At an unnamed university, its network was taken down by its internet connected vending machines:
Today’s cautionary tale comes from Verizon’s sneak peek (pdf) of the 2017 Data Breach Digest scenario. It involves an unnamed university, seafood searches, and an IoT botnet; hackers used the university’s own vending machines and other IoT devices to attack the university’s network.
Since the university’s help desk had previously blown off student complaints about slow or inaccessible network connectivity, it was a mess by the time a senior member of the IT security team was notified. The incident is given from that team member’s perspective; he or she suspected something fishy after detecting a sudden big interest in seafood-related domains.
The “incident commander” noticed “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” That explained the “slow network” issues, but not much else.
The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.
Seafood, huh?
Needless to say, there is something fishy about the Internet of Things.*
It’s a toxic mixture of marketing types and brogrammers, and until there there are real statutory requirements for people trying to make a buck off of things like internet enabled refrigeratures, stay away from this.
Right now, these are trivial to hack into, and, at best, this makes them a listening device in your own home.
*Sorry for the pun.†
†Not really sorry. Not one bit.