When Sigourney Weaver's Dana Barrett opened her fridge in Ghostbusters, she found Zuul, the right-hand ghoul of the demigod Gozer, who helped unleash a wave of terror across New York City.
The next time you open your fridge, could you be unleashing a wave of "botnets" that send malicious emails to others?
If a recent claim about smart-appliance hacking is any indication, that could soon be a possibility.
Don't panic: there's not a full-blown attack in your kitchen yet. But the security firm Proofpoint just announced "what may be the first proven internet-of-things-based cyberattack" on 100,000 smart appliances and electronics connected to the internet, including a fridge.
In a blog post last week, Proofpoint said it uncovered a "global campaign" to plant botnets -- malicious software that can give a hacker control of a computer or device -- in tens of thousands of routers, entertainment consoles, televisions and a refrigerator. The malware reportedly transformed the devices into "thingbots" that sent out at least 750,000 harmful spam and phishing emails.
David Knight, head of Proofpoint's information security products group, said the firm tracked the emails back to the appliances by scanning IP addresses. However, Dan Goodin, the security editor at Ars Technica, questioned Proofpoint's methodology, pointing out that it was difficult to distinguish where exactly the emails came from simply by tracking IP addresses.
"Among other things, the intricacies of network address translation mean that the IP address footprint of a home router will be the same as the PC, smart TV, and thermostat connected to the same network," wrote Goodin.
The extent of the botnet attack is questionable. But even if it's not as widespread as Proofpoint claims, the incident highlights future security vulnerabilities in smart appliances as more ordinary household devices are linked to the web.
The virtual security firm McAfee says it tracked 100,000 malware samples every day in 2012 -- a 44-fold increase over 2011. Meanwhile, the number of appliances connected to the internet is surging.
Although more than half of U.S. internet users have reportedly fallen victim to viruses or malware, tools for computer security are well established. Security options for smart televisions, fridges, thermostats and other connected devices are still relatively immature.
Internet-of-things "devices are typically not protected by the anti-spam and anti-virus infrastructures available to organizations and individual consumers, nor are they routinely monitored by dedicated IT teams or alerting software to receive patches to address new security issues as they arise. The result is that enterprises can't expect IoT-based attacks to be resolved at the source; instead, preparations must be made for the inevitable increase in highly distributed attacks, phish in employee inboxes, and clicks on malicious links," wrote Proofpoint.
Proofpoint's claim comes days after Google's high-profile acquisition of Nest, a company with big plans for developing web-connected devices for the home.
In an analysis of the home energy management market, GTM Research reports that five vendors have already surpassed the 1 million customer mark. That number is expected to increase steadily in the coming years, opening up new opportunities for malware infiltration.
"Cyber criminals intent on stealing individual identities and infiltrating enterprise IT systems have found a target-rich environment in these poorly protected internet connected devices that may be more attractive and easier to infect and control than PCs, laptops, or tablets," wrote the company in the blog post.
The reported hack has implications for enterprise security as well. As more HVAC units, lighting networks, and building energy management systems get connected to the cloud, the range of potential security vulnerabilities expands. According to a report from the Carbon War Room, there will be 12.5 billion machine-to-machine connections worldwide by 2022, up from 1.3 billion today.
In May 2013, two security experts from Cylance hacked into Google's building management system in Australia, accessing floor plans, piping layouts, alarm systems and equipment schedules. They used the hack to point out serious holes in software developed by Tridium, a Honeywell-owned firm. (At that time, Tridium had already created a patch for the security hole, but Google had not yet upgraded its software.)
"If Google can fall victim...anyone can," wrote the hackers.
The extent of the latest hack is up for debate. But Proofpoint's David Knight said it offered a stark warning about the future of web-connected appliances.
"Many of these devices are poorly protected at best, and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."