Security researchers have published a report that Ars is having a tough time swallowing, despite considerable effort chewing—a botnet of more than 100,000 smart TVs, home networking routers, and other Internet-connected consumer devices that recently took part in sending 750,000 malicious e-mails over a two-week period.

The "thingbots," as Sunnyvale, California-based Proofpoint dubbed them in a press release issued Thursday, were compromised by exploiting default administration passwords that hadn't been changed and other misconfigurations. A Proofpoint official told Ars the attackers were also able to commandeer devices running older versions of the Linux operating system by exploiting critical software bugs. The 100,000 hacked consumer gadgets were then corralled into a botnet that also included infected PCs, and they were then used in a global campaign involving more than 750,000 spam and phishing messages. The report continued:

The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014 and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location – and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.

The Proofpoint report quickly went viral, with many mainstream news outlets breathlessly reporting the findings. The interest is understandable. The finding of a sophisticated spam network running on 100,000 compromised smart devices is extraordinary, if not unprecedented. And while the engineering effort required to pull off such a feat would be considerable, the botnet Proofpoint describes is possible. After all, many Internet-connected devices run on Linux versions that accept outside connections over telnet, SSH, and Web interfaces.

What's more, in an age of James Bond-like infections that bug thousands of air-gapped computers and cryptographic attacks that hijack Microsoft's Windows update mechanism, a botnet of refrigerators, thermostats, and other smart devices is by no means impossible. Last year, an anonymous guerrilla researcher presented credible evidence that he hijacked more than 420,000 Internet-connected devices. The growing number of these devices and their advances in processing power also make these scenarios increasingly feasible.

Where's the smoking gun?

Still, there's a significant lack of technical detail for a report with such an extraordinary finding. Among other things, Proofpoint provided no details about the software the researchers say compromised the devices; it said it didn't "sinkhole" or otherwise monitor any of the command-and-control servers that would have been necessary to coordinate botnet activities; and it didn't convincingly explain how it arrived at the determination that 100,000 smart devices were commandeered. My doubts lingered even after a one-on-one interview with David Knight, general manager of Proofpoint's information security division.

Knight said Proofpoint knows appliances sent the spam directly because researchers scanned the IP addresses that sent the malicious e-mails and received responses from the Internet interfaces of name-brand devices. I pointed out that many home networks have dozens of devices connected to them. How, I asked, did researchers determine that spam was sent by, say, an infected refrigerator? Isn't it possible that a home network with a misconfigured smart device might also have an infected Windows XP laptop that was churning out the malicious e-mails?

Knight's response: in some cases, the researchers directly queried the smart devices on IP addresses that sent spam and observed that the appliances were equipped with the Simple Mail Transfer Protocol or similar capabilities that caused them to send spam. In other cases, the researchers determined the devices were connected directly to the Internet rather than through a router, making them the only possible source of the spam that came from that IP address.

Again, what Proofpoint is reporting is plausible, but it doesn't add up. Experienced botnet researchers know that estimating the number of infected machines is a vexingly imprecise endeavor. No technique is perfect, but the scanning of public IP addresses is particularly problematic. Among other things, the intricacies of network address translation mean that the IP address footprint of a home router will be the same as the PC, smart TV, and thermostat connected to the same network.

It's also hard to understand why someone would go to all the trouble of infecting a smart device and then use it to send just 10 spam messages. Traditional spam botnets will push infected PCs to send as many messages as its resources allow. The botnet reported by Proofpoint requires too much effort and not enough reward.

None of this is to say that the reported 100,000-strong smart-device botnet doesn't exist. And as most students of logic accept, it's not feasible to prove a negative. Still, the lack of evidence documenting any malware sample or a command and control server should give any reporter pause before repeating such an extraordinary claim. The research methodology is also a red flag.

I contacted Paul Royal, a research scientist at Georgia Tech who specializes in network and system security, and I asked for his take on the Proofpoint report and the additional information provided by Knight. He was skeptical, too.

"The aggregate of the information doesn't paint an adequately compelling picture that what they're asserting occurred actually occurred," Royal said. "When you ask something as simple as how do you know the spam came from gadgets they say: 'Well, we looked at the IP addresses of the systems sending the spam and when we presumably probed them we observed that they were coming from set-top-box-like devices.' The technical analysis of that shows that there could be plenty of other explanations."

Knight said he would check to see if missing evidence—including a malware sample, documentation of a command-and-control server, and samples of the spam and phishing messages—are available for publication. Again, I'm open to the possibility the botnet reported by Proofpoint exists. But until these smoking guns are produced, I'm maintaining a healthy amount of skepticism.