A still-unidentified American university reportedly battled an army of smart devices, led by vending machines, in a concerted hacking attempt that held the school's internet hostage for some time. The institution's IT staff was overwhelmed by the breach, which is why Verizon's RISK Team had to be called in for support.
The incident is similar to previous attacks involving IoT devices.
DNS Lookup Breach
According to the university's report, the problem was first detected after students complained of slow internet connections. An initial probe revealed that the servers tasked with handling the Domain Name System (DNS) were being inundated by a barrage of bot attacks coming from internet-connected devices.
"As the servers struggled to keep up, legitimate lookups were being dropped — preventing access to the majority of the internet," one of the school's senior IT personnel recounted.
As the barrage of mysterious lookups persisted, the school grew more alarmed. When the staff collected the internet logs, they were taken aback: the data showed an astounding 5,000 discrete systems, each executing hundreds of lookups every 15 minutes.
Hacked IoT Execute Botnet Barrage
It turned out that internet-connected devices within the university, led by vending machines and light bulbs, had been tampered with by malware to use DNS servers in a different subnet. This allowed the hacker to corrupt the school's IoT infrastructure, which had been allocated its own segment in the institution's network for better management.
The botnet was able to corrupt more and more devices by brute-forcing its way through default and weak passwords. Once this had been done on, say, one vending machine, the hacker was able to take complete control, shutting the school's IT staff out.
The machine was thus effectively free to wreak havoc. Imagine the extent of the damage once 5,000 of these finally executed concerted attacks.
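The two signals described above (systems each making hundreds of lookups every 15 minutes, and tampered devices using DNS servers in a different subnet) can both be checked from DNS query logs. The following Python sketch is an added example, not taken from the university's or Verizon's report; the log format, addresses, threshold and IoT segment range are assumptions, and the sample log is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

WINDOW = 15 * 60                                  # the 15-minute interval the logs showed
THRESHOLD = 100                                   # assumed cut-off for "hundreds of lookups"
APPROVED_RESOLVERS = {ip_address("10.0.0.53")}    # assumed campus DNS server
IOT_SEGMENT = ip_network("10.20.0.0/16")          # assumed IoT segment

def analyse(lines):
    """Assumed line format: '<ISO-8601 time> <client IP> <resolver IP> <query name>'."""
    per_window = defaultdict(Counter)   # window start (epoch seconds) -> client -> lookups
    foreign = defaultdict(set)          # client -> resolvers used that are not approved
    for line in lines:
        if not line.strip():
            continue
        ts, client, resolver, _qname = line.split()
        client, resolver = ip_address(client), ip_address(resolver)
        start = int(datetime.fromisoformat(ts).timestamp()) // WINDOW * WINDOW
        per_window[start][client] += 1
        if resolver not in APPROVED_RESOLVERS:
            foreign[client].add(resolver)
    noisy = {}                          # client -> peak lookups in any single window
    for counts in per_window.values():
        for client, n in counts.items():
            if n >= THRESHOLD:
                noisy[client] = max(noisy.get(client, 0), n)
    return noisy, dict(foreign)

def iot_share(noisy):
    """Fraction of noisy clients that sit inside the IoT segment."""
    return sum(c in IOT_SEGMENT for c in noisy) / len(noisy) if noisy else 0.0

def constructed_log():
    """Constructed sample: two IoT devices and one laptop, starting 09:00 UTC."""
    base = datetime(2017, 2, 1, 9, 0, tzinfo=timezone.utc)
    def rows(client, resolver, n, step, offset=0):
        return [f"{(base + timedelta(seconds=offset + i * step)).isoformat()} "
                f"{client} {resolver} host{i}.example.com" for i in range(n)]
    return (rows("10.20.1.15", "10.99.0.53", 300, 2)           # vending machine
            + rows("10.20.2.40", "10.99.0.53", 120, 5)         # light bulb, window 1
            + rows("10.20.2.40", "10.99.0.53", 30, 5, WINDOW)  # light bulb, window 2
            + rows("10.30.5.7", "10.0.0.53", 12, 60))          # student laptop

if __name__ == "__main__":
    noisy, foreign = analyse(constructed_log())
    for client, peak in sorted(noisy.items()):
        print(client, peak, sorted(map(str, foreign.get(client, ()))))
    print("share of noisy clients in IoT segment:", iot_share(noisy))
```

A client that appears in both results, with a high per-window count and an unapproved resolver, matches the behaviour the article attributes to the tampered devices.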
Lesson Learned
As the university waited for the Verizon RISK team to institute a more concrete solution, the staff had to scramble to disconnect the entire IoT segment from the rest of the network.
It is not yet known whether Verizon RISK was able to find the culprit behind the attack or to determine its goal aside from crippling the school's internet. Previous attacks, however, have been carried out to extract money from educational institutions. For example, the University of Calgary paid hackers last year to release the school's infiltrated information technology system.
The attacked university in this report has already taken some steps to avoid a similar incident in the future. For example, vending machines and other IoT devices now have their own separate network so that any potential damage would immediately be contained in case they get induced to run amok again.