How IoT hackers turned a university's network against itself

A university found its own network turned against it - as refrigerators and lights overwhelmed it with searches for seafood.
Written by Danny Palmer, Senior Writer

Hackers are increasingly building botnets out of unsecured Internet of Things devices and using them to direct traffic at particular targets in order to overwhelm servers with the aim of taking websites and services offline.

The hijacked devices are used to target networks which could be anywhere across the globe, but cybersecurity researchers have now detailed how a network of hacked IoT devices were turned around to attack the very network they were hosted on.

The case in question, as reported in Verizon's Data Breach Digest 2017, occurred within the last year and involved the computer network at an unspecified university.

Analysis of the university firewall identified over 5,000 devices making hundreds of Domain Name Service (DNS) look-ups every 15 minutes, slowing the institution's entire network and restricting access to the majority of internet services.

In this instance, all of the DNS requests were attempting to look up seafood restaurants -- and it wasn't because thousands of students all had an overwhelming urge to eat fish -- but because devices on the network had been instructed to repeatedly carry out this request.

"We identified that this was coming from their IoT network, their vending machines and their light sensors were actually looking for seafood domains; 5,000 discreet systems and they were nearly all in the IoT infrastructure," says Laurance Dine, managing principal of investigative response at Verizon.

There's no indication as to why hackers chose seafood restaurant searches as the tool of choice to overwhelm the servers.

Exploiting the poor security of Internet of Things by using brute force attacks to crack default and poor passwords, cybercriminals hacked into the network of IoT devices and deployed malware.

This malware instructed the likes of lights and fridges to turn their requests against the university in order to overwhelm the network in one of the first recorded attacks of its kind.

"It's a very interesting concept of what the future may hold. Because the difference between what this is doing and other scenarios is [it's] using your own IoT against you," says Dine.

"They're not using IoT or a combination of IoT networks from around the globe to target somebody in a botnet DDoS attack. This is actually the university's own IoT network pitted against the university".

This attack ultimately aimed to take down the network of the entire university, which would've succeeded if cybersecurity professionals hadn't been able to remedy the attack.

While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.

"The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there's going to be so many of these things used by people with very limited understanding of what they are," says Dine.

"There's people who don't have laptops that are going to have refrigerators that are going to be on a network that can communicate with whatever. They're not going to know about changing default passwords," he adds.

One way organisations can attempt to avoid falling victim to this sort of attack is by ensuring that IoT devices are on a completely different network to the rest of the IT estate.

But until IoT manufacturers bother to properly secure their devices -- and the organisations which deploy them learn to properly manage them -- DDoS attacks by IoT botnets are going to remain a huge threat.

"There's going to be endless amounts of technology out there that people are going to easily be able to get access to. DDoS is going to continue to be a big problem until we figure out how to create diversions," says Dine.


Editorial standards