What is believed to be the first proven Internet of Things-based cyberattack involving conventional household “smart” appliances, including at least one refrigerator and TVs, has been identified by the California-based data protection solution provider Proofpoint, Inc. – highlighting the security challenges that the introduction of these products poses for both suppliers and consumers.
The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets, including home networking routers and connected multi-media centers that had been compromised and used as a platform to launch attacks.
Just as personal computers can be unknowingly compromised to form robot-like “botnets” that can be used to launch large-scale cyberattacks, Proofpoint’s findings reveal that cyber criminals have begun to commandeer smart appliances and other components of the IoT and transform them into “thingbots” to carry out the same type of malicious activity.
According to Proofpoint’s profile, the attack occurred between December 23, 2013 and January 6, 2014 and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide. More than 25% of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices, i.e. everyday consumer gadgets. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location. In many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.
“Botnets are already a major security concern and the emergence of thingbots may make the situation much worse,” said David Knight, general manager of Proofpoint’s Information Security division. “Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”
IoT includes every device that is connected to the internet, from home automation products, including smart thermostats, security cameras, refrigerators, microwaves and home entertainment devices like TVs and gaming consoles, to smart retail shelves that know when they need replenishing and industrial machinery. But IoT devices are typically not protected by the anti-spam and anti-virus infrastructures available to organizations and individual consumers, nor are they routinely monitored by dedicated IT teams or alerting software so that they receive patches addressing new security issues as they arise. The result is that enterprises can’t expect IoT-based attacks to be resolved at the source; instead, preparations must be made for the inevitable increase in highly distributed attacks, phish in employee inboxes, and clicks on malicious links, says a Proofpoint statement.
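The point about no single IP address sending more than 10 emails can be seen in a short mail-log analysis, given here as an added example that is not code from Proofpoint or from this article. The log records, the `fingerprint` field (assumed to be some stable content feature of a message), the addresses and the 50-source threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 10           # from the article: no more than 10 emails per IP
MIN_DISTINCT_SOURCES = 50   # assumed cut-off for a "highly distributed" sender set

def constructed_log():
    """Constructed (source_ip, fingerprint) records; not real traffic."""
    log = []
    # 200 compromised gadgets, 8 messages each: every source stays under the limit.
    for host in range(1, 201):
        log += [(f"198.51.100.{host}", "fp-campaign")] * 8
    # One legitimate bulk sender: many messages from a single address.
    log += [("203.0.113.5", "fp-newsletter")] * 40
    # 30 ordinary senders, one unique message each.
    log += [(f"192.0.2.{n}", f"fp-personal-{n}") for n in range(1, 31)]
    return log

def per_ip_offenders(log, limit=PER_IP_LIMIT):
    """Sources exceeding a per-IP volume limit (the check the campaign evades)."""
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > limit}

def distributed_campaigns(log, min_sources=MIN_DISTINCT_SOURCES):
    """Fingerprints seen from many distinct sources: (source count, message total)."""
    sources = defaultdict(set)
    totals = Counter()
    for ip, fp in log:
        sources[fp].add(ip)
        totals[fp] += 1
    return {fp: (len(ips), totals[fp])
            for fp, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    log = constructed_log()
    print("per-IP rule flags:", per_ip_offenders(log))
    print("distributed campaigns:", distributed_campaigns(log))
```

On this constructed data the per-IP rule flags only the legitimate bulk sender, while grouping by content across sources surfaces the 1,600-message campaign that no individual address reveals.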