Slashdot Mirror

← Back to Stories (view on slashdot.org)

College Network Attacked With Its Own Insecure IoT Devices (zdnet.com)

Posted by EditorDavid on from the lessons-in-karma dept.

An anonymous reader writes:An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."

31 of 53 comments (clear)

  1. Simple solution to 'default' passwords: by Anonymous Coward · · Score: 2, Insightful

    Write them per device based on the device serial number, which is affixed to the back of the device.

    This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)

    A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that is getting put on a college campus should be at least a single step up from that, and device metadata can be input into the flash during quality assurance testing as part of the flashing/testing procedure.

    1. Re:Simple solution to 'default' passwords: by Anonymous Coward · · Score: 1

      Write them per device based on the device serial number, which is affixed to the back of the device.

      But that would cost 10 cents more per device! My company is struggling, we only net $460 million in profits each year. We're barely staying afloat, like both of my yachts. I can't afford to implement something that will cost more money.

      -- CEO

  2. Hard to imagine by rmdingler · · Score: 2

    ...until IoT manufacturers bother to properly secure their devices...

    This is actually a planned event, set for the 5th of never.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Hard to imagine by arglebargle_xiv · · Score: 1

      It would help users identify what it is they're getting if everyone referred to it as IoS, not IoT. Remember folks, the abbreviation for "Internet of Things" is IoS, not IoT.

  3. "...it's only gong to get worse..." by turkeydance · · Score: 1

    it's the Gong Show!

    1. Re:"...it's only gong to get worse..." by JustAnotherOldGuy · · Score: 1

      it's the Gong Show!

      I loved that show....still do.

      JP Morgan, hubba hubba. She used to flash the audience and contestants when she felt like it, which was pretty much all the time, lol.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:"...it's only gong to get worse..." by flopsquad · · Score: 1

      Not even saying the name of the "college" in the summary is gong-worthy. I refuse to RTFA if TFS is a POS.

      --
      Nothing posted to /. has ever been legal advice, including this.
  4. Completely Seperate Network ? by Crashmarik · · Score: 1

    Never happen. People want to be able to use the things from their existing equipment.
    Camera -> Mobile
    Sensors -> Desktop
    Use Monitoring -> Accounting Cloud

    Good luck making a security case, unless they have already been burned and burned hard.

  5. until IoT manufacturers bother to properly secure by Anonymous Coward · · Score: 1

    Not sure how they plan to achieve that, given that even in IT that does not happen...

    This needs to cost money *to the manufacturers* to start seeing something happening.

  6. Re:until IoT manufacturers bother to properly secu by Anonymous Coward · · Score: 2, Informative

    That's the problem. This is a classic market failure. The cost of insecure IoT devices is an externality. The manufacturer already sold their device, so it doesn't affect them. The owner of the individual device often (though perhaps not in this case?) still has a working device as far as they can tell, so it doesn't really affect them, either. The fix for the device is to buy a new one, so it's actually a net win for the manufacturer at this point.

    Unfortunately, those in the US have been conditioned to believe that government is worse than any other problem, so you won't see anything done about IoT security until something even more significant than Dyn or something targeted directly at government happens.

  7. You reap what you so. by Gravis+Zero · · Score: 1

    Invest in poor security and you will get poor results.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:You reap what you so. by Gravis+Zero · · Score: 1

      sow*

      Investing in everything but editable posts and you will get unedited posts.

      --
      Anons need not reply. Questions end with a question mark.
  8. Re:until IoT manufacturers bother to properly secu by Attila+Dimedici · · Score: 2

    You would be right if this only affected individual consumers, but as this story illustrates it affects large organizations. Those organizations are large enough to make the manufacturer pay for their loss, maybe not this time but in the long run. If it was not the case here (and it likely was not), this university (and other large organizations) will put clauses in their contracts when they buy such devices making the manufacturer liable for such losses. Once manufacturers fix it for their big customers, they will fix it for the average consumer as well because it will be cheaper to get it right for everyone than to only get it right for some.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  9. VLAN + Frrewall? by Murdoch5 · · Score: 2

    Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

    1. Re:VLAN + Frrewall? by K10W · · Score: 1

      Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      blame is partly on the "professionals" but that will never change. There will always be such incompetence in low level competency IT positions especially for inhouse in a none tech business and where budget for that stuff is low. Lost count of how many times I had to troubleshoot such idiocy from so called network professionals when management asked me to step in and sort the issues but management STILL don't listen despite admitting proof of the incompetence they wont change.

      More needs to be done from the side of IoT vendors and others in the supply chain end to start making a dent in this issue or these stories wont go away no matter who installs them there will always be major weakness in the chain. Many don't even attempt to secure never mind harden the devices properly and they have no financial or legal incentive to... yet. IoT things wont go away and we need to start having proper encryption implementation plus authentication implementation so not just anyone who gets access can make changes to config (some devices send auth info cleartext so goes hand in hand with former point). System for patching and a way to push this, network isolation considerations both advising proper setup like this case didn't have as well as controlling what data they leak to EVERYTHING on home so less likely to be a weak link to own another device from within. The latter point sure some thigns need to communicate and be aware of each other but there is ways of doing that properly; such as proper handshake needed between such devices and way to determine and config what info what can share with what and when. Or making the requests go through a controller/smart hub as the middleman that is far more hardened with regard to such things. Sadly although this stuff will ocme I do not see it happening soon.

    2. Re:VLAN + Frrewall? by Ol+Olsoc · · Score: 1

      Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      Damn near everyone who is stupid enough to use IoT devices in the first place. Or employers who are stupid enough to force them to use them.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:VLAN + Frrewall? by Murdoch5 · · Score: 1

      There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.

    4. Re:VLAN + Frrewall? by Murdoch5 · · Score: 1

      Common sense would tell even a high school level IT student, to throw the device into an isolated VLAN and attach port monitoring to the port on the switch which the device will talk to, so they can see how the traffic is coming out and if it's safe or not.

    5. Re:VLAN + Frrewall? by Ol+Olsoc · · Score: 1

      There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.

      Nor is their anything wrong with falling off a cliff. Hitting the ground is a different story.

      It isn't that these devices can't be made secure. It is that they simply are not secure. Your secure devices does not nullify the (millions) that are out there now, that are so easy to turn into a botnet, that is tuhttps://slashdot.org/rning into the main feature of IoT.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:VLAN + Frrewall? by Murdoch5 · · Score: 1

      Right and that's not what we're arguing, no matter how insecure they are, you have to connect them to your network in the right manor. The firs thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being to busy, really isn't an excuse.

    7. Re:VLAN + Frrewall? by Ol+Olsoc · · Score: 1

      Right and that's not what we're arguing, no matter how insecure they are, you have to connect them to your network in the right manor. The firs thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being to busy, really isn't an excuse.

      Well, let's just hope we get this taken care of before too long. The big trick is going to be coming up with a way for the home users to isolate their machines. There are some ways to start, but the Chinese manufacturers of inexpensive stuff you buy on ebay shipped straight in will be a tough nut to crack.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:VLAN + Frrewall? by Murdoch5 · · Score: 1

      In the home environment is where IoT devices are very dangerous, because I would never expect a home user to have the gear or skill to do these kind of configurations, that is where we need required certifications and marks to show the security is at a decent enough level, X.

  10. don't forget the 3rd party payment vendor that jus by Joe_Dragon · · Score: 1

    don't forget the 3rd party payment vendor that just runes there own device that is plugged in to the DBA bus.

  11. Garage door openers on the network... by __aaclcg7560 · · Score: 3, Interesting

    Due to changes by the powers to be, my coworkers and I have ot narrow down the scope of the raw Nessus scan data to find our work assignments. Pull the spreadsheet, search for laptops and workstations in OU path, and work on the narrowed dataset (~400K items). One of the more interesting things to find in the raw data are garage openers on the network. Not sure how to remediate those yet. Won't be long before refrigerators, microwave ovens and HDTVs are on the network. Hopefully those will be on a separate VLAN than the general VLAN.

  12. Good by Opportunist · · Score: 1

    Dumb people being hit by their own stupidity is great, let's hope it stays that way and doesn't hit unsuspecting victims that actually DID try to secure their systems and get hit by the fallout.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:Simple solution to 'default' passwords: WRONG! by buss_error · · Score: 2

    No. Do not create a circumstance where a password is default at all in any circumstance. Simply have the device boot up and demand a password to be set as a minimum configuration.

    The counter to this is that it makes set up too hard. The counter to that is that they have to configure their wireless password anyway, so it's not like we are demanding a integral reduction without using a calculator or a scratch pad.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  14. it's only gong to get worse. by beckett · · Score: 1

    looks like now the spell check has been hijacked and is searching for seafood restaurants.

  15. Re:until IoT manufacturers bother to properly secu by Alain+Williams · · Score: 3, Interesting

    The only way of fixing this is to make the high street retailer liable for the damage (including clean up costs) for IoT device failures like this. The liability should be statutory, ie the householder/college/... would not have to show negligence, just that a device installed as per reasonable instructions had this failure. These devices should also have support (eg easy to apply software updates), this support should be for the reasonable expected lifetime of the device; which for something like a light sensor would be 20-40 years, not the paltry year or two that you get with most e-bling these days.

    Making the manufacturer liable would not work, many of them are in other countries (eg China) and it would be too difficult for Joe Sixpack/Aunt Tilley to make a complaint - ie sue them. The retailer is in your country, a statutory liability would ensure that their buying departments do appropriate checks and arrange suitable long term support; then arrange insurance in case the manufacturer goes out of business or fails to deliver.

    "Oh No!" I hear cries "this will make my IoT toys more expensive!". Please consider the cost of not doing this, not just immediate damage but the cost of employing a builder to replace the light-sensor/e-switch/central-heating/...

  16. Re:until IoT manufacturers bother to properly secu by Attila+Dimedici · · Score: 1

    If the vending machines are owned by an outside company, they should be on their own VLAN that can only access the Internet and the other machines.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  17. Next Semester by b783719 · · Score: 1

    College decided to provide free seafood on weekends to avoid getting attacked again.

    Next Semester, another 5000 IoT devices were compromised looking up Steak Houses...

  18. Seafood restaurants by heritage727 · · Score: 1

    It's the dolphins making their plans to leave.