An unnamed university experienced a major DDOS attack from it's own vending machines, light bulbs and other IoT devices. Some hackers thought it would be fun to manually brute force some 5,000 IoT devices on the campus and set them to query seafood related domains. Students complained about slow network access, but the help desk at the university ignored them. By the time that the senior IT security team member was contacted, the network was dropping legitimate traffic for some 5,000 seafood requests. The Verizon RISK (Research, Investigations, Solutions and Knowledge) Team was called in and they identified the root of the problem as the soda machines, light bulbs, and other IoT machines sending requests for seafood domains every 15 minutes.
To remedy the issue, Verizon RISK had managed to intercept a packet with a clear text individual malware password for a device; this had to be repeated for all 5,000 IoT devices on the network. Then they changed the hacked passwords on all devices at once with a script. What do you think of IoT device security? Verizon advises to put IoT devices onto their own zone within a network separate from mission critical devices. This isn't the first attack of this type. At what point do we just leave the IoT devices in the store until they gain some security? Or is it just human error that allows these attacks?
Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password—locking us out of the 5,000 systems.