How a University Fought Off an IoT Attack and 12 Lessons Learned

The Verizon security team recently announced the first Data Breach Digest, a series of 18 cybercrime cases the team investigated. The Verizon team starts with a sneak peek of one of the case studies that describes how a university was attacked by an IoT botnet consisting of over 5,000 infected hosts. The study concludes with 12 good lessons learned from the attack. 

The initial Verizon report, “IoT Calamity: the Panda Monium,” describes how a university’s IT security team responded to an IoT attack that took down over 5,000 internet-connected devices, such as those used to control soda machines and light bulbs on the university campus. The story describes great teamwork and good lessons learned organizations can use to help combat future IoT security threats. 

Examples of IoT

IoT is a term that describes internet connected devices such as lighting systems, building automation or smart appliances, just to name a few. Each device typically has embedded electronics designed to connect to a network to get updates or communicate with back-end services hosted in the cloud. 

According to Verizon, “Security is often an afterthought when it comes  to IoT (Internet of Things) solutions—and that means  devices are often vulnerable to a wide array of threats.”

Since IoT devices usually stay connected to the internet, they can be ideal targets for exploit, which in turn can be turned into a botnet army. It’s not just the IoT vendors fault: I also described in a previous article the need for better IoT security standards as well.

Botnet Barrage

In the case study, a university team member noted an increased number of complaints from students about network connectivity slowness. The help desk soon found that Domain Name Service (DNS) lookups produced a high volume of abnormal alerts related to seafood industry sub-domains.

Upon further review of network and firewall logs with Verizon RISK team, the university IT team determined that over 5,000 systems were making hundreds of DNS lookups every 15 minutes. The team later confirmed the devices were hosted from a network dedicated for IoT infrastructure.

It was then determined a botnet spread from device to device by brute forcing default and weak passwords on each device, eventually taking control of all 5,000 systems. The compromised IoT devices were found to be communicating with thousands of devices, but only 15 distinct IP addresses (4 of which matched recent indicators list of emerging IoT botnets according to Verizon RISK team). 

Luckily, the security team was able to quickly install packet capture devices used to inspect the un-encrypted traffic (using HTTP instead of HTTPS) and then recover the newly changed IoT device passwords. The team then developed a script and pushed to all the devices to update the password and remediate the infection. 

12 Lessons Learned

Based on the IoT security incident, the team recommended the following guidelines: 

  1. Create separate networks for IoT systems and air-gap from critical networks.
  2. Don’t allow direct ingress and egress connectivity to the internet (use inline proxies and URL filtering).
  3. Change default passwords on all devices.
  4. Regularly monitor security events for endpoint threats.
  5. Scan for open remote access protocols.
  6. Disable common unused and unsecured configurations (such as UPnP, RTSP).
  7. Include IoT in IT asset inventory (for proper lifecycle management).
  8. Ensure firmware updates done on a timely basis.
  9. Ensure IoT device-related incidents are part of Incident Response playbooks.
  10. Scope and contain security incidents immediately.
  11. Leverage network forensics to include logs, packet capture and network flows.
  12. Notify law enforcement and CERT organizations (as threat could impact other organizations). 

These are all great lessons learned that organizations of all sizes can use in many other areas of security as well, to include desktops, servers and network security, to name a few. 

Leave a Comment

Your email address will not be published. Required fields are marked *