Increasing use of IoT may have its downsides, as many devices lacking basic security have been used by hackers to take down networks, according to a report by Verizon.
The company has published a sneak peek into its Data Breach Report 2017, which details an incident at an unnamed university that had connected everything from vending machines to smart bulbs to its systems.
What the university’s IT administrators didn’t realize was that these devices had been compromised and subsequently recruited into a botnet that used up network bandwidth within the university’s infrastructure.
“My phone lit up with a call from the help desk. They had been receiving an increasing number of complaints from students across campus about slow or inaccessible network connectivity,” said the unnamed incident commander at the university.
Investigations unearthed 5,000 systems and IoT devices making requests to the university’s DNS servers every 15 minutes, effectively preventing these systems from working properly. Analysis of the IP addresses and domains showed that nearly all of them were located on the segment of the network dedicated to its IoT infrastructure.
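The two indicators the investigators used here, a fixed 15-minute query cadence and clustering of the source addresses on the IoT segment, can be checked mechanically against DNS query logs. The script below is an added example, not part of the report or the university's tooling; the log format, the `10.50.0.0/16` IoT address range, the hostnames and the timestamps are all constructed for illustration.

```python
"""Flag hosts whose DNS queries recur on a fixed cadence and report whether
they sit in the IoT address segment. Added example; log format, IoT subnet
and sample data are constructed, not taken from the Verizon report."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed sample of DNS query log lines: "<ISO timestamp> <client IP> <queried name>".
# Two hosts in the assumed IoT range query the same name every 15 minutes;
# one workstation queries assorted names at irregular intervals.
SAMPLE_LOG = """\
2017-02-01T08:00:00 10.50.1.10 update.example-c2.test
2017-02-01T08:15:00 10.50.1.10 update.example-c2.test
2017-02-01T08:30:00 10.50.1.10 update.example-c2.test
2017-02-01T08:45:00 10.50.1.10 update.example-c2.test
2017-02-01T08:00:30 10.50.1.11 update.example-c2.test
2017-02-01T08:15:30 10.50.1.11 update.example-c2.test
2017-02-01T08:30:30 10.50.1.11 update.example-c2.test
2017-02-01T08:45:30 10.50.1.11 update.example-c2.test
2017-02-01T08:01:12 10.20.4.7 www.example.edu
2017-02-01T08:03:48 10.20.4.7 mail.example.edu
2017-02-01T08:29:05 10.20.4.7 cdn.example.net
2017-02-01T08:44:51 10.20.4.7 www.example.edu
"""

IOT_SEGMENT = ip_network("10.50.0.0/16")  # assumed IoT VLAN, not from the report
EXPECTED_PERIOD_S = 15 * 60               # the 15-minute check-in described in the article
TOLERANCE_S = 30                          # allowed jitter around the period, in seconds
MIN_SAMPLES = 4                           # need several queries before calling it a cadence


def parse_log(text):
    """Group log lines by client IP: {ip: [(timestamp, queried_name), ...]}."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        by_host[client].append((datetime.fromisoformat(ts), name))
    return by_host


def beacon_period(events):
    """Return the mean gap between queries in seconds when the gaps are
    regular (low spread), or None when the timing looks irregular."""
    if len(events) < MIN_SAMPLES:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if pstdev(gaps) > TOLERANCE_S:
        return None
    return sum(gaps) / len(gaps)


def find_beaconing_hosts(text, period=EXPECTED_PERIOD_S, tolerance=TOLERANCE_S):
    """Return a sorted list of (ip, period_seconds, in_iot_segment, queried_names)
    for every host whose DNS queries recur roughly every `period` seconds."""
    hits = []
    for client, events in parse_log(text).items():
        p = beacon_period(events)
        if p is None or abs(p - period) > tolerance:
            continue
        names = sorted({n for _, n in events})
        hits.append((client, p, ip_address(client) in IOT_SEGMENT, names))
    return sorted(hits)


if __name__ == "__main__":
    for ip, p, iot, names in find_beaconing_hosts(SAMPLE_LOG):
        segment = "IoT segment" if iot else "other segment"
        print(f"{ip}: queries every {p / 60:.1f} min ({segment}) -> {', '.join(names)}")
```

The cadence test is deliberately strict (low spread in the inter-query gaps) because human-driven lookups, like the workstation in the sample, are bursty and drop out on their own; in a real deployment the period and tolerance would be tuned against the DNS server's own logs, and the IoT range would come from the network inventory rather than a constant.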
“This botnet spread from device to device by brute-forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems,” said the incident commander.
Unplugging every one of the IoT devices dotted around the campus was not a sensible option. At the time, the university was at a loss for how to remediate the problem. However, a solution was eventually found that could deal with a malware outbreak on its IoT devices. This solution was provided by Verizon’s own security group, the Risk team.
Analysis of earlier malware samples had shown that the control password, used to issue commands to infected systems, was the same password the malware set as the device’s new password.
“The plan was to intercept the clear-text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update. If conducted properly and quickly, we could regain control of our IoT devices,” said the commander.
The university shut down all network access for its IoT segments once it had intercepted the malware password. Within a matter of hours, the university had a complete listing of new passwords assigned to devices.
“With these passwords, one of our developers was able to write a script, which allowed us to log in, update the password, and remove the infection across all devices at once. The whole process took a matter of minutes and I made a mental note to save that script for later – although I prayed that we would never need it again,” said the incident commander at the university.
Getting ahead of “black hat hackers”
Stephen Gates, chief research intelligence analyst at network security specialist Nsfocus, told Internet of Business that IoT manufacturers should consider hiring, contracting, or working with vulnerability testers to ensure their technologies are as secure as possible, and that this new functionality should help.
“However, black hat hackers are fully capable of using this type of functionality for their own advantage as well,” he cautioned.