University Experiences DDoS Attack From IoT Vending Machines and Light Bulbs

cageymaru

An unnamed university experienced a major DDOS attack from its own vending machines, light bulbs and other IoT devices. Some hackers thought it would be fun to manually brute force some 5,000 IoT devices on the campus and set them to query seafood related domains. Students complained about slow network access, but the help desk at the university ignored them. By the time that the senior IT security team member was contacted, the network was dropping legitimate traffic for some 5,000 seafood requests. The Verizon RISK (Research, Investigations, Solutions and Knowledge) Team was called in and they identified the root of the problem as the soda machines, light bulbs, and other IoT machines sending requests for seafood domains every 15 minutes.

To remedy the issue, Verizon RISK had managed to intercept a packet with a clear text individual malware password for a device; this had to be repeated for all 5,000 IoT devices on the network. Then they changed the hacked passwords on all devices at once with a script. What do you think of IoT device security? Verizon advises to put IoT devices onto their own zone within a network separate from mission critical devices. This isn't the first attack of this type. At what point do we just leave the IoT devices in the store until they gain some security? Or is it just human error that allows these attacks?

Of the thousands of domains requested, only 15 distinct IP addresses were returned. Four of these IP addresses and close to 100 of the domains appeared in recent indicator lists for an emergent IoT botnet. This botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password—locking us out of the 5,000 systems.
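One way a network team could spot the pattern the RISK team describes (devices checking in on a fixed 15-minute cycle, thousands of names collapsing onto a handful of addresses) from a resolver log. This is an added example, not code from the post or from Verizon's report; the log format, client addresses and domain names are all constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed resolver log, "<timestamp> <client> <queried name> <answer>": two IoT
# clients resolve a rotating name every ~15 min, all landing on two addresses.
SAMPLE_LOG = """\
2017-02-10T08:00:02 10.20.1.17 seafood-a.example 203.0.113.10
2017-02-10T08:15:01 10.20.1.17 seafood-b.example 203.0.113.11
2017-02-10T08:30:03 10.20.1.17 seafood-c.example 203.0.113.10
2017-02-10T08:45:00 10.20.1.17 seafood-d.example 203.0.113.11
2017-02-10T08:00:10 10.20.1.18 seafood-a.example 203.0.113.10
2017-02-10T08:15:09 10.20.1.18 seafood-e.example 203.0.113.10
2017-02-10T08:30:08 10.20.1.18 seafood-f.example 203.0.113.11
2017-02-10T08:45:12 10.20.1.18 seafood-g.example 203.0.113.10
2017-02-10T08:03:00 10.20.5.44 www.example.org 198.51.100.5
2017-02-10T08:41:00 10.20.5.44 cdn.example.net 198.51.100.9
"""

def parse_log(text):
    """Return (timestamp, client, name, answer) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, client, name, answer = line.split()
        rows.append((datetime.fromisoformat(ts), client, name, answer))
    return sorted(rows)

def fan_in_addresses(rows, min_names=3):
    """Answers that many distinct names resolve to (thousands of domains
    collapsing onto 15 addresses in the report)."""
    names = defaultdict(set)
    for _, _, name, answer in rows:
        names[answer].add(name)
    return {ip for ip, seen in names.items() if len(seen) >= min_names}

def beaconing_clients(rows, period=900, tolerance=30, min_queries=4):
    """Clients whose lookups recur at a fixed interval (15 min +/- tolerance)."""
    stamps = defaultdict(list)
    for ts, client, _, _ in rows:
        stamps[client].append(ts)
    hits = set()
    for client, times in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_queries and all(abs(g - period) <= tolerance for g in gaps):
            hits.add(client)
    return hits

def suspicious_clients(text):
    """Beaconing clients whose answers land on fan-in addresses."""
    rows = parse_log(text)
    sinks, beacons = fan_in_addresses(rows), beaconing_clients(rows)
    return sorted(c for c in beacons
                  if any(cl == c and a in sinks for _, cl, _, a in rows))
```

Run against a real resolver export, the two thresholds (period and fan-in count) are the knobs to tune; the user host 10.20.5.44 is left alone because its lookups are neither periodic nor aimed at a shared sink.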
What do I think of non-existent security?

IoT devices have no place in vending machines, light bulbs and everything else. It's a complete waste of time, money, energy, etc.

The fact that this campus bought and installed over 5000 devices goes to show that campuses have way too much money and love to waste it. Maybe instead they should focus on lowering enrollment costs for students.
 
Chances are these devices were allowed more access out of the campus network than the average student. Instead, they should be on their own physical network, or failing that a secured VLAN. Their access should be controlled by a default block everything rule and only traffic specifically approved by the security admins allowed out to the Internet.

Also, legislation needs to happen that requires IoT makers to publish what traffic a device generates, where that traffic goes, and what breaks on the device if the traffic is blocked.
 
What do I think of non-existent security?

IoT devices have no place in vending machines, light bulbs and everything else. It's a complete waste of time, money, energy, etc.

The fact that this campus bought and installed over 5000 devices goes to show that campuses have way too much money and love to waste it. Maybe instead they should focus on lowering enrollment costs for students.

Why though? Universities couldn't care less about the students, it's all about the research. It's kinda funny considering the students are the ones mostly supporting the schools.
 
Was it CSUS? The campus' online presence went under last Tuesday, and administrators blamed a DDOS attack. Everyone else on campus just blamed the sysadmins for continual shitty service (and rightly so, since it has been bad for a while).

EDIT:

Why though? Universities couldn't care less about the students, it's all about the research. It's kinda funny considering the students are the ones mostly supporting the schools.
LOL! Not surprising to me.
 
Having these types of things on a network isn't by default a bad thing; they just should be implemented knowing they are not secure and really should be limited in what they can communicate with. My opinion is they should be on their own segmented VLAN/VRF. From experience though, unless these places actually spend the time and money on network design, policy, implementation and maintaining such, you basically end up with "let's just plug it in."
 
What do I think of non-existent security?

IoT devices have no place in vending machines, light bulbs and everything else. It's a complete waste of time, money, energy, etc.

The fact that this campus bought and installed over 5000 devices goes to show that campuses have way too much money and love to waste it. Maybe instead they should focus on lowering enrollment costs for students.

Light bulbs I'll give ya. The vending machine is a practical networked device as it can send errors, stock indicators, and other metrics so that delivery guys only need to bring what sells the most or a repair can be requested instantly. That saves the vending supplier money [and the client], and makes sure the machines are operating at peak levels to meet the demand of their deployment.


What needs to change is that IoT default passwords need to be randomized and not one-for-all. This is something router companies have started doing. They also should require stricter password guidelines. No more 'password123'.
 
I had a CC compromised with some fraudulent charges recently and I'm 99% sure it was from a university vending machine. The charges on my CC were with a vending machine company and I had just recently made a purchase with said CC at a machine. I would have used cash but I didn't have any at the moment. Going forward I'll use cash or just be hungry.
 
What do I think of non-existent security?

IoT devices have no place in vending machines, light bulbs and everything else. It's a complete waste of time, money, energy, etc.

The fact that this campus bought and installed over 5000 devices goes to show that campuses have way too much money and love to waste it. Maybe instead they should focus on lowering enrollment costs for students.

My campus spends all of its gobs of money on campus beautification, and none of it on actual shit that matters. It's all about convincing parents to get their kids to attend; the administration doesn't give a fuck about the students. Our higher education system is pathetic.
 
Light bulbs I'll give ya. The vending machine is a practical networked device as it can send errors, stock indicators, and other metrics so that delivery guys only need to bring what sells the most or a repair can be requested instantly. That saves the vending supplier money [and the client], and makes sure the machines are operating at peak levels to meet the demand of their deployment.


What needs to change is that IoT default passwords need to be randomized and not one-for-all. This is something router companies have started doing. They also should require stricter password guidelines. No more 'password123'.

I get that from a stock perspective, but at the end of the day you still need to go to each machine to collect change/dollars and such. Is it really THAT beneficial to warrant:
1) Extra costs for these services, versus old fashioned vending machines that can probably be had for way cheaper
2) Security costs to ensure they are properly implemented so things like this don't happen
3) Software maintenance costs, versus old-school ones that don't have them.
 


OH FFS!!!!!!!!111!11!11!!!11.

it's a god damn plant it needs water and sunlight.

rocket surgery this isn't.
 
Light bulbs I'll give ya. The vending machine is a practical networked device as it can send errors, stock indicators, and other metrics so that delivery guys only need to bring what sells the most or a repair can be requested instantly. That saves the vending supplier money [and the client], and makes sure the machines are operating at peak levels to meet the demand of their deployment.


What needs to change is that IoT default passwords need to be randomized and not one-for-all. This is something router companies have started doing. They also should require stricter password guidelines. No more 'password123'.

On the repair aspect, how often do smart machines accurately and fully diagnose and report what has gone wrong with the machine?

The vending machine supply aspect works better for edge case scenarios of juuussst enough machine/sales to somehow be profitable while also being supplied by somebody who does not have access to something with the cargo capacity of even a Ford Transit van. A university is generally going to have several / dozens / hundreds of vending machines, plus on campus stores selling the same snack items, so the stock is already there and being cycled. Who would supply a vending machine route that would fill just one or two machines and then go back to the supply depot? Unless it's on the scale of selling smartphones or mini gold bars (both things where I live!) you'd likely spend more on fuel and labor than you'd recoup in snack sales. Similarly, I would be surprised to see a deliveryman sent out solely because a smart vending machine reported that it was out of Cherry Coke.

When loading a hand truck, what takes more time: counting out five mini-bags of Cheetos, one bag of Funions, six bags of Ruffles, and twenty-two cool ranch Doritos bags, or just grabbing dozen-count boxes for each item and stocking at the vending machine? So while Funions might not be popular with THAT vending machine, by leaving the box on the hand truck it will eventually get depleted during the rounds.

The best part on the supply-side is for easy tabulating and long-term tracking of what sales are most popular in each location for the purpose of weighting how many sleeves in the vending might carry a given item.

Of course, an IoT vending machine can be more easily configured to accept debit and credit cards, but I'd likely rather trust how that was handled pre-IoT days, with dedicated networks just for handling payment transactions.
 
IMHO, IoT should just die a horrible death. I'm all for controlling devices in my home using IP and servers, but this needs to be local only. They shouldn't be contacting the outside network. If I need to I'll run a server in my home to manage them.

Death to the cloud shit.
 
Does it say the vending machines are part of the whole IoT group? I didn't get that out of the story; I got vending machines AND IoT devices (light bulbs, etc.). Vending machines are networked for inventory and debit card transactions. I guess I consider that a separate group. I consider IoT those stupid "smart bulbs" that you can access from an app on your smart phone (which is just kinda stupid and gimmicky to me). If the vending machine has that then I guess you can put that in the group of IoT. Maybe I'm wrong for that assumption.
 
I think it's time for UL to create an IoT division to certify that devices meet basic security requirements. Then users can avoid buying those that aren't certified, if they are concerned about security.
 