By Staff Writer

A university in the US has seen everything from light bulbs to vending machines, connected to its campus network for ease of management and improved efficiency, being used by a botnet of compromised Internet of Things (IoT) devices and the attackers behind it to attack its own infrastructure. The university was locked out of its network infrastructure systems.

“This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password—locking the university officials out of the 5,000 systems,” disclosed US-based telco Verizon in a recent report titled “IoT Calamity: The Panda Monium”.

The report is written by Verizon from the perspective of senior members of the university’s IT Security Team, who rotated weekly as on-call “Incident Commanders”.

What is IoT?

IoT, the “Internet of Things,” is a term that describes a network of physical objects connected to the internet. These may be discrete items like light bulbs or larger systems like building automation solutions. Embedded in each device are electronics capable of network connectivity along with sensors or other features. IoT possesses a huge potential to forever change the way we interact with the world through technology. The proliferation of IoT devices essentially leads to increased automation, big data analytics, and artificial-intelligence-based decision making in our daily lives. Security is often an afterthought when it comes to IoT solutions—and that means devices are often vulnerable to a wide array of threats, argues Verizon.
The Case of the Botnet Barrage

The University Incident Commander explained: “This week was my turn and as I sat at home, my phone lit up with a call from the help desk. They had been receiving an increasing number of complaints from students across campus about slow or inaccessible network connectivity. As always seemed to happen, the help desk had written off earlier complaints and it was well after 9 PM when I was finally pulled in.”

Even with limited access, the help desk had found several concerns. The name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped, preventing access to most of the internet.

The Verizon RISK Team concluded: The security system analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remediate the situation. We had known, repeatable processes and procedures for replacing infrastructure and application servers.

Luckily for the university, the Verizon RISK Team was there to provide insight into how to proceed. Analysis of previous malware samples had shown that the control password, used to issue commands to infected systems, was also used as the newly updated device password. These commands were typically received via Hypertext Transfer Protocol (HTTP) and in many cases did not rely on Secure Sockets Layer (SSL) to encrypt the transmissions.
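The triage described above, spotting IoT-segment hosts that make abnormal volumes of DNS lookups for seafood-themed names, can be expressed as a simple detection over DNS query logs. The Python below is an added example, not code from the Verizon report or the university; the log line format, the 10.50.0.0/16 IoT range, the threshold, the seafood word list and every sample line are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed IoT VLAN range
LOOKUP_THRESHOLD = 100  # lookups per client per 15-minute window; tune to the fleet
SEAFOOD_WORDS = {"lobster", "shrimp", "crab", "tuna", "oyster", "squid", "clam", "salmon"}


def build_sample_log():
    """Constructed DNS query log ('<ISO timestamp> <client> <qname>' per line): a noisy
    IoT host asking for seafood-themed names, a quiet IoT host, and a busy workstation
    outside the IoT segment that must not be flagged."""
    base, lines = datetime(2017, 1, 10, 21, 0, 0), []
    for i in range(120):
        fish = sorted(SEAFOOD_WORDS)[i % len(SEAFOOD_WORDS)]
        lines.append(f"{(base + timedelta(seconds=7 * i)).isoformat()} 10.50.1.20 c{i}.{fish}-updates.example.")
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.50.1.21 ntp.example.edu")
    for i in range(150):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.10.0.5 www.example.edu")
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, client_ip, qname) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts, ip = datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip, parts[2].lower().rstrip(".")


def flag_noisy_iot_clients(text, segment=IOT_SEGMENT, threshold=LOOKUP_THRESHOLD):
    """Return {client: {'peak_lookups': n, 'seafood_labels': {...}}} for IoT-segment
    clients whose lookups exceed the threshold in any clock-aligned 15-minute window."""
    per_window = defaultdict(Counter)  # client -> window start -> lookups
    themes = defaultdict(Counter)      # client -> seafood word -> hits in queried labels
    for ts, ip, qname in parse_log(text):
        if ip not in segment:
            continue  # only the IoT zone is in scope for this detection
        window = ts.replace(minute=ts.minute // 15 * 15, second=0, microsecond=0)
        per_window[ip][window] += 1
        for label in qname.split("."):
            themes[ip].update(w for w in label.split("-") if w in SEAFOOD_WORDS)
    return {str(ip): {"peak_lookups": max(w.values()), "seafood_labels": dict(themes[ip])}
            for ip, w in per_window.items() if max(w.values()) > threshold}
```

Running `flag_noisy_iot_clients(build_sample_log())` reports only the noisy IoT host with its peak lookup count and the seafood words seen in its queries; the busy workstation is ignored because it lives outside the IoT segment.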
“If this was the case for our compromise, a full packet capture device could be used to inspect the network traffic and identify the new device password. The plan was to intercept the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update. If conducted properly and quickly, we could regain control of our IoT devices,” said the commander.

“I instructed the network operations team to prepare to shut down all network access for our IoT segments once we had intercepted the malware password. Short-lived as it was, the impact from severing all of our IoT devices from the internet during that brief period was noticeable across the campus—and we were determined never to have a repeat incident.”
Key lessons and mitigation processes, according to Verizon:
- Don’t keep all your eggs in one basket; create separate network zones for IoT systems; air-gap them from other critical networks where possible.
- Include IoT devices in the IT asset inventory; regularly check manufacturer websites for software updates.
- Regularly monitor events and logs; hunt for threats at endpoints as well as at the network level; scan for open remote access protocols on your network and disable commonly unused and unsecured features and services (such as UPnP and RTSP) that aren’t required.
- Change default credentials on devices; use strong and unique passwords for device accounts and Wi-Fi networks.
- Don’t allow direct ingress or egress connectivity to the internet; don’t forget the importance of an in-line proxy or content filtering system.