Malware Infected Campus Soda Machines And Light Bulbs DDoS A University's Network Into Submission
As with many DDoS attacks involving IoT devices, this one is the result of system administrators being a little
Verizon's "incident commander" got busy sifting through firewall logs and looking for signs of malicious activity.
Infected systems included "everything from light bulbs to vending machines," all of which were supposed to be isolated from the main network but had been connected for ease of management and improved efficiencies. That was mistake number one. Mistake number two was using weak passwords. In short order, the malware spread to thousands of IoT devices "by brute forcing default and weak passwords." Once the malware figured out the password, it would take full control of the device and lock out the university.
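Sifting firewall logs for the kind of activity described above can be automated. The following is an added example, not code from the article or from Verizon's report: a small Python detector run over constructed firewall log lines in an assumed `timestamp src dst dport action` format, which flags any internal host that reaches many distinct peers on telnet/SSH ports within a short window, the fan-out pattern a password brute-force spreading between IoT devices leaves behind.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, src, dst, dport, action).
# 10.20.1.15 sweeps 25 peers on telnet in 25 seconds; the others are benign.
SAMPLE_LOG = "\n".join(
    [f"2017-02-01T10:00:{i:02d} 10.20.1.15 10.20.1.{100 + i} 23 ALLOW" for i in range(25)]
    + [
        "2017-02-01T10:00:05 10.20.1.16 10.20.1.1 53 ALLOW",      # DNS, not a login port
        "2017-02-01T10:00:07 10.20.1.17 10.20.1.16 23 ALLOW",     # one admin telnet session
        "2017-02-01T10:30:00 10.20.1.17 10.20.1.18 23 ALLOW",     # another, 30 minutes later
    ]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_spreaders(log, window=timedelta(minutes=5), min_targets=20, ports=(22, 23)):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `min_targets` distinct hosts on `ports` inside some `window`-long
    interval. A sliding window over time-sorted events keeps this linear."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in ports:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        live = Counter()  # distinct destinations currently inside the window
        left = 0
        for ts, dst in evs:
            live[dst] += 1
            while ts - evs[left][0] > window:  # expire events older than the window
                old_dst = evs[left][1]
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
                left += 1
            if len(live) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(live))
    return flagged
```

Thresholds are assumptions; tune `min_targets` and `window` to the site's normal management traffic so routine admin sessions (like 10.20.1.17 above) stay below the line.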
"This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remedy the situation," the incident commander noted. "We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak."
Luckily there was a less drastic option available. Instead of replacing every infected machine, the university used a packet sniffer to intercept a clear-text password for an infected IoT device and then used that information to perform a password change before the next malware update. It worked and the university learned some valuable lessons about IoT security, one of them being to create separate network zones for IoT systems and air-gap them from critical networks where possible.