An unnamed university was hit by a DDoS attack using the campus’ own vending machines and assorted Internet of Things (IoT) devices.

Revealed in Verizon’s preview of its 2017 Data Breach Digest, the university contacted the telecoms company’s RISK (Research, Investigations, Solutions and Knowledge) Team to handle the unusual attack.

Fishy requests

Vending machines go bad
A vengeful vending machine from the film Maximum Overdrive – Stephen King

After originally dismissing calls from students claiming that their Internet had slowed, a senior member of the IT security team was notified after it became apparent that there was indeed a problem.

The anonymous ‘incident commander’ wrote in the report that she/he noticed that “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.

“As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the Internet.” 

It was at that point that the RISK team were called in, who realized that 5,000 IoT devices, including hijacked vending machines and lights, were making the seafood-related DNS requests every 15 minutes.

“While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet,” the commander said.

The devices were enslaved by a botnet that spread from device to device by brute forcing default and weak passwords.

It then changed the device’s password, locking the administrators out and making the commander believe that the only way to fix the issue was to replace all the devices. But, thankfully for the university, a plan was devised “to intercept the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.”

This proved successful, with one of the university’s developers “able to write a script, which allowed [them] to log in, update the password, and remove the infection across all devices at once.”

While the attack was ultimately short lived, and was not on a life-or-death system, it serves as yet another reminder of the danger of poorly secured IoT devices which have been resposible for an increasing number of DDoS attacks, including one that took out hundreds of popular services.

In our next issue of the DCD Magazine, out later this week, we take a look at the rise of these attacks, what they mean for the data center, and how one can turn them into a business advantage.