The rapid spread of internet-of-things (IoT) devices, from smart-fridges to web-connected home camera systems, has left many of these products wide open to hackers who can exploit weak security and lax passwords to enslave them into so-called 'botnets'.
These computer bot armies, which in reality are simply a hefty series of infected devices injected with a strain of malware, can easily – and cheaply – be deployed by cybercriminals to direct waves of traffic at a website's server in order to take it offline.
Explaining the extent of this emerging threat and how it is likely to evolve in the future, a top data breach investigator at Verizon, Laurance Dine, told IBTimes UK about a recent case involving a university which had its IoT network used as a weapon against itself.
"[This was] not a combination of IoT from around the globe to target somebody as a DDoS or botnet attack, this is actually the university's IoT being targeted against the university," he said, referencing a case taken from Verizon's new 'Data Breach Digest' report, released in full later this month.
Dine, who is a US Air Force veteran with over a decade's worth of cyber forensics experience, said Verizon was called to investigate after a suspicious number of web searches within the network were directed to look up external domains.
Analysis of the university's network later identified over 5,000 devices that were making hundreds of Domain Name System (DNS) look-ups every 15 minutes. "This was coming from their IoT network, coming from their vending machines and light sensors," he said.
The Verizon team identified a number of domains that were later found to be on an "indicator" list for a known botnet, which was spreading from device to device by brute-forcing default and weak passwords – a common tactic.
Luckily, the commands were being received without encryption, meaning the team had a way to solve the problem. The researchers were able to intercept the clear-text password for a compromised IoT device and change it before the malware was updated.
"We put a network sniffer on the environment, get the password, change it back and cut off the issue," Dine explained. He said this is the first time he had witnessed this type of attack but warned: "I suspect there will be more."
"It could have shut down the entire university so there would have been no access for the students to do anything," Dine said. "It's a very interesting concept of what the future may hold." The issue, he explained, continues to be simple: weak passwords.
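The two signals in this case, devices making hundreds of DNS look-ups every 15 minutes and queries for domains on a botnet indicator list, can both be checked against resolver logs. The Python below is an added example, not code from Verizon or its report; the log format, the threshold, the IP addresses and the `.example` domains are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 15 * 60  # the 15-minute interval from the article

def normalise(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.lower().rstrip(".")

def matched_indicator(qname, indicators):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in indicators:
            return suffix
    return None

def find_noisy_clients(log_lines, indicators, threshold):
    """Flag clients whose busiest 15-minute window exceeds `threshold` look-ups
    or that queried a listed domain. Returns {client: {"peak", "indicator_hits"}}."""
    indicators = {normalise(d) for d in indicators}
    per_window = defaultdict(int)  # (client, window index) -> look-up count
    hits = defaultdict(set)        # client -> listed domains it queried
    for line in log_lines:
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            client, qname = parts[1], parts[2]
        except (ValueError, IndexError):
            continue               # skip malformed lines instead of aborting
        per_window[(client, int(ts.timestamp()) // WINDOW_SECONDS)] += 1
        domain = matched_indicator(qname, indicators)
        if domain:
            hits[client].add(domain)
    peak = defaultdict(int)
    for (client, _), count in per_window.items():
        peak[client] = max(peak[client], count)
    return {c: {"peak": n, "indicator_hits": sorted(hits[c])}
            for c, n in peak.items() if n > threshold or hits[c]}

# Constructed sample: "<ISO-8601 timestamp> <client IP> <query name>"
SAMPLE_LOG = [f"2017-02-01T10:{s // 60:02d}:{s % 60:02d}+00:00 10.0.5.17 h{s}.tracker.example."
              for s in range(0, 600, 2)]  # 300 look-ups in 10 minutes
SAMPLE_LOG += ["2017-02-01T10:01:00+00:00 10.0.9.4 www.university.example",
               "2017-02-01T10:02:00+00:00 10.0.9.4 Mail.University.example", "garbled line"]
SAMPLE_INDICATORS = {"Tracker.example"}  # constructed stand-in for an indicator list
if __name__ == "__main__":
    print(find_noisy_clients(SAMPLE_LOG, SAMPLE_INDICATORS, threshold=100))
```

Either signal alone flags a client, so a device that beacons slowly to a listed domain is still reported, as is a device generating heavy look-up volume to domains not yet on any list.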
Changing default credentials
As referenced, the Mirai botnet was a major cause of concern last year. Hackers were able to exploit routers and home security cameras with little or no password protection and eventually use the power to take down major websites including Reddit, Netflix and Twitter.
More recently, in January, the US Federal Trade Commission (FTC) filed a legal complaint against networking firm D-Link, accusing it of having "inadequate" security that left its internet-of-things (IoT) product range at risk of hacking.
"There's people out there that don't have laptops but are going to have refrigerators that will have the same capabilities or will be on a network somewhere," Dine said. "They are not going to know about changing default passwords.
"There's going to be endless amounts of technology that people are going to easily be able to access, so DDoS is going to continue to be a big problem."
The Verizon report, which is due out later this month, sums up the IoT issue concisely: "The underlying problem is that many IoT manufacturers are primarily designing their devices for functionality; and proper security testing often takes a back seat."
Note: The exact university was not named in the report as Verizon has to maintain customer confidentiality. The breach occurred at some point over the past 12 months, the firm said.