College Network Attacked With Its Own Insecure IoT Devices (zdnet.com) 53
An anonymous reader writes: An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."
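The pattern in the summary (many IoT devices issuing bursts of DNS lookups that share a theme) can be spotted in resolver logs. The following is an added example, not taken from the ZDNet article or from anyone in this thread; the log format, the 10.20.0.0/16 IoT range, the thresholds and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

IOT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed address range of the IoT segment

def build_sample():
    """Constructed resolver log lines: 'epoch_seconds client_ip qname'."""
    lines = [f"{1000 + i} 10.20.0.{host} seafood-{host}{i}.example.com"
             for host in range(1, 5) for i in range(6)]   # four devices, six lookups each
    lines.append("1003 10.1.0.7 www.example.org")          # workstation, outside IOT_NET
    lines.append("1010 10.20.0.9 ntp.example.net")         # IoT device behaving normally
    return lines

def detect(lines, window=60, min_rate=5, min_clients=3):
    """Return (window_start, token, clients) where many busy IoT clients share a name token."""
    per_client = defaultdict(int)      # (bucket, client) -> query count
    token_clients = defaultdict(set)   # (bucket, token)  -> clients that used the token
    for line in lines:
        ts, client, qname = line.split()
        if ipaddress.ip_address(client) not in IOT_NET:
            continue
        bucket = int(ts) // window
        per_client[(bucket, client)] += 1
        first_label = qname.lower().split(".")[0]
        for token in re.split(r"[^a-z]+", first_label):
            if len(token) >= 4:        # ignore short fragments such as "ntp" or "www"
                token_clients[(bucket, token)].add(client)
    alerts = []
    for (bucket, token), clients in token_clients.items():
        busy = sorted(c for c in clients if per_client[(bucket, c)] >= min_rate)
        if len(busy) >= min_clients:
            alerts.append((bucket * window, token, busy))
    return sorted(alerts)
```

The thresholds are deliberately low so the small sample triggers; on a real resolver they would be tuned against a baseline of what sensors and vending machines normally query.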
Simple solution to 'default' passwords: (Score:2, Insightful)
Write them per device based on the device serial number, which is affixed to the back of the device.
This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)
A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that i
Re: (Score:1)
Write them per device based on the device serial number, which is affixed to the back of the device.
But that would cost 10 cents more per device! My company is struggling, we only net $460 million in profits each year. We're barely staying afloat, like both of my yachts. I can't afford to implement something that will cost more money.
-- CEO
Re:Simple solution to 'default' passwords: WRONG! (Score:3)
No. Do not create a circumstance where a password is default at all in any circumstance. Simply have the device boot up and demand a password to be set as a minimum configuration.
The counter to this is that it makes set up too hard. The counter to that is that they have to configure their wireless password anyway, so it's not like we are demanding an integral reduction without using a calculator or a scratch pad.
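The two proposals above (a per-device password tied to the serial number on the label, and a device that demands a password at first boot) can be combined. The sketch below is an added example, not code from any poster or vendor: the `Device` class, the factory key, the alphabet and the length rules are hypothetical. The label code is derived with a keyed HMAC so that knowing a serial number alone does not reveal it, and it only authorises first-time setup.

```python
import hashlib
import hmac
import secrets

# Label-friendly alphabet without look-alike characters (assumption, not from the thread).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def label_password(factory_key: bytes, serial: str, length: int = 12) -> str:
    """Per-device setup code: keyed on a factory secret, so knowing a serial is not enough."""
    n = int.from_bytes(hmac.new(factory_key, serial.encode(), hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Device:
    """Hypothetical device: no remote login exists until the owner sets a password."""

    def __init__(self, serial: str, factory_key: bytes):
        self.serial = serial
        self._setup_code = label_password(factory_key, serial)  # also printed on the label
        self._salt = self._hash = None

    @property
    def remote_access_enabled(self) -> bool:
        return self._hash is not None

    def first_boot_setup(self, setup_code: str, new_password: str) -> None:
        if self.remote_access_enabled:
            raise PermissionError("already configured; factory reset needs physical access")
        if not hmac.compare_digest(setup_code.encode(), self._setup_code.encode()):
            raise PermissionError("setup code does not match the label")
        if len(new_password) < 12 or new_password == setup_code or self.serial in new_password:
            raise ValueError("password too short or derived from label data")
        self._salt = secrets.token_bytes(16)
        self._hash = _kdf(new_password, self._salt)

    def login(self, password: str) -> bool:
        if not self.remote_access_enabled:
            return False  # nothing to brute-force before setup
        return hmac.compare_digest(_kdf(password, self._salt), self._hash)
```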
Hard to imagine (Score:3)
...until IoT manufacturers bother to properly secure their devices...
This is actually a planned event, set for the 5th of never.
"...it's only gong to get worse..." (Score:2)
Re: (Score:2)
it's the Gong Show!
I loved that show....still do.
JP Morgan, hubba hubba. She used to flash the audience and contestants when she felt like it, which was pretty much all the time, lol.
Completely Separate Network ? (Score:2)
Never happen. People want to be able to use the things from their existing equipment.
Camera -> Mobile
Sensors -> Desktop
Use Monitoring -> Accounting Cloud
Good luck making a security case, unless they have already been burned and burned hard.
until IoT manufacturers bother to properly secure (Score:1)
Not sure how they plan to achieve that, given that even in IT that does not happen...
This needs to cost money *to the manufacturers* to start seeing something happening.
Re: (Score:2, Informative)
That's the problem. This is a classic market failure. The cost of insecure IoT devices is an externality. The manufacturer already sold their device, so it doesn't affect them. The owner of the individual device often (though perhaps not in this case?) still has a working device as far as they can tell, so it doesn't really affect them, either. The fix for the device is to buy a new one, so it's actually a net win for the manufacturer at this point.
Unfortunately, those in the US have been conditioned t
don't forget the 3rd party payment vendor that jus (Score:2)
don't forget the 3rd party payment vendor that just runs their own device that is plugged into the DBA bus.
Re:until IoT manufacturers bother to properly secu (Score:4, Interesting)
The only way of fixing this is to make the high street retailer liable for the damage (including clean up costs) for IoT device failures like this. The liability should be statutory, ie the householder/college/... would not have to show negligence, just that a device installed as per reasonable instructions had this failure. These devices should also have support (eg easy to apply software updates), this support should be for the reasonable expected lifetime of the device; which for something like a light sensor would be 20-40 years, not the paltry year or two that you get with most e-bling these days.
Making the manufacturer liable would not work, many of them are in other countries (eg China) and it would be too difficult for Joe Sixpack/Aunt Tilley to make a complaint - ie sue them. The retailer is in your country, a statutory liability would ensure that their buying departments do appropriate checks and arrange suitable long term support; then arrange insurance in case the manufacturer goes out of business or fails to deliver.
"Oh No!" I hear cries "this will make my IoT toys more expensive!". Please consider the cost of not doing this, not just immediate damage but the cost of employing a builder to replace the light-sensor/e-switch/central-heating/...
You reap what you so. (Score:2)
Invest in poor security and you will get poor results.
Re: (Score:2)
sow*
Investing in everything but editable posts and you will get unedited posts.
VLAN + Firewall? (Score:3)
Re: (Score:1)
Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.
Blame is partly on the "professionals" but that will never change. There will always be such incompetence in low-level competency IT positions, especially for in-house in a non-tech business and where budget for that stuff is low. Lost count of how many times I had to troubleshoot such idiocy from so-called network professionals when management asked me to step in and sort the issues, but management STILL don't listen; despite admitting proof of the incompetence they won't change.
More needs to be done from th
Re: (Score:2)
Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.
Damn near everyone who is stupid enough to use IoT devices in the first place. Or employers who are stupid enough to force them to use them.
Re: (Score:2)
There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.
Nor is there anything wrong with falling off a cliff. Hitting the ground is a different story.
It isn't that these devices can't be made secure. It is that they simply are not secure. Your secure devices do not nullify the (millions) that are out there now, that are so easy to turn into a botnet, that is turning into the main feature of IoT.
Re: (Score:2)
Right and that's not what we're arguing, no matter how insecure they are, you have to connect them to your network in the right manner. The first thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being too busy, really isn't an excuse.
Well, let's just hope we get this taken care of before too long. The big trick is going to be coming up with a way for the home users to isolate their machines. There are some ways to start, but the Chinese manufacturers of inexpensive stuff you buy on ebay shipped straight in will be a tough nut to crack.
Garage door openers on the network... (Score:4, Interesting)
Good (Score:2)
Dumb people being hit by their own stupidity is great, let's hope it stays that way and doesn't hit unsuspecting victims that actually DID try to secure their systems and get hit by the fallout.
it's only gong to get worse. (Score:2)
Next Semester (Score:1)
College decided to provide free seafood on weekends to avoid getting attacked again.
Next Semester, another 5000 IoT devices were compromised looking up Steak Houses...
Seafood restaurants (Score:1)