College Network Attacked With Its Own Insecure IoT Devices

An anonymous reader writes:An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."

Simple solution to 'default' passwords:

Write them per device based on the device serial number, which is affixed to the back of the device.

This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)

A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that is getting put on a college campus should be at least a single step up from that, and device metadata can be input into the flash during quality assurance testing as part of the flashing/testing procedure.

Hard to imagine

[rmdingler]

...until IoT manufacturers bother to properly secure their devices...

This is actually a planned event, set for the 5th of never.

Re:until IoT manufacturers bother to properly secu

That's the problem. This is a classic market failure. The cost of insecure IoT devices is an externality. The manufacturer already sold their device, so it doesn't affect them. The owner of the individual device often (though perhaps not in this case?) still has a working device as far as they can tell, so it doesn't really affect them, either. The fix for the device is to buy a new one, so it's actually a net win for the manufacturer at this point.

Unfortunately, those in the US have been conditioned to believe that government is worse than any other problem, so you won't see anything done about IoT security until something even more significant than Dyn or something targeted directly at government happens.

Re:until IoT manufacturers bother to properly secu

[Attila+Dimedici]

You would be right if this only affected individual consumers, but as this story illustrates it affects large organizations. Those organizations are large enough to make the manufacturer pay for their loss, maybe not this time but in the long run. If it was not the case here (and it likely was not), this university (and other large organizations) will put clauses in their contracts when they buy such devices making the manufacturer liable for such losses. Once manufacturers fix it for their big customers, they will fix it for the average consumer as well because it will be cheaper to get it right for everyone than to only get it right for some.

VLAN + Frrewall?

[Murdoch5]

Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

Garage door openers on the network...

[__aaclcg7560]

Due to changes by the powers to be, my coworkers and I have ot narrow down the scope of the raw Nessus scan data to find our work assignments. Pull the spreadsheet, search for laptops and workstations in OU path, and work on the narrowed dataset (~400K items). One of the more interesting things to find in the raw data are garage openers on the network. Not sure how to remediate those yet. Won't be long before refrigerators, microwave ovens and HDTVs are on the network. Hopefully those will be on a separate VLAN than the general VLAN.

Re:Simple solution to 'default' passwords: WRONG!

[buss_error]

No. Do not create a circumstance where a password is default at all in any circumstance. Simply have the device boot up and demand a password to be set as a minimum configuration.

The counter to this is that it makes set up too hard. The counter to that is that they have to configure their wireless password anyway, so it's not like we are demanding a integral reduction without using a calculator or a scratch pad.

Re:until IoT manufacturers bother to properly secu

[Alain+Williams]

The only way of fixing this is to make the high street retailer liable for the damage (including clean up costs) for IoT device failures like this. The liability should be statutory, ie the householder/college/... would not have to show negligence, just that a device installed as per reasonable instructions had this failure. These devices should also have support (eg easy to apply software updates), this support should be for the reasonable expected lifetime of the device; which for something like a light sensor would be 20-40 years, not the paltry year or two that you get with most e-bling these days.

Making the manufacturer liable would not work, many of them are in other countries (eg China) and it would be too difficult for Joe Sixpack/Aunt Tilley to make a complaint - ie sue them. The retailer is in your country, a statutory liability would ensure that their buying departments do appropriate checks and arrange suitable long term support; then arrange insurance in case the manufacturer goes out of business or fails to deliver.

"Oh No!" I hear cries "this will make my IoT toys more expensive!". Please consider the cost of not doing this, not just immediate damage but the cost of employing a builder to replace the light-sensor/e-switch/central-heating/...