University Hit With The Attack of the Vending Machines
Sounds like a low budget sci-fi thriller, but it is not.
In a sneak peak of Verizon’s new data breach report, Verizon tells the story of an unnamed university that was attacked by its own vending machines. For real.
The university had thousand of devices to manage, so, like many businesses, decided that connecting all these devices to the Internet was a sensible thing to do. They ignored the stories of how that could go bad and connected them anyway.
Students had been complaining that the network was slow and losing their connection, but the help desk chalked it up to undergrads who were clueless (well, not really, but basically, yes).
Eventually, it got bad enough that the problem was escalated and IT discovered that thousands of Internet connected devices had been hijacked and were making large numbers of DNS requests every few minutes.
They were making enough requests that real DNS requests were being dropped and students browsing was being degraded.
The university called in Verizon’s RISK team (Research, investigations, Solutions and Knowledge) who discovered the problem. 5,000 devices were making DNS requests to a handful of web sites overloading them.
Worse yet, the devices had been hijacked and the device passwords changed.
Note that this is a pretty benign attack – it could have been a lot worse. What if the vending machines started attacking other university resources or other resources on the Internet.
So how did the botnet get in to attack all those vending machines, light bulbs and whatever?
Well of course – some devices used the manufacturer’s default passwords while other devices used weak passwords. Nothing new here.
The university was lucky because the malware sent the new, changed passwords to the devices in the clear, so now that the university knew what was going on, they could discover what the passwords were changed to and change them to a new, strong password.
The moral of the story is that even your light bulbs can be your enemy – you have to think things though.
For details on what the university screwed up (besides weak and default passwords), read the article in Network World below.
It is that it is easy to make security mistakes. Actually, the good news is that the big mistake that they made allowed them to discover the dumb mistake (default and weak passwords), so in some sense, it all worked out.
Of course the students who had really slow Internet until the university decided to take them seriously – well, they are a different matter.
Information for this post came from Network World.