IoT Attack Against a University Network

Verizon's Data Brief Digest 2017 describes an attack against an unnamed university by attackers who hacked a variety of IoT devices and had them spam network targets and slow them down:

Analysis of the university firewall identified over 5,000 devices making hundreds of Domain Name Service (DNS) look-ups every 15 minutes, slowing the institution's entire network and restricting access to the majority of internet services.

In this instance, all of the DNS requests were attempting to look up seafood restaurants -- and it wasn't because thousands of students all had an overwhelming urge to eat fish -- but because devices on the network had been instructed to repeatedly carry out this request.

"We identified that this was coming from their IoT network, their vending machines and their light sensors were actually looking for seafood domains; 5,000 discreet systems and they were nearly all in the IoT infrastructure," says Laurance Dine, managing principal of investigative response at Verizon.

The actual Verizon document doesn't appear to be available online yet, but there is an advance version that only discusses the incident above, available here.

Posted on February 17, 2017 at 8:30 AM • 14 Comments

Comments

My InfoFebruary 17, 2017 10:59 AM

"We identified that this was coming from their IoT network, their vending machines and their light sensors were actually looking for seafood domains; 5,000 discreet systems and they were nearly all in the IoT infrastructure," says Laurance Dine, managing principal of investigative response at Verizon.

Fuckin' serves THEM right for buying in to the "Internet of Things." Same old story.

Computerized shit: insecure, highly proprietary code running with elevated privileges.

"NO USER SERVICEABLE PARTS INSIDE."

HA! HA! HA!

bigmacbearFebruary 17, 2017 11:40 AM

5,000 discreet systems

I would suggest if they were blabbing at such high volume on the network, they weren't very discreet. "Discrete" I can buy though. ;)

Clive RobinsonFebruary 17, 2017 12:48 PM

I guess the obvious question is why were the IoT devices on the general network?

I thought it had been obvious for some years now with the likes of IP based CCTV and phones etc, you put them on their own network physical or virtual so you can do as a minimum standard QoS and PoE type activities. I know of atleast two large Universities in the UK and several small to medium sized businesses where that was standard behaviour getting on for a decade ago.

There is the old saying about managing your workers, because if you don't manage them, then they will manage you... The same applies to computers and all communications equipment of which IoT is currently just a small part, it you don't manage them from the get go, then you know where you time sinks will appear.

albertFebruary 17, 2017 1:17 PM

@Bill,
I'm not an afishinado either.

@CLive,

Clive, Clive, Clive...have you taken leave of your census? Shirley you don't use logic and reason in a case like this.

Why was Verizon involved? Did they provided IT services for the nameless university?

More data needed.
. .. . .. --- ....

BillFebruary 17, 2017 1:36 PM

@Albert: The article said they had Verizon on retainer.

"Now that I had a handle on the incident in general, I reached out
to the Verizon RISK Team, which we had on retainer"

TedFebruary 17, 2017 2:37 PM

Verizon’s RISK (Research, Investigations, Knowledge, Solutions) Team shares a potpourri of anonymized cases studies, for other folks to review and learn from.

The 16 cybercrime case studies they share -- with measures you can to take to mitigate and resolve these issues – are sorted into four categories “The Human Element,” “Conduit Devices,” “Configuration Exploitation,” and “Malicious Software.”

The story above can be found under Conduit Devices “CD-3: IoT Calamity – the Panda Monium” and can be reviewed along with the others here:

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

(The first section asks visitors to register for the report, however, there is a link to same 100-page report under that that you can click on to read to same report.)

Each cybercrime case in this report has an “Attack-Defend Card.” The card for “IoT Calamity – the Panda Monium” gives a brief overview covering Breach Scenario, Incident pattern, Threat actor, and Targeted victims.

Under Targeted victims it lists the key stakeholders as “Incident Commander, Legal Counsel, and Corporate Communications” (more at Appendix A: Key Incident Response Stakeholders) and Countermeasures as “CSC-1, CSC-3, CSC-9, CSC-11, and CSC-12” (more at Appendix B: CIS Critical Security Controls).

albertFebruary 17, 2017 6:17 PM

@Bill,

Noted, but what university was it, who designed the system, and who operates it?

. .. . .. --- ....

unbobFebruary 18, 2017 5:35 AM

@Clive
> I guess the obvious question is why were the IoT devices on the general network?

Apparently they were on there own network segment, but no one thought of the implications of allowing them to make DNS queries to the main network.

Clive RobinsonFebruary 18, 2017 7:15 AM

@ unbob,

Apparently they were on there own network segment, but no one thought of the implications of allowing them to make DNS queries to the main network.

Hmm so the prize race horse was in the stable, but nobody thought to shut the stable door...

The moral of IoT devices and earlier network appliances is that they can not be trusted, therefore you "lock them up". Whilst that was once easy because they were wired devices, it's become hard due to wireless. Thus now you have to "lock them out" of your other wireless networks, which means a lot more work than it once did, as "ease of use" for other systems has to go out the window...

IoT is bad news in many ways, not least due to money. Consumers want the cheapest possible price and manufacturers the most profit they can make. In a two sided market the resultwas an uneasy stalemate where manufacturers had some profit, as competition amongst manufactrers kept the price down. However it's a three way game these days and there is a lot of money in "personal data" currently, more than there is in product sales... Thus the manufacturer is incentivised to almost give away the hardware in return for a free run at the way more profitable "personal data". The problem is people are starting to be privacy conscious and not want to alow their "personal data" to be raped, pillaged and plundered". Thus manufacturers are looking at ways to prevent you from stopping them collecting your "personal data". This includes the device not functioning in part or full if you stop it doing an ET and phoning home to China etc. Worse some manufacturers claim they compleatly own not just the software, but the hardware and any personal data it can collect. In short you pay them to loose basic legal rights...

I do not see this changing any time soon unless something disrupts the market and it's environment. Bruce has mentioned regulation of the market but lobbying is likely to neuter that, however a change in the environment where you have to pay for each byte of data sent would likely have quite a dramatic effect as a knock on to the market...

albertFebruary 18, 2017 1:21 PM

@Clive,

"...where you have to pay for each byte of data sent would likely have quite a dramatic effect as a knock on to the market......"

No, an IoT device (other than a camera) doesn't use much bandwidth. DNS requests are trivial in those terms, especially if there are thousands of devices working together.

Face it, manufacturers have -no- motivation to 'do the right thing'. This is true of -any- kind of manufacturing and -all- aspects of production of -any- product.

I hate to say it, but regulation appears to be the only workable solution. How else can one prevent the use of poorly designed, insecure devices?

Regulations can be very simple, but aren't, because of forced compromises with manufacturers. So, we need arguments that trump all compromises, like, say, 'national security'.

Attacks on our infrastructure are already happening, but the really big one has yet to occur. Imagine the pissing and moaning and hand-wringing. There'll be lots of talk, lots of accusations, and attempts at retribution (US are very good at that). Shift the blame. Cries for regulation, water them down, wait for the next one, rinse, repeat.

The financial system works just like that, except for the 'regulation' part.

. .. . .. --- ....

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.