A US university was recently hit by a DDoS attack made possible after its own IoT devices across campus were hijacked and turned against its network, in a manner reminiscent of the notorious Mirai campaign, Verizon has revealed.
An IT manager at the unnamed institution explained that, after analyzing the servers responsible for DNS lookups, they noticed “an abnormal number of sub-domains related to seafood.”
Suspecting a full-scale DDoS, the IT manager was able to observe 5000 discrete systems making hundreds of DNS lookups every 15 minutes.
The story continued:
“Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.”
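The kind of check the IT manager describes, as an added example that is not from the article or from Verizon's report: it groups resolver log lines into 15-minute windows, counts distinct clients and distinct sub-domains per parent domain, and notes IoT clients resolving through a DNS server outside their own segment. The log lines, the 10.20.0.0/16 IoT subnet and the thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log, not data from the article:
# "<ISO timestamp> <client IP> <resolver IP> <queried name>"
SAMPLE_LOG = """\
2017-02-01T10:00:05 10.20.1.10 10.30.0.5 lobster.seafood-example.test
2017-02-01T10:01:12 10.20.1.11 10.30.0.5 crab.seafood-example.test
2017-02-01T10:03:40 10.20.1.12 10.30.0.5 shrimp.seafood-example.test
2017-02-01T10:05:08 10.20.1.13 10.30.0.5 oyster.seafood-example.test
2017-02-01T10:06:59 10.20.1.10 10.30.0.5 clam.seafood-example.test
2017-02-01T10:31:00 10.40.2.7 10.40.0.53 www.example.test
2017-02-01T10:32:15 10.40.2.8 10.40.0.53 mail.example.test
"""

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumed IoT subnet
WINDOW = 15 * 60  # the article's 15-minute observation window, in seconds
EPOCH = datetime(1970, 1, 1)

def analyze(log_text, client_threshold=3, subdomain_threshold=3):
    """Group lookups into 15-minute windows and flag windows where many
    distinct clients query many different sub-domains of one domain."""
    windows = defaultdict(lambda: {"clients": set(), "lookups": 0,
                                   "off_segment": 0, "subs": defaultdict(set)})
    for line in log_text.splitlines():
        ts, client, resolver, qname = line.split()
        w = windows[int((datetime.fromisoformat(ts) - EPOCH).total_seconds()) // WINDOW]
        w["clients"].add(client)
        w["lookups"] += 1
        # IoT devices resolving via a DNS server outside their own segment is the
        # misconfiguration the IT manager describes in the article.
        if (ipaddress.ip_address(client) in IOT_SEGMENT
                and ipaddress.ip_address(resolver) not in IOT_SEGMENT):
            w["off_segment"] += 1
        labels = qname.rstrip(".").split(".")
        if len(labels) > 2:  # count distinct sub-domains per parent domain
            w["subs"][".".join(labels[-2:])].add(".".join(labels[:-2]))
    findings = []
    for bucket, w in sorted(windows.items()):
        noisy = {d: len(s) for d, s in w["subs"].items() if len(s) >= subdomain_threshold}
        if len(w["clients"]) >= client_threshold and noisy:
            findings.append({"window_start": (EPOCH + timedelta(seconds=bucket * WINDOW)).isoformat(),
                             "distinct_clients": len(w["clients"]),
                             "lookups": w["lookups"],
                             "off_segment_lookups": w["off_segment"],
                             "suspicious_domains": noisy})
    return findings
```

On the sample above only the 10:00 window is reported: four IoT clients, five lookups, all sent to an off-segment resolver, with five distinct sub-domains under one parent domain.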
It turned out that the IoT systems had become infected with malware that brute-forced default and weak passwords, recruited the devices into a botnet and then changed their passwords.
In the end, the white hats were able to regain control by intercepting the cleartext passwords the malware used for the compromised IoT devices over the wire, and then using that information to perform a password change before the next malware update.
Stephen Gates, chief research intelligence analyst at NSFOCUS IB, argued that although the incident appears to be more of a prank than a sophisticated attack, it illustrates the dangers of unsecured IoT devices.
“Municipal, industrial, commercial, and now educational infrastructures are becoming more and more vulnerable, because organizations often carelessly deploy IoT without understanding the ramifications of weak IoT security,” he added.
“In this case the damage appears to be limited, and only inconvenienced users on a campus network. Do the same to a transportation system, a chemical plant, a hospital complex, or an ISP, and the damage could be much, much greater.”
Jason Hart, CTO of data protection at Gemalto, added that IoT devices can also act as portals to highly sensitive data.
“No matter how secure one device is, if there is another one that is connected to the same network that isn’t, hackers can manipulate and use this to access other devices within the network or as in this case, stop normal operation of other systems,” he argued.
“In order to prevent this from happening, organizations must ensure they are putting in the right protocols to protect the data at its source.”