Published in News

Internet of things causes university to tumble

14 February 2017


“Don't keep all of your IoT networks in one basket”

A university’s IT security team faced an uphill struggle identifying the cause of campus-wide Internet slowdowns that were eventually traced to a denial of service mounted through network-connected vending machines and other IoT devices, according to a case study in Verizon’s Data Breach Digest.

The institution has not been identified by name. Its IT security staff contacted the Verizon RISK team (Research, Investigations, Solutions and Knowledge) after receiving complaints from a number of students about slow or unresponsive Internet service.

Seafood sub-domain requests point to campus vending machines

According to Verizon’s Data Breach Digest report, the team discovered a flood of requests on the university’s DNS servers “associated with a particularly high number of sub-domains related to seafood” that were originating from over 5,000 discrete systems “making hundreds of DNS lookups every 15 minutes”.
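The three signals in this paragraph and in the incident responder’s remarks further down (per-client lookup volume per 15-minute window, thousands of names collapsing onto a handful of addresses, matches against an indicator list, and IoT clients using a resolver in another subnet) can be checked mechanically. The following Python is an added example, not code from the article or from Verizon; the log format, the 10.50.0.0/16 IoT subnet, the domain names, the addresses and the indicator lists are all constructed for the example and are not real indicators.

```python
"""Detection logic for the DNS-flood pattern described in the article.

Added example, not from the article or from Verizon's report. The log
format, subnets, domain names and indicator lists are constructed for the
example and are not real indicators.
"""
import ipaddress
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

IOT_SUBNET = ipaddress.ip_network("10.50.0.0/16")   # assumed IoT VLAN
LOOKUP_THRESHOLD = 100          # lookups per client per 15-minute window
DOMAINS_PER_IP_THRESHOLD = 20   # distinct names resolving to one address
IOC_DOMAINS = {"crab-0.example.net", "lobster-1.example.net"}   # constructed
IOC_IPS = {"203.0.113.5", "203.0.113.9"}                         # constructed

Record = namedtuple("Record", "ts client resolver qname answer")


def parse_line(line):
    """Constructed passive-DNS line: '<iso time> <client> <resolver> <qname> <answer>'."""
    ts, client, resolver, qname, answer = line.split()
    return Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  client, resolver, qname.lower().rstrip("."), answer)


def noisy_clients(records, threshold=LOOKUP_THRESHOLD):
    """Clients exceeding `threshold` lookups within any 15-minute bucket."""
    counts = Counter()
    for r in records:
        bucket = r.ts.replace(minute=r.ts.minute - r.ts.minute % 15, second=0)
        counts[(r.client, bucket)] += 1
    return {client for (client, _), n in counts.items() if n > threshold}


def domain_collapse(records, threshold=DOMAINS_PER_IP_THRESHOLD):
    """Answer addresses that many distinct names resolve to: the
    'thousands of domains, only 15 IPs' signal from the responder's account."""
    names = defaultdict(set)
    for r in records:
        names[r.answer].add(r.qname)
    return {ip: len(n) for ip, n in names.items() if len(n) >= threshold}


def ioc_hits(records, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Queried names and returned addresses that appear on an indicator list."""
    return {"domains": {r.qname for r in records if r.qname in domains},
            "ips": {r.answer for r in records if r.answer in ips}}


def segmentation_violations(records, iot_subnet=IOT_SUBNET):
    """IoT clients talking to a resolver outside their own subnet."""
    return {(r.client, r.resolver) for r in records
            if ipaddress.ip_address(r.client) in iot_subnet
            and ipaddress.ip_address(r.resolver) not in iot_subnet}


def make_sample_log():
    """Constructed traffic: three IoT devices each making 150 lookups of
    seafood-themed names inside 13 minutes, plus one quiet workstation."""
    base = datetime(2017, 2, 13, 10, 0, 0)
    seafood = ["crab", "lobster", "shrimp", "oyster", "clam", "squid", "mussel", "scallop"]
    lines = []
    for dev in ("10.50.1.10", "10.50.1.11", "10.50.2.7"):
        for i in range(150):
            ts = base + timedelta(seconds=5 * i)
            name = f"{seafood[i % 8]}-{i}.example.net"
            answer = f"203.0.113.{5 + i % 4}"      # everything lands on four addresses
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {dev} 10.1.0.53 {name} {answer}")
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.20.3.44 10.1.0.53 www.example.edu 192.0.2.10")
    return "\n".join(lines)


def analyze(log_text):
    """Run all four checks over a log and return the findings."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"noisy": noisy_clients(records),
            "collapse": domain_collapse(records),
            "ioc": ioc_hits(records),
            "violations": segmentation_violations(records)}


if __name__ == "__main__":
    for key, value in analyze(make_sample_log()).items():
        print(key, value)
```

On the constructed sample every IoT device trips the per-window threshold, all four answer addresses are flagged as sinks for dozens of names, two names and one address match the indicator list, and every IoT client is found talking to the 10.1.0.53 resolver outside its subnet; the workstation trips nothing. The collapse check is the one worth keeping even without indicators, since a botnet's rendezvous infrastructure is usually far smaller than its name space.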

The attackers had gained access to the university’s smart vending machines and a variety of other IoT devices, including connected lights, and loaded them with botnet software that controlled them as a group and pushed the DNS lookups through the resolvers run by the university’s central IT department. According to the report, the malware also changed each compromised device’s password, locking IT staff out of the several thousand affected systems.

Verizon recovered the botnet’s passwords from network traffic and reset them

Verizon’s team inspected the network traffic with a packet sniffer, was able to “intercept the clear text password for a compromised IoT device,” and then changed that password before the malware’s next update could run. The source of the botnet remains unknown; a senior member of the IT security team identified the problem after noticing the sudden influx of seafood-related lookups.

“While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet,” the incident responder explained. “Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute-forcing default and weak passwords.”

“With the packet capture device operational, it was only a matter of hours before we had a complete listing of new passwords assigned to devices. With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once.”
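The responder’s procedure, recovering credentials from a cleartext capture and then scripting the login, password rotation and clean-up across all devices, as an added Python example that is not code from the article or from Verizon’s team. The capture records, addresses, user names and passwords are constructed; the article does not describe the devices’ admin protocol, so HTTP Basic authentication is assumed as the cleartext login the sniffer saw and a SimulatedDevice class stands in for the real vending-machine interface.

```python
"""Cleartext-credential recovery and scripted password reset.

Added example, not code from the article or from Verizon's responders. The
capture records, device addresses, user names and passwords are constructed
for the example; SimulatedDevice stands in for the real admin interface,
whose protocol the article does not describe. HTTP Basic auth is assumed.
"""
import base64
import re
import secrets
from dataclasses import dataclass

AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basic(user, password):
    """Build an HTTP Basic header value (used only to construct sample traffic)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed packet summaries: (unix time, src, dst, payload). An infected
# peer pushes an update to each device using the password the malware set.
CAPTURE = [
    (1486980000, "10.50.2.7", "10.50.1.10",
     "POST /cgi-bin/update HTTP/1.1\r\nAuthorization: Basic " + _basic("admin", "seafood123") + "\r\n"),
    (1486980010, "10.50.2.7", "10.50.1.11",
     "POST /cgi-bin/update HTTP/1.1\r\nAuthorization: Basic " + _basic("admin", "oldpass") + "\r\n"),
    (1486980900, "10.50.1.10", "10.50.1.11",
     "POST /cgi-bin/update HTTP/1.1\r\nAuthorization: Basic " + _basic("admin", "newpass") + "\r\n"),
    (1486980950, "10.20.3.44", "10.1.0.80", "GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"),
]


def extract_basic_auth(capture):
    """Map destination device -> (user, password) from cleartext Basic auth,
    keeping the most recent credential seen for each device (the malware
    rotates passwords, so an older capture may already be stale)."""
    creds = {}
    for _ts, _src, dst, payload in sorted(capture, key=lambda p: p[0]):
        m = AUTH_RE.search(payload)
        if not m:
            continue
        try:
            user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue
        creds[dst] = (user, password)
    return creds


@dataclass
class SimulatedDevice:
    """Stand-in for an IoT device's admin interface (constructed for the example)."""
    ip: str
    password: str
    user: str = "admin"
    infected: bool = True

    def login(self, user, password):
        return user == self.user and password == self.password

    def set_password(self, new_password):
        self.password = new_password

    def kill_malware(self):
        self.infected = False


def new_password(_ip):
    """Unique per-device secret; a shared or weak value would just re-open
    the default/weak-password brute force the botnet spreads with."""
    return secrets.token_urlsafe(12)


def remediate(devices, creds, password_for=new_password):
    """Log in with the recovered password, rotate it, then remove the infection.
    Returns the per-device outcome and the new passwords, which must be vaulted."""
    outcome, vault = {}, {}
    for ip, dev in devices.items():
        if ip not in creds:
            outcome[ip] = "no-credential"
            continue
        user, password = creds[ip]
        if not dev.login(user, password):
            outcome[ip] = "login-failed"   # malware probably rotated it again: recapture
            continue
        vault[ip] = password_for(ip)
        dev.set_password(vault[ip])        # lock the botnet out before anything else
        dev.kill_malware()
        outcome[ip] = "cleaned"
    return outcome, vault


if __name__ == "__main__":
    recovered = extract_basic_auth(CAPTURE)
    fleet = {ip: SimulatedDevice(ip, pw) for ip, (_u, pw) in recovered.items()}
    print(remediate(fleet, recovered))
```

Two points from the responder’s account are baked into the ordering: the password is rotated before the infection is removed, so the botnet cannot log back in during clean-up, and a captured password is only good until the malware’s next update rotates it, which is why a "login-failed" result means recapture rather than retry. The new passwords are returned rather than printed because they are now the only way back into the devices.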

The Data Breach Digest’s advice to the security team is straightforward: create separate network zones for IoT systems and “air-gap” them from other critical networks where possible. “Don’t keep all your eggs in one basket,” it reads.

Last modified on 14 February 2017