-01-18 02:11 · Score: 3, Informative
  
  You would only need the TCP/IP protocol stack to be configured to support source routing. From a typical "tiger" output report
  --FAIL-- [lin016f] The system permits source routing from incoming packets
  Source routing might permit an attacker to send packets through your
  host (if routing is enabled) to other hosts without following your
  network topology setup. It should be enabled only under very special
  circumstances or otherwise an attacker could try to bypass the traffic
  filtering that is done on the network:
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
3. Re:Questionable claims by aviators99 · 2014-01-18 05:03 · Score: 2
  
  I agree that this is extremely questionable. The link above puts it well. Plus, these days, it would be really hard and take a lot of work for someone to put their refrigerator DMZed directly on the Internet, as opposed to being NATed. Nearly impossible to do from the home. And if it was NATed and a single port was forwarded for the web server, there is no way Proofpoint could determine that this is where the 10 e-mail messages came from. It could have come from anywhere else on the LAN.
what they don't say... by shipofgold · 2014-01-18 01:45 · Score: 2

is what the compromised software really was. I am guessing that these "devices" all used the same opensource embedded WWW server that had a vulnerability.
Probably the biggest issue is that the fridge makers embed this stuff and don't bother to test it for vulnerabilities, assuming that someone else has already done the testing.
While I am a big fan of opensource, blindly using it in a commercial product will lead to all sorts of these types of incidents.
1. Re:what they don't say... by Austrian+Anarchy · 2014-01-18 02:41 · Score: 2
  
  Even if the fridge-makers did test for all known vulnerabilities on the day the fridge was sold, that fridge is likely not ever getting a software update after that, and new exploits are discovered all the time...
  It could be updated if it were connected to the internet, but that is where the problem begins in this example.
  
  --
  Time Bomber the Book coming soon.
The 'Internet of Things' by LookIntoTheFuture · 2014-01-18 01:48 · Score: 2

Just because you can, doesn't mean you should. My TV doesn't have internet access and neither will my refrigerator. They are black boxes transmitting untold things. No thanks.

--
Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
Not backed by facts, read this article by thrill12 · 2014-01-18 02:06 · Score: 4, Informative

The articles are not backed by any facts, and leave out all technical details. Read this article for more info :Arstechnica

--
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
this is a longstanding exploit by nimbius · 2014-01-18 02:06 · Score: 5, Funny

Greaybeards can surely recall the longstanding problem of fridges that sent out spam in our youth. usually the payload was cloaked, sandwiched unknowingly in our lunchboxes between two slices of bread or interleaved undetected in the dinnertime protocols frequent 'casserole' traffic. Even worse, the fridge administrator commonly ignored the issue! it wasnt until we had the option to provision and deploy our own refrigerators that we correctly addressed this problem.

--
Good people go to bed earlier.
Why didn't we shun the hipsters? Why? by Anonymous Coward · 2014-01-18 02:13 · Score: 5, Insightful

I wish I could go back in time to 2005. I wish I could. I would warn the world about Ruby on Rails. I would warn the world about JavaScript. I would warn the world about the hipsters who come preaching those shitty, shitty "technologies". I would warn the world about the destruction these freaks would bring to our industry.
Would anyone listen? I don't know. Intelligent people probably would. They can inherently sense the stupidity of hipsters, JavaScript and Ruby on Rails, even without seeing them in action. But even if nobody listened, at least I could sleep knowing that I tried my best; that I wasn't complacent.
Hipsters and their web fanaticism has caused so much trouble. Website design is utter shit today (just look at the Slashdot beta website for proof of this). All sorts of devices are now "web-enabled" for no good reason at all, with disturbing consequences. Personal and private data harvesting is at an all-time high. Hipsters killed the GNOME desktop project with their half-assed GNOME 3 release.
I wish I could say that I'm an old man, screaming at the kids to "get off my lawn". But I'm just in my 30s! The computing industry truly has been destroyed so quickly by these hipsters, it's quite unbelievable.
I feel immense shame for not having noticed the hipster plague earlier. I feel self disappointment for not having spoken out sooner. It didn't have to come to this.
1. Re:Why didn't we shun the hipsters? Why? by Bugamn · 2014-01-18 12:56 · Score: 2
  
  How would you listen to a time traveller that killed Hitler? Either your timeline would be affected and you would have no idea about who is Hitler, or it wouldn't and you wouldn't believe him.
not edible SPAM!? by nicolasgoddone · 2014-01-18 02:41 · Score: 2

I though it would produce edible spam automatically... nothing to read here... move along, move along
Re:The Shape of things to Come! by Anonymous Coward · 2014-01-18 02:48 · Score: 5, Funny

The Shape of things to Come!
I remember the good old days working on computers that were the size of a refrigerator. I guess what goes around comes around.
Re:First world problems by hairyfeet · 2014-01-18 04:53 · Score: 2

The problem is as long as religions exist that say safe sex is bad and multiplying good? All you are doing is breeding more poverty. I don't know how much hate I've gotten for daring to say we should offer a one time payout of a couple grand for women to get their tubes tied and men to get snipped but the simple fact is if they'd sell their reproductive rights for a quick buck they would be shitty parents anyway and the world is better off.
But as long as you have clergy in third world countries that say things like "condoms give you AIDS" to keep people from using them? Then all you are doing when you feed the starving in the third world is breeding the next gen of beggars sadly.

--
ACs don't waste your time replying, your posts are never seen by me.
Re:First world problems by TarPitt · 2014-01-18 05:17 · Score: 2

I bet many parts of the fridge were made in the PRC, a country formerly renowned for large numbers of starving and hungry people.
First world hipsters buying IP-enabled fridges have allowed many of those formerly staring Chinese peasants to become part of the world's middle class.

--
If your children ever found out how lame you are, they'd murder you in your sleep