University's Smart Vending Machines, Light Bulbs, Other Devices Hacked, Used to Attack School's Network

Institution locked out of 5,000 systems in attack by Internet-connected soda machines and other devices

University's Smart Vending Machines, Light Bulbs, Other Devices Hacked, Used to Attack School's Network
Image: Pixabay
February 14, 2017

Network World reports that a university's smart devices—including vending machines and light bulbs—were hacked and used to attack its network.

The problem first surfaced when students complained to the university's help desk about slow or downright inaccessible network connectivity. Unfortunately, the help desk disregarded the signs of a bigger issue shown by these complaints, so the situation had developed into a complex problem by the time a senior member of the IT security team was informed.

That IT team member, known as the "incident commander," began to suspect a bigger issue after the university network showed that users had apparently developed a sudden, intense interest in domains related to seafood.

The commander observed that "the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet."

This explained why the network was running so slowly, but little else. So the university contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and provided its DNS and firewall logs. The Team found that the school's hijacked vending machines, as well as 5,000 other devices connected to the network, were making DNS requests related to seafood every 15 minutes.

"With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies," the commander explained. "While these IoT [Internet of Things] systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet."

The commander went on to describe how an "emergent IoT botnet" (a network of devices infected with malware and controlled as a group without the knowledge of the owners) "spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device's password—locking us out of the 5,000 systems."

The senior member thought at first that the only way to fix the problem was to replace all the smart devices, including "every soda machine and lamp post." Upon realizing how the botnet was spreading, however, the university intercepted a clear-text malware password for an infected device using a packet sniffer.

Hours letter, the university had a complete list of new passwords assigned to the compromised devices. One of its developers then used these passwords to write a script, allowing the Team to log in, update the password, and eliminate the infection across all the infected devices at one time.