University Network Crippled By Its Own Hacked Vending Machines
In one of the weirder hacking events in recent months, an unnamed university’s network was hobbled to the point of uselessness by hackers. That’s not really all that shocking, but what is humorously surprising is the breach mechanism: vending machines.
A new report outlines an attack from within that pitted a university’s vending machines, smart lightbulbs, and other connected internet-of-things devices against it. Using a botnet-style attack, hackers flooded the network with pointless seafood-related searches, bogging it down so badly that students began complaining to the help desk. (We’ll ignore for the moment that instead of looking into it, the help desk supposedly dismissed the complaints. It was only after someone higher up in the department caught on to all the seafood searches that they had the wherewithal to investigate.)
The first plan of action was going to be costly: replace every single IoT device the university currently deploys in order to regain access to more than 5,000 systems. That’s where the vending machines and lightbulbs come in. Fortunately, a report on the attack from Verizon’s RISK Team showed the IT department how the botnet was spreading and locking them out. The botnet sought out weak passwords and replaced them, so all the university had to do was unleash a packet sniffer, find out those passwords, and change them. Instead of requiring a costly and time-consuming solution, the issue was resolved in a matter of hours.
Verizon has issued an early teaser for its 2017 Data Breach Digest, which outlines this anonymous situation in greater detail. If this is just a sample of the type of attack their team has uncovered in the previous year, the work of thwarting cybercrime will be hard-pressed to keep up with the nearly limitless creativity of hackers.
According to an article on the university attack by NetworkWorld, “Verizon’s sneak peek report includes mitigation and response tips, such as change default credentials on IoT devices. It also advises, ‘Don’t keep all your eggs in one basket, create separate network zones for IoT systems and air-gap them from other critical networks where possible.'”