Internet of Things (IoT) devices are extremely vulnerable to exploitation by malicious threat actors: default login credentials and widespread availability make them easy targets. We have also seen that even a small number of infected IoT devices can be turned into a botnet and wreak havoc on a targeted organization's network. A recent incident proves yet again how serious a risk IoT devices can be if their security isn't improved.
Researchers at Verizon Enterprise's RISK (Research, Investigations, Solutions and Knowledge) department were tasked with investigating an internet blockage at an unidentified US university, and they discovered that a few thousand infected IoT devices were responsible for cutting off the internet. The attackers reprogrammed the devices so that they sporadically attempted to connect to seafood-oriented websites.
The attackers hacked 5,000 devices so that they sent out DNS queries continuously (a DDoS attack), and to fulfill their malicious objectives they used a variety of devices, from vending machines to street lamps. As a result, the university's network started to slow down as the malware in the IoT devices started attacking its drink vending machines. When one device was infected, the malware started searching for more vulnerable devices, and a chain reaction followed. Once a device was infected, the malware modified its admin password, making it difficult to remove the infection.
The report explained that “The botnet spread from device to device by brute forcing default and weak passwords – The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes.”
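The firewall finding quoted above (thousands of systems each making hundreds of DNS lookups every 15 minutes) can be reproduced from a resolver or firewall query log. The following is an added example, not code from the report or the university: the log format, the sample lines, the addresses and the threshold of 100 lookups per window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

WINDOW_SECONDS = 15 * 60   # the 15-minute interval cited in the report
THRESHOLD = 100            # assumed cut-off for "hundreds" of lookups per window


def parse_line(line):
    """Parse 'timestamp client-ip qname qtype' (constructed log format)."""
    parts = line.split()
    if len(parts) != 4:
        return None                      # skip malformed or truncated lines
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return int(ts.replace(tzinfo=timezone.utc).timestamp()), parts[1]


def noisy_clients(lines, threshold=THRESHOLD):
    """Return {client_ip: peak lookups in one 15-minute bucket} at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            epoch, client = rec
            counts[(client, epoch // WINDOW_SECONDS)] += 1
    peaks = {}
    for (client, _bucket), n in counts.items():
        if n >= threshold:
            peaks[client] = max(peaks.get(client, 0), n)
    return peaks


def sample_log():
    """Constructed sample: one chatty device, one ordinary client, one bad line."""
    lines = [f"2020-01-01T10:{i // 60:02d}:{i % 60:02d}Z 10.20.3.17 h{i}.seafood.example A"
             for i in range(300)]
    lines += [f"2020-01-01T10:{i:02d}:00Z 10.20.9.5 www.example.org A" for i in range(12)]
    lines.append("truncated line")
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(noisy_clients(sample_log()).items()):
        print(f"{ip} peaked at {peak} lookups per 15 minutes")
```

Fixed buckets can split one burst across two windows, so a device sitting just under the threshold may need a sliding window or a lower cut-off to be caught.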
When the university's IT staff got a hint of the malware attack, they quickly responded by tracking down the new passwords. Because these were transmitted in clear text instead of being encrypted, the job became easier: the staff were able to intercept them using a packet-sniffing app. After obtaining the list of new passwords, they launched a fix, an automated antidote that reset all the passwords and broke the botnet's chain by freeing the devices.
“Short of replacing every soda machine and lamp post, I was at a loss for how to remediate the situation. We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak,” stated the IT admin.
Hacking vending machines is nothing new. In fact, there are several videos on YouTube showing how people hack these machines for free coffee and snacks, but this incident proves that even a handful of infected IoT devices can do a lot of harm. This is why the IT department of the university has urged companies to regularly inspect the network settings of the IoT devices they manufacture and to keep those devices separate from Internet access as well as from other devices.
Also, organizations need to use standard IT assets along with IoT devices and employ regular security protections, such as changing the devices' default usernames and passwords and keeping strong Wi-Fi network passwords.