Reports surfaced last week of a US university being hit by a DDoS attack caused by its own vending machines. When network traffic slowed to a crawl, the IT department found that their DNS servers were being bombarded with look-up traffic requesting seafood-related sub-domains. Upon further investigation, they realised that the traffic was originating from around 5,000 Internet of Things devices around the campus, including light bulbs and vending machines, which had been infected with malware and formed into a botnet.
The malware had managed to brute-force the default and weak passwords on these devices, before changing the passwords and controlling them remotely. Eventually, the IT team was able to intercept network packets containing the plaintext password for the botnet, and from there, write a script that performed a password change before the next malware update, thus taking back control of the infected machines.
While this incident appears to have been more of a student prank than a sophisticated DDoS attack, it still illustrates the dangers of unsecured IoT devices. With a massive campus to monitor and manage, all the university’s IoT devices had been connected to the network for ease of management and improved efficiencies. While these IoT systems were meant to have been isolated from the rest of the network, they had all been configured to use DNS servers in a different subnetwork.
To avoid experiencing similar incidents, companies need to pay close attention to the network settings for their IoT devices and, where possible, separate them from access to the Internet and to other devices. It would also be prudent to include IoT devices alongside regular IT asset inventories and to adopt basic security measures like changing default credentials and rotating a selection of strong WiFi network passwords on a regular basis.
Experts have long warned that the inherent lack of security in many of the devices that make up the Internet of Things would come back to haunt us. It’s no secret that many IoT devices are poorly architected from a security perspective. Many have little or no security in place, with simple default passwords, making it relatively easy for attackers to take control of them for malicious purposes. This makes them effectively sitting ducks, just waiting to be compromised and enslaved into a botnet for use in DDoS events.
While this incident appears to have just inconvenienced users on a campus network, let’s not forget that IoT devices can also act as portals to highly sensitive data. If devices are all connected on the same network, hackers could potentially use them as a means to access other devices within the network. Considering the potential value of sensitive data held by most universities – including both its academic research, and the personal or private data held about its students – the potential for future incidents is very real.
The only proper defence against such attacks is to use a DDoS defense solution that mitigates attacks in real-time. One which can monitor all traffic in real-time, negate the flood of attack traffic at the Internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, such as data breaches.