College Network Attacked With Its Own Insecure IoT Devices

An anonymous reader writes:An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."

Simple solution to 'default' passwords:

Write them per device based on the device serial number, which is affixed to the back of the device.

This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)

A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that is getting put on a college campus should be at least a single step up from that, and device metadata can be input into the flash during quality assurance testing as part of the flashing/testing procedure.