Malware Infected Campus Soda Machines And Light Bulbs DDoS A University's Network Into Submission
A full-blown Skynet situation might be the thing of science fiction (we hope, anyway), but that doesn't mean bizarre things involving machines can't happen. As proof of this, Verizon teased an entry in its upcoming 2017 Data Breach Digest that describes a recent DDoS attack on an unnamed university involving vending machines, light bulbs, and 5,000 Internet of Things (IoT) devices.
As with many DDoS attacks involving IoT devices, this one is the result of system administrators being a little too lax with security on these seemingly benign devices. The university in question dismissed complaints from students across campus about slow or inaccessible network connectivity. When things took a turn for the worse, the university called in the cavalry—Verizon's RISK (Research, Investigations, Solutions, and Knowledge) team, in this case.
Verizon's "incident commander" got busy sifting through firewall logs and looking for signs of malicious activity.
"Within hours, I had more feedback than I could handle and began the review process. The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lokups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure," the incident commander said.
Infected systems included "everything from light bulbs to vending machines," all of which were supposed to be isolated from the main network but had been connected for ease of management and improved efficiencies. That was mistake number one. Mistake number two was using weak passwords. In short order, the malware spread to thousands of IoT devices "by brute forcing default and weak passwords." Once the malware figured out the password, it would take full control of the device and lock out the university.
"This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remedy the situation," the incident commander noted. "We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak."
Luckily there was a less drastic option available. Instead of replacing every infected machine, the university used a packet sniffer to intercept a clear-text password for an infected IoT device and then used that information to perform a password change before the next malware update. It worked and the university learned some valuable lessons about IoT security, one of them being to create separate network zones for IoT systems and air-gap them from critical networks where possible.
As with many DDoS attacks involving IoT devices, this one is the result of system administrators being a little too lax with security on these seemingly benign devices. The university in question dismissed complaints from students across campus about slow or inaccessible network connectivity. When things took a turn for the worse, the university called in the cavalry—Verizon's RISK (Research, Investigations, Solutions, and Knowledge) team, in this case.
Verizon's "incident commander" got busy sifting through firewall logs and looking for signs of malicious activity.
"Within hours, I had more feedback than I could handle and began the review process. The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lokups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure," the incident commander said.
Infected systems included "everything from light bulbs to vending machines," all of which were supposed to be isolated from the main network but had been connected for ease of management and improved efficiencies. That was mistake number one. Mistake number two was using weak passwords. In short order, the malware spread to thousands of IoT devices "by brute forcing default and weak passwords." Once the malware figured out the password, it would take full control of the device and lock out the university.
"This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remedy the situation," the incident commander noted. "We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak."
Luckily there was a less drastic option available. Instead of replacing every infected machine, the university used a packet sniffer to intercept a clear-text password for an infected IoT device and then used that information to perform a password change before the next malware update. It worked and the university learned some valuable lessons about IoT security, one of them being to create separate network zones for IoT systems and air-gap them from critical networks where possible.
