A university was recently the victim of a cyber attack carried out from its own vending machines and lampposts (among other devices), according to a preview of Verizon's 2017 Data Breach Digest.
Thousands of Domain Name System (DNS) lookups
The university's network of Internet of Things (IoT) devices was breached by an unknown actor, who used the roughly 5,000 compromised devices to conduct thousands of DNS lookups.
A member of the university’s IT security team said:
The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.
After reading Verizon’s RISK Team’s report, the senior IT security team member said:
Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems.
Packet sniffer to the rescue
The good news for the university is that the devices did not need to be replaced: they could be recovered by using a packet sniffer to intercept, in cleartext, the new password the malware had set on a compromised IoT device. As the security team member explained:
With the packet capture device operational, it was only a matter of hours before we had a complete listing of new passwords assigned to devices. With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once.