
When your vending machines and streetlamps turn against you in a botnet attack

A recent DDoS incident, in which campus-wide connected devices including vending machines and streetlamps were used as bots to slow down the university’s network, again underscored the importance of cybersecurity in the IoT age.
With Gartner predicting 20.4 billion devices to be online by 2020, the Internet of Things isn’t going away, and in many ways IoT devices and the data they generate have indeed made our lives better and smarter. But they bring challenges as well, the biggest of which is probably cybersecurity.
 
Already we’ve heard about the DDoS attack last October, when IoT devices including network cameras and NVRs were infected with the so-called Mirai malware. The devices then became an army of attackers that launched a series of DDoS attacks against Dyn, an Internet performance management company. The result was a shutdown of service across various websites including Netflix and Amazon.com.
 
In fact, a similar but lesser-known DDoS incident was reported in Verizon’s latest Data Breach Digest, in which campus-wide connected devices including vending machines and streetlamps were used as bots to slow down the university’s network.
 
According to the report, the school’s on-call IT Incident Commander was informed that the system’s name servers were producing high-volume alerts and showed an abnormal number of subdomains related to seafood. This caused the network to slow down significantly. The IT chief then sought the help of Verizon’s Research, Investigations, Solutions and Knowledge (RISK) team, which identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes.
 
“Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies,” the person said in the report.
 
The report went on to say that some of the IP addresses were identified as part of an emergent IoT botnet, which spread from device to device by brute-forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check with command infrastructure for updates and change the device’s password – locking the IT department out of the 5,000 systems, it said.
 
Deeply troubled by this, the IT commander thought about what to do, even considering “replacing every soda machine and lamp post.” Luckily, there was a less drastic method by which the situation was resolved.
 
“The plan was to intercept the clear-text password for a compromised IoT device and then use that information to perform a password change before the next malware update,” the IT chief said in the report. “With the packet capture device operational, it was only a matter of hours before we had a complete listing of new passwords assigned to devices. With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once.”
 
Verizon, meanwhile, offered the following tips for preventing IoT devices from being hacked:
 
  • Create separate network zones for IoT systems; air gap them from other critical networks where possible.
  • Don’t allow direct ingress or egress connectivity to the internet; don’t forget the importance of an in-line proxy or content filtering system.
  • Change default credentials on devices; use strong and unique passwords for device accounts and Wi-Fi networks.
  • Regularly monitor events and logs; hunt for threats at endpoints, as well as at the network level; scan for open remote access protocols on your network and disable commonly unused and unsecured features and services.
  • Include IoT devices in IT asset inventory; regularly check manufacturer websites for firmware updates.
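
The signal that exposed this incident, devices on the IoT segment each making hundreds of DNS lookups per 15-minute window, can be hunted for in resolver query logs as part of the monitoring tip above. The following is an added example, not code from the Verizon report or this article; the log line format, the 10.20.0.0/16 IoT range, the 100-lookup threshold and the sample data are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 15 * 60   # the 15-minute interval cited in the report
LOOKUP_THRESHOLD = 100     # assumption: tune to your own baseline
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumption: the IoT zone

def parse_line(line):
    """Parse '<ISO-8601 UTC time> <client IP> <queried name>' (constructed format)."""
    ts, client, qname = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(client),
            qname.lower().rstrip("."))

def noisy_iot_clients(lines, threshold=LOOKUP_THRESHOLD):
    """Map each flagged IoT client to (lookups, distinct names) in its busiest window."""
    seen = defaultdict(list)          # (client, window index) -> queried names
    for line in lines:
        try:
            ts, client, qname = parse_line(line)
        except ValueError:
            continue                  # skip blank or malformed lines
        if client in IOT_SEGMENT:     # only the IoT zone is of interest here
            seen[(client, int(ts.timestamp()) // WINDOW_SECONDS)].append(qname)
    flagged = {}
    for (client, _), names in seen.items():
        if len(names) >= threshold and len(names) > flagged.get(str(client), (0, 0))[0]:
            flagged[str(client)] = (len(names), len(set(names)))
    return flagged

def sample_log():
    """Constructed sample: one noisy IoT device, one quiet one, one non-IoT host."""
    start = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    stamp = lambda s: (start + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(2 * i)} 10.20.1.7 h{i}.example.test" for i in range(300)]
    lines += [f"{stamp(60 * i)} 10.20.1.8 time.example.test" for i in range(5)]
    lines += [f"{stamp(i)} 192.168.5.5 www.example.test" for i in range(500)]
    lines.append("not a log line")    # malformed input is skipped, not fatal
    return lines

if __name__ == "__main__":
    for ip, (count, distinct) in noisy_iot_clients(sample_log()).items():
        print(f"{ip}: {count} lookups, {distinct} distinct names in one 15-minute window")
```

A high count of distinct names per window, as opposed to repeated lookups of one name, matches the "abnormal number of subdomains" the name servers alerted on.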

