Slashdot Mirror


College Network Attacked With Its Own Insecure IoT Devices (zdnet.com)

An anonymous reader writes: An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."

53 comments

  1. Exciting by Anonymous Coward · · Score: 0

    Watch Dogs IRL, here we come!

  2. Simple solution to 'default' passwords: by Anonymous Coward · · Score: 2, Insightful

    Write them per device based on the device serial number, which is affixed to the back of the device.

    This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)

    A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that is getting put on a college campus should be at least a single step up from that, and device metadata can be input into the flash during quality assurance testing as part of the flashing/testing procedure.
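An added example, not posted by the commenter above, of the per-serial default password scheme: the factory derives each unit's label password from its serial number with a keyed HMAC under a hypothetical manufacturer key, writes only a salted hash of it to flash during QA testing, and a list of well-known default credentials then opens nothing. MFG_KEY, the label alphabet, the serial numbers and the default list are constructed values.

```python
import hashlib
import hmac
import secrets

# Hypothetical manufacturer provisioning key (constructed for this example).
# It stays in the factory and is never written to a device, so dumping one
# unit's flash reveals nothing about the passwords of other units.
MFG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Alphabet for a label printed next to the serial: no 0/O or 1/I/l confusion.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols

# Credentials a default-password botnet would try (constructed sample list).
COMMON_DEFAULTS = ["admin", "password", "raspberry", "12345", "default"]


def derive_device_password(serial: str, mfg_key: bytes = MFG_KEY, length: int = 12) -> str:
    """Factory side: derive the per-device default password from its serial.

    A keyed HMAC rather than a plain hash of the serial, so knowing the serial
    and the algorithm is not enough to predict the password. The result is
    printed on the back of the device beside the serial, so recovering it
    needs physical access to the unit.
    """
    digest = hmac.new(mfg_key, serial.encode("ascii"), hashlib.sha256).digest()
    # 256 % 32 == 0, so taking each byte modulo 32 picks symbols without bias.
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in digest[:length])


def factory_flash_record(serial: str) -> dict:
    """What QA writes into the device flash: the serial and a salted hash of the
    label password (never the factory key and never the password itself)."""
    password = derive_device_password(serial)
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return {"serial": serial, "salt": salt, "pw_hash": pw_hash}


def device_accepts(record: dict, attempt: str) -> bool:
    """Device side: check a login attempt against the flashed record in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], 50_000)
    return hmac.compare_digest(candidate, record["pw_hash"])


def survives_default_list(serials, candidates=COMMON_DEFAULTS) -> bool:
    """True when none of the well-known defaults opens any of the given devices."""
    records = [factory_flash_record(s) for s in serials]
    return not any(device_accepts(r, c) for r in records for c in candidates)


if __name__ == "__main__":
    for serial in ("SN-000123", "SN-000124"):
        print(serial, "label password:", derive_device_password(serial))
    print("default list defeated:", survives_default_list(["SN-000123", "SN-000124"]))
```

The label must carry the derived password itself, not just the serial: if the derivation were an unkeyed hash, anyone who learned the algorithm could compute every unit's password from a serial scraped off a photo.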

    1. Re: Simple solution to 'default' passwords: by Anonymous Coward · · Score: 0

      That's what ISPs do with customer routers. These default passwords are probably much more secure than what people would choose for their Wi-Fi password (if any)!

      I'd be curious to see stats over 10 years with regard to open Wi-Fi networks.

    2. Re:Simple solution to 'default' passwords: by Anonymous Coward · · Score: 1

      Write them per device based on the device serial number, which is affixed to the back of the device.

      But that would cost 10 cents more per device! My company is struggling, we only net $460 million in profits each year. We're barely staying afloat, like both of my yachts. I can't afford to implement something that will cost more money.

      -- CEO

  3. Hard to imagine by rmdingler · · Score: 2

    ...until IoT manufacturers bother to properly secure their devices...

    This is actually a planned event, set for the 5th of never.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Hard to imagine by arglebargle_xiv · · Score: 1

      It would help users identify what it is they're getting if everyone referred to it as IoS, not IoT. Remember folks, the abbreviation for "Internet of Things" is IoS, not IoT.

  4. "...it's only gong to get worse..." by turkeydance · · Score: 1

    it's the Gong Show!

    1. Re:"...it's only gong to get worse..." by JustAnotherOldGuy · · Score: 1

      it's the Gong Show!

      I loved that show....still do.

      JP Morgan, hubba hubba. She used to flash the audience and contestants when she felt like it, which was pretty much all the time, lol.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:"...it's only gong to get worse..." by Anonymous Coward · · Score: 0

      "it's the Gong Show!"

      Nah, it's the Goon Show!
      We'll all be murdered in our beds!

      https://en.wikiquote.org/wiki/The_Goon_Show

      I had to install one of those nasty IoTs on Friday. Wave, formerly Astound, has now required an Encrypted Box to allow me to watch Basic Cable TV. And here I went, thinking that they were the Anti-Comcast.
      Last week, as Channels blinked out of existence, only to be replaced by a message that they were doing this for my own good, I came to realize that _everybody_ involved in the Cable Industry is a Goon. There are no Good Guys there. And no, I am not expecting "Better Internet Service", and I'm not buying the line that the Channels were being "Converted" to a Digital Format to make my Internet better. They already _were_ in a Digital Format- Clear QAM. Only now, it's encrypted. Even CSPAN is encrypted. (How can that possibly be legal?)
      There are real reasons why they do this, but try getting just one of those fuckers to admit it. The first is: they can cut off the signals remotely without "rolling a truck", for any reason that they like, which saves them money, and the savings will be passed to the Customers, right?
      The second reason is that every single one, without exceptions, of their Customers are Pirates and Thieves. Preventive measures are called for.
      But the third reason, the main reason, is that after the "Free" period, they can charge me monthly for it, for a rubbish box made in China, made for a buck, that talks about me to them, but also potentially anybody else interested. What hours do I watch TV. What Channels do I watch. And by the way, this mandated IoT is just as rubbish as all the other IoTs, which means it can be harvested.
      For those of a Technical Bent, it is a Cisco, going by the name of technicolor, (Did they pay for the Technicolor naming rights?), DTA 271HD.
      I want to knobble it.
      Why not me? Somebody else with less than honest intentions is going to do so anyway.
      It can't even be turned off. Oh, on the remote there is an off button, which silences the TV, but it consumes exactly the same amount of power, 4.3 Watts, as when it is "On". Watts that _I_ now pay for. (Yes, at current Rates, only about $10 a year, but it is the principle of the thing.)

      Oh, I needed a new Cable Modem as well, another "technicolor" box. But I knobbled my last one to see what outgoing connections it was making before; it shouldn't be too difficult with this one as well.

      Captcha: adverse
      Call me Anthony

    3. Re:"...it's only gong to get worse..." by flopsquad · · Score: 1

      Not even saying the name of the "college" in the summary is gong-worthy. I refuse to RTFA if TFS is a POS.

      --
      Nothing posted to /. has ever been legal advice, including this.
  5. updates? by Anonymous Coward · · Score: 0

    Seriously going to get software updates for my IoT fridge when I can't get them for a couple-of-years-old phone..... doubtful

  6. Completely Separate Network? by Crashmarik · · Score: 1

    Never happen. People want to be able to use the things from their existing equipment.
    Camera -> Mobile
    Sensors -> Desktop
    Use Monitoring -> Accounting Cloud

    Good luck making a security case, unless they have already been burned and burned hard.

  7. This proves Trump correct... by Anonymous Coward · · Score: 0

    so we shouldn't discuss this.

    "You failed to confirm you are a human. Please start from the beginning and try again. If you are a human, we apologize for the inconvenience." which proves /. is censoring replies.

    1. Re: This proves Trump correct... by Anonymous Coward · · Score: 0

      Censorship is required of a democracy. Glad to see /. is censoring.

  8. until IoT manufacturers bother to properly secure by Anonymous Coward · · Score: 1

    Not sure how they plan to achieve that, given that even in IT that does not happen...

    This needs to cost money *to the manufacturers* to start seeing something happening.

  9. Re:until IoT manufacturers bother to properly secu by Anonymous Coward · · Score: 2, Informative

    That's the problem. This is a classic market failure. The cost of insecure IoT devices is an externality. The manufacturer already sold their device, so it doesn't affect them. The owner of the individual device often (though perhaps not in this case?) still has a working device as far as they can tell, so it doesn't really affect them, either. The fix for the device is to buy a new one, so it's actually a net win for the manufacturer at this point.

    Unfortunately, those in the US have been conditioned to believe that government is worse than any other problem, so you won't see anything done about IoT security until something even more significant than Dyn or something targeted directly at government happens.

  10. Appernet of Apps! by Anonymous Coward · · Score: 0

    Only apps can app apps, and the Appernet of Apps has the appiest apps!

    Apps!

    1. Re: Appernet of Apps! by Anonymous Coward · · Score: 0

      You forgot to mention something about Luddites.

  11. You reap what you so. by Gravis+Zero · · Score: 1

    Invest in poor security and you will get poor results.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:You reap what you so. by Gravis+Zero · · Score: 1

      sow*

      Investing in everything but editable posts and you will get unedited posts.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:You reap what you so. by Anonymous Coward · · Score: 0

      That post was stupid regardless of the misspelling.

    3. Re:You reap what you so. by Anonymous Coward · · Score: 0

      "Investing in everything but editable posts and you will get unedited posts."

      Well then, you reap what you so bloody well deserve.

      IT is inherently fraudulent, they are nothing more than a bunch of gas-passers who _never_ own up to their mistakes; it's always somebody else's fault.
      Corporate won't give us enough money.
      Management is clueless.
      Users are even more clueless.
      Engineers are prima donnas.
      Network devices.... ooh! Shiny!

      The very phrase "Information Technology" is pure puffery, right up there with "Sanitary Engineer", and equally unpleasant.

    4. Re:You reap what you so. by Anonymous Coward · · Score: 0

      After you click the preview button, you can use that opportunity to proofread your post and its title and you can choose not to submit at that point in favor of editing the post.

      It's not Slashdot's fault that you missed the error in the review phase, and the error wasn't even that big a deal, anyway. The decision not to allow editing once a comment is publicly visible was deliberate, and the reasons are more important than our desires to correct minor spelling/grammatical errors.

    5. Re:You reap what you so. by Anonymous Coward · · Score: 0

      I am an ex-IT alum, so among the gas passers I should be right there, like the bottom man on the totem pole.

    6. Re:You reap what you so. by Anonymous Coward · · Score: 0

      You have taken the idiom the wrong way, but that is OK, it is a common mistake. (The "Bottom Man" on a Native Totem Pole has the highest respect.)
      But to take your metaphor literally, what it means is that when you look up, all that you see are assholes, right up to the top.
      I have no argument with that, but it still doesn't excuse the utter ineptitude that characterizes "IT" these days.

    7. Re:You reap what you so. by Anonymous Coward · · Score: 0

      "Investing in everything but editable posts and you will get unedited posts."

      Well then, you reap what you so bloody well deserve.

      IT is inherently fraudulent, they are nothing more than a bunch of gas-passers who _never_ own up to their mistakes; it's always somebody else's fault.
      Corporate won't give us enough money.
      Management is clueless.
      Users are even more clueless.
      Engineers are prima donnas.
      Network devices.... ooh! Shiny!

      The very phrase "Information Technology" is pure puffery, right up there with "Sanitary Engineer", and equally unpleasant.

      I agree, IT is inherently fraudulent - just like every CxO position, HR position, etc.,... If IT is fraudulent, all departments are fraudulent for the same reasons.

      However, Corporate DOESN'T give enough resources for IT to deliver what it asks.
      Management IS clueless.
      Users ARE even more clueless.
      Engineers ARE prima donnas.

      From an IT perspective, the above is the reason for the fraudulence. For other departments, the fraudulence has different, though perhaps similar, justifications. Usually, it boils down to some sort of practicality or realism.

  12. Re:until IoT manufacturers bother to properly secu by Attila+Dimedici · · Score: 2

    You would be right if this only affected individual consumers, but as this story illustrates it affects large organizations. Those organizations are large enough to make the manufacturer pay for their loss, maybe not this time but in the long run. If it was not the case here (and it likely was not), this university (and other large organizations) will put clauses in their contracts when they buy such devices making the manufacturer liable for such losses. Once manufacturers fix it for their big customers, they will fix it for the average consumer as well because it will be cheaper to get it right for everyone than to only get it right for some.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  13. VLAN + Firewall? by Murdoch5 · · Score: 2

    Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

    1. Re:VLAN + Firewall? by Anonymous Coward · · Score: 0

      Probably they were overworked/underpaid grunts focused on getting ready for start of semester priorities such as setting up accounts for a bunch of students and professors....

      RO

    2. Re:VLAN + Firewall? by K10W · · Score: 1

      Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      Blame is partly on the "professionals", but that will never change. There will always be such incompetence in low-level-competency IT positions, especially in-house in a non-tech business and where the budget for that stuff is low. Lost count of how many times I had to troubleshoot such idiocy from so-called network professionals when management asked me to step in and sort the issues, but management STILL don't listen; despite admitting proof of the incompetence, they won't change.

      More needs to be done from the side of IoT vendors and others at the supply chain end to start making a dent in this issue, or these stories won't go away; no matter who installs them, there will always be a major weakness in the chain. Many don't even attempt to secure, never mind harden, the devices properly, and they have no financial or legal incentive to... yet. IoT things won't go away, and we need to start having proper encryption implementation plus authentication implementation so not just anyone who gets access can make changes to config (some devices send auth info in cleartext, so that goes hand in hand with the former point). A system for patching and a way to push this; network isolation considerations, both advising proper setup like this case didn't have as well as controlling what data they leak to EVERYTHING on the home network, so they are less likely to be a weak link to own another device from within. On the latter point, sure, some things need to communicate and be aware of each other, but there are ways of doing that properly, such as a proper handshake needed between such devices and a way to determine and configure what info what can share with what and when. Or making the requests go through a controller/smart hub as the middleman that is far more hardened with regard to such things. Sadly, although this stuff will come, I do not see it happening soon.

    3. Re:VLAN + Firewall? by Ol+Olsoc · · Score: 1

      Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      Damn near everyone who is stupid enough to use IoT devices in the first place. Or employers who are stupid enough to force them to use them.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:VLAN + Firewall? by Murdoch5 · · Score: 1

      There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.

    5. Re:VLAN + Firewall? by Murdoch5 · · Score: 1

      Common sense would tell even a high school level IT student to throw the device into an isolated VLAN and attach port monitoring to the port on the switch which the device will talk to, so they can see how the traffic is coming out and if it's safe or not.
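An added example, not from any commenter, of the check that port monitoring on an isolated IoT VLAN makes possible: it runs over constructed DNS query log lines and flags devices that query domains outside their class's baseline, exceed a query rate, or are not in the inventory at all. The log format, addresses, device classes and domain names are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a DNS query log captured from the monitored switch port
# of an isolated IoT VLAN. Format (constructed): "<ISO timestamp> <client ip> <qname>".
SAMPLE_LOG = """\
2017-02-10T08:00:00 10.50.1.21 api.vendor-telemetry.example
2017-02-10T08:00:01 10.50.1.21 ntp.campus.example
2017-02-10T08:00:02 10.50.1.33 ntp.campus.example
2017-02-10T08:00:03 10.50.1.21 crabshack-downtown.example
2017-02-10T08:00:03 10.50.1.21 the-oyster-bar.example
2017-02-10T08:00:04 10.50.1.21 fish-and-ships.example
2017-02-10T08:00:04 10.50.1.21 crabshack-downtown.example
2017-02-10T08:00:05 10.50.1.21 lobster-pot-takeaway.example
2017-02-10T08:00:05 10.50.1.21 the-oyster-bar.example
2017-02-10T08:00:10 10.50.1.40 api.vendor-telemetry.example
2017-02-10T08:00:11 10.50.1.40 cdn.firmware-updates.example
2017-02-10T08:00:20 10.50.1.99 ntp.campus.example
2017-02-10T08:15:02 10.50.1.33 ntp.campus.example
"""

# Device inventory and per-class expected destinations (constructed; in practice
# the allowlist comes from a baseline capture taken on the isolated VLAN before go-live).
DEVICE_CLASS = {"10.50.1.21": "vending", "10.50.1.33": "light-sensor", "10.50.1.40": "vending"}
EXPECTED_DOMAINS = {
    "vending": {"api.vendor-telemetry.example", "ntp.campus.example"},
    "light-sensor": {"ntp.campus.example"},
}


def parse_log(text):
    """Yield (timestamp, client_ip, qname) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, qname = parts
        yield datetime.fromisoformat(ts), ip, qname.lower().rstrip(".")


def peak_rate(timestamps, window_seconds):
    """Largest number of queries from one client inside any window of the given length."""
    ts = sorted(timestamps)
    best = 0
    for i, start in enumerate(ts):
        count = sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_seconds)
        best = max(best, count)
    return best


def analyze(text, rate_threshold=5, window_seconds=10):
    """Return {client_ip: [reasons]} for devices on the VLAN that need a look."""
    queries = defaultdict(list)
    for ts, ip, qname in parse_log(text):
        queries[ip].append((ts, qname))
    findings = {}
    for ip, items in queries.items():
        reasons = []
        cls = DEVICE_CLASS.get(ip)
        if cls is None:
            reasons.append("unregistered-device")   # something joined the IoT VLAN uninventoried
        else:
            unexpected = sorted({q for _, q in items} - EXPECTED_DOMAINS[cls])
            if unexpected:
                reasons.append("unexpected-domains:" + ",".join(unexpected))
        if peak_rate([t for t, _ in items], window_seconds) > rate_threshold:
            reasons.append("query-rate")            # a light sensor has no business bursting DNS
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

A firewall rule that only permits the IoT VLAN to reach the campus resolver makes this log complete: a device that cannot talk to arbitrary resolvers cannot hide its lookups from the mirrored port.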

    6. Re:VLAN + Firewall? by Ol+Olsoc · · Score: 1

      There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.

      Nor is there anything wrong with falling off a cliff. Hitting the ground is a different story.

      It isn't that these devices can't be made secure. It is that they simply are not secure. Your secure devices do not nullify the (millions) that are out there now, that are so easy to turn into a botnet, that is turning into the main feature of IoT.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:VLAN + Firewall? by Murdoch5 · · Score: 1

      Right, and that's not what we're arguing; no matter how insecure they are, you have to connect them to your network in the right manner. The first thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being too busy really isn't an excuse.

    8. Re:VLAN + Firewall? by Ol+Olsoc · · Score: 1

      Right, and that's not what we're arguing; no matter how insecure they are, you have to connect them to your network in the right manner. The first thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being too busy really isn't an excuse.

      Well, let's just hope we get this taken care of before too long. The big trick is going to be coming up with a way for the home users to isolate their machines. There are some ways to start, but the Chinese manufacturers of inexpensive stuff you buy on ebay shipped straight in will be a tough nut to crack.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:VLAN + Firewall? by Murdoch5 · · Score: 1

      The home environment is where IoT devices are very dangerous, because I would never expect a home user to have the gear or skill to do these kinds of configurations; that is where we need required certifications and marks to show the security is at a decent enough level, X.

  14. Re:until IoT manufacturers bother to properly secu by Anonymous Coward · · Score: 0

    I doubt vending machines are bought directly by the college. More likely their food service contractor (such as ARA) owns the machines, and is allowed to connect them to the campus network. So that would be a bit more indirect, in that organizations which contract with food service vendors would have to stipulate in their contract that the vendor ensure "safe" connections, with a penalty for failure to do so one would hope; then that vendor has to implement that in their machine purchase contracts, AND for whoever installs and maintains the machines, whether their own employees getting vendor training, or the vendors' own support people. Lots of finger-pointing and lawyer career opportunities...

    RO

  15. FAKE NEWS by Anonymous Coward · · Score: 0

    IF this were real we would have a name attached to it. But since it NEVER happened you can't refute it, as it never happened.

  16. don't forget the 3rd party payment vendor that jus by Joe_Dragon · · Score: 1

    Don't forget the 3rd party payment vendor that just runs their own device that is plugged into the DBA bus.

  17. Garage door openers on the network... by __aaclcg7560 · · Score: 3, Interesting

    Due to changes by the powers that be, my coworkers and I have to narrow down the scope of the raw Nessus scan data to find our work assignments. Pull the spreadsheet, search for laptops and workstations in the OU path, and work on the narrowed dataset (~400K items). One of the more interesting things to find in the raw data is garage openers on the network. Not sure how to remediate those yet. Won't be long before refrigerators, microwave ovens and HDTVs are on the network. Hopefully those will be on a separate VLAN from the general VLAN.

    1. Re: Garage door openers on the network... by Anonymous Coward · · Score: 0

      802.1x

  18. Good by Opportunist · · Score: 1

    Dumb people being hit by their own stupidity is great, let's hope it stays that way and doesn't hit unsuspecting victims that actually DID try to secure their systems and get hit by the fallout.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  19. Re:Simple solution to 'default' passwords: WRONG! by buss_error · · Score: 2

    No. Do not create a circumstance where a password is default at all in any circumstance. Simply have the device boot up and demand a password to be set as a minimum configuration.

    The counter to this is that it makes setup too hard. The counter to that is that they have to configure their wireless password anyway, so it's not like we are demanding an integral reduction without using a calculator or a scratch pad.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  20. University, not college by Anonymous Coward · · Score: 0

    The article mentions a university network, not a college network. Universities are typically made up of several colleges, like the college of pharmacy or college of business.

    This article contains a story about an unspecified university, a story that was basically summarized from Verizon's Data Breach Digest 2017. Actually, the 2017 digest isn't out yet and this story is from a "sneak peek".

  21. it's only gong to get worse. by beckett · · Score: 1

    Looks like now the spell check has been hijacked and is searching for seafood restaurants.

  22. Re:until IoT manufacturers bother to properly secu by Alain+Williams · · Score: 3, Interesting

    The only way of fixing this is to make the high street retailer liable for the damage (including clean-up costs) for IoT device failures like this. The liability should be statutory, i.e. the householder/college/... would not have to show negligence, just that a device installed as per reasonable instructions had this failure. These devices should also have support (e.g. easy to apply software updates); this support should be for the reasonable expected lifetime of the device, which for something like a light sensor would be 20-40 years, not the paltry year or two that you get with most e-bling these days.

    Making the manufacturer liable would not work; many of them are in other countries (e.g. China) and it would be too difficult for Joe Sixpack/Aunt Tilley to make a complaint, i.e. sue them. The retailer is in your country; a statutory liability would ensure that their buying departments do appropriate checks and arrange suitable long term support, then arrange insurance in case the manufacturer goes out of business or fails to deliver.

    "Oh No!" I hear cries "this will make my IoT toys more expensive!". Please consider the cost of not doing this, not just immediate damage but the cost of employing a builder to replace the light-sensor/e-switch/central-heating/...

  23. Is there any advantage? by Anonymous Coward · · Score: 0

    To customers, to the consumers, I mean. It seems to me there's only drawbacks and absolutely nothing in it for us.

  24. Not just the manufacturers Problem by Anonymous Coward · · Score: 0

    Most IoT devices are running Linux. As such, the passwords are set to a default. For example: User = pi, Password = raspberry.

    Most installers plug a device in and forget about it. They fail to set the password, and the machine functions with a default password.

    Two things need to change to solve this problem. Manufacturers need to force installers to change the password, and installers need training.

  25. Re:until IoT manufacturers bother to properly secu by Attila+Dimedici · · Score: 1

    If the vending machines are owned by an outside company, they should be on their own VLAN that can only access the Internet and the other machines.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  26. Next Semester by b783719 · · Score: 1

    College decided to provide free seafood on weekends to avoid getting attacked again.

    Next Semester, another 5000 IoT devices were compromised looking up Steak Houses...

  27. Seafood restaurants by heritage727 · · Score: 1

    It's the dolphins making their plans to leave.