Last month an unnamed university featured in a Verizon Data Breach Digest regarding Internet of Thing equipped devices (IoTs) published a story regarding a botnet army throttling the campus network to the point of limited or no connectivity for it’s students. What made this particular attack interesting however was that the DNS name servers were creating high volume alerts for seafood-related searches.
According to the article, the university in question handed over the DNS and Firewall logs to Verizon’s RISK team for further analysis and discovered over 5,000 discrete systems, ranging from soda machines to lightbulbs, were making hundreds of DNS lookups every 15 minutes. According to a RISK team member, these devices were “Were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.” and the botnet “spread from device to device by brute forcing default and weak passwords”. On the advice of the RISK team, the University was able to halt the throttling by using a packet “sniffer” (software or hardware that can intercept information) to intercept a clear-text password of the infected IoT devices and use it to re-gain control of their property.
In essence this story, while humourous to an outsider, stakes the credibility of an IoT network attack. In this particular instance, using the power of Internet equipped Lightbulbs, soda machines, vending machines and the like, Campus network was severely rendered useless. To the untech-savvy the solution would have been to replace these 5000 units in order to make the problem go away. In the hands of someone more devious, an attacker could have also integrated the botnet on equipment that can also track voice or video for further gain. This all being said, a solution is possible to prevent the attack and further attacks by practicing in solid IoT security fundamentals such as creating separate Network Zones for IoT devices, and Changing the devices default credentials if possible.