Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Networking Wireless Networking Botnet Education Security Verizon IT

College Network Attacked With Its Own Insecure IoT Devices (zdnet.com) 53

An anonymous reader writes:An attacker compromised over 5,000 IoT devices on a campus network -- including vending machines and light sensors -- and then used them to attack that same network. "In this instance, all of the DNS requests were attempting to look up seafood restaurants," reports ZDNet, though the attack was eventually blocked by cybersecurity professionals. Verizon's managing principal of investigative response blames the problem on devices configured using default credentials -- and says it's only gong to get worse. "There's going to be so many of these things used by people with very limited understanding of what they are... There's going to be endless amounts of technology out there that people are going to easily be able to get access to."
The article suggests "ensuring that IoT devices are on a completely different network to the rest of the IT estate." But it ends by warning that "until IoT manufacturers bother to properly secure their devices -- and the organizations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat."
This discussion has been archived. No new comments can be posted.

College Network Attacked With Its Own Insecure IoT Devices

Comments Filter:
  • by Anonymous Coward

    Write them per device based on the device serial number, which is affixed to the back of the device.

    This will defeat 'default password' attack botnets, provide just enough security to keep a device sort-of secure even under active incompetence, AND provide easy default password recovery given physical access to the device (which already negates software security to begin with.)

    A number of devices I've had over the years already do this. While many devices do not due to cheap quality control, anything that i

    • by Anonymous Coward

      Write them per device based on the device serial number, which is affixed to the back of the device.

      But that would cost 10 cents more per device! My company is struggling, we only net $460 million in profits each year. We're barely staying afloat, like both of my yachts. I can't afford to implement something that will cost more money.

      -- CEO

    • No. Do not create a circumstance where a password is default at all in any circumstance. Simply have the device boot up and demand a password to be set as a minimum configuration.

      The counter to this is that it makes set up too hard. The counter to that is that they have to configure their wireless password anyway, so it's not like we are demanding a integral reduction without using a calculator or a scratch pad.

  • by rmdingler ( 1955220 ) on Saturday February 11, 2017 @07:54PM (#53848013) Journal

    ...until IoT manufacturers bother to properly secure their devices...

    This is actually a planned event, set for the 5th of never.

    • It would help users identify what it is they're getting if everyone referred to it as IoS, not IoT. Remember folks, the abbreviation for "Internet of Things" is IoS, not IoT.
    • it's the Gong Show!

      I loved that show....still do.

      JP Morgan, hubba hubba. She used to flash the audience and contestants when she felt like it, which was pretty much all the time, lol.

    • Not even saying the name of the "college" in the summary is gong-worthy. I refuse to RTFA if TFS is a POS.
  • Never happen. People want to be able to use the things from their existing equipment.
    Camera -> Mobile
    Sensors -> Desktop
    Use Monitoring -> Accounting Cloud

    Good luck making a security case, unless they have already been burned and burned hard.

  • Not sure how they plan to achieve that, given that even in IT that does not happen...

    This needs to cost money *to the manufacturers* to start seeing something happening.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      That's the problem. This is a classic market failure. The cost of insecure IoT devices is an externality. The manufacturer already sold their device, so it doesn't affect them. The owner of the individual device often (though perhaps not in this case?) still has a working device as far as they can tell, so it doesn't really affect them, either. The fix for the device is to buy a new one, so it's actually a net win for the manufacturer at this point.

      Unfortunately, those in the US have been conditioned t

      • You would be right if this only affected individual consumers, but as this story illustrates it affects large organizations. Those organizations are large enough to make the manufacturer pay for their loss, maybe not this time but in the long run. If it was not the case here (and it likely was not), this university (and other large organizations) will put clauses in their contracts when they buy such devices making the manufacturer liable for such losses. Once manufacturers fix it for their big customers, t
      • The only way of fixing this is to make the high street retailer liable for the damage (including clean up costs) for IoT device failures like this. The liability should be statutory, ie the householder/college/... would not have to show negligence, just that a device installed as per reasonable instructions had this failure. These devices should also have support (eg easy to apply software updates), this support should be for the reasonable expected lifetime of the device; which for something like a light sensor would be 20-40 years, not the paltry year or two that you get with most e-bling these days.

        Making the manufacturer liable would not work, many of them are in other countries (eg China) and it would be too difficult for Joe Sixpack/Aunt Tilley to make a complaint - ie sue them. The retailer is in your country, a statutory liability would ensure that their buying departments do appropriate checks and arrange suitable long term support; then arrange insurance in case the manufacturer goes out of business or fails to deliver.

        "Oh No!" I hear cries "this will make my IoT toys more expensive!". Please consider the cost of not doing this, not just immediate damage but the cost of employing a builder to replace the light-sensor/e-switch/central-heating/...

  • Invest in poor security and you will get poor results.

  • by Murdoch5 ( 1563847 ) on Saturday February 11, 2017 @09:56PM (#53848429)
    Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.
    • by K10W ( 1705114 )

      Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      blame is partly on the "professionals" but that will never change. There will always be such incompetence in low level competency IT positions especially for inhouse in a none tech business and where budget for that stuff is low. Lost count of how many times I had to troubleshoot such idiocy from so called network professionals when management asked me to step in and sort the issues but management STILL don't listen despite admitting proof of the incompetence they wont change.

      More needs to be done from th

      • Common sense would tell even a high school level IT student, to throw the device into an isolated VLAN and attach port monitoring to the port on the switch which the device will talk to, so they can see how the traffic is coming out and if it's safe or not.
    • Who the hell would put an IoT device in the same VLAN with other network equipment? "Professionals" who cause these massive security issues and effectively shoot themselves in the foot deserve every second of pain and hardship they run into.

      Damn near everyone who is stupid enough to use IoT devices in the first place. Or employers who are stupid enough to force them to use them.

      • There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.
        • There is nothing wrong with IoT devices, as I'm currently producing several such devices myself. The problem comes in how you connect them to your network infrastructure.

          Nor is their anything wrong with falling off a cliff. Hitting the ground is a different story.

          It isn't that these devices can't be made secure. It is that they simply are not secure. Your secure devices does not nullify the (millions) that are out there now, that are so easy to turn into a botnet, that is tuhttps://slashdot.org/rning into the main feature of IoT.

          • Right and that's not what we're arguing, no matter how insecure they are, you have to connect them to your network in the right manor. The firs thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being to busy, really isn't an excuse.
            • Right and that's not what we're arguing, no matter how insecure they are, you have to connect them to your network in the right manor. The firs thing I would do is to provision a VLAN on my network with full port monitoring, then hook up a firewall to monitor that VLAN, then connect those devices and isolate them so they don't and can't talk to the rest of the network. This would take maybe 1 hour, so being to busy, really isn't an excuse.

              Well, let's just hope we get this taken care of before too long. The big trick is going to be coming up with a way for the home users to isolate their machines. There are some ways to start, but the Chinese manufacturers of inexpensive stuff you buy on ebay shipped straight in will be a tough nut to crack.

              • In the home environment is where IoT devices are very dangerous, because I would never expect a home user to have the gear or skill to do these kind of configurations, that is where we need required certifications and marks to show the security is at a decent enough level, X.
  • by __aaclcg7560 ( 824291 ) on Saturday February 11, 2017 @11:53PM (#53848835)
    Due to changes by the powers to be, my coworkers and I have ot narrow down the scope of the raw Nessus scan data to find our work assignments. Pull the spreadsheet, search for laptops and workstations in OU path, and work on the narrowed dataset (~400K items). One of the more interesting things to find in the raw data are garage openers on the network. Not sure how to remediate those yet. Won't be long before refrigerators, microwave ovens and HDTVs are on the network. Hopefully those will be on a separate VLAN than the general VLAN.
  • Dumb people being hit by their own stupidity is great, let's hope it stays that way and doesn't hit unsuspecting victims that actually DID try to secure their systems and get hit by the fallout.

  • looks like now the spell check has been hijacked and is searching for seafood restaurants.
  • College decided to provide free seafood on weekends to avoid getting attacked again.

    Next Semester, another 5000 IoT devices were compromised looking up Steak Houses...

  • It's the dolphins making their plans to leave.

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!

Working...