University’s IoT devices went fishing for information – how did it happen?

Verizon has published its annual Data Breach Digest and issued previews online – and it makes entertaining as well as sobering reading. One story has already attracted a fair bit of press attention, in which an unnamed university had its Internet of Things installation turned into a network of botnets dedicated to looking for fish restaurants instead of working with the students.

The IT professional in the report confirms that he reported dips in network performance to Verizon, which quickly ascertained that there had been some sort of hijack:

The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure.

Many devices including light switches had been attached to the IoT infrastructure for ease of management, the report continues (one piece of coverage suggested the refrigerators were involved as well, although we confess we couldn’t see any reference to them in the report).

As an aside, readers of a certain age might remember the radio series and books of the Hitchhiker’s Guide to the Galaxy, in which an entire spaceship’s computer systems were turned to ascertaining why Arthur Dent should want a cup of tea – we always said that series was ahead of its time.

As another aside, you might wonder how vulnerable a system has to be so that everything looking something up every 15 minutes slows it down so much. As it’s anonymised, we have to take the Verizon report at face value on that score.

The lessons learned, according to the Verizon report, included not putting all of the eggs in a single basket – in other words, don’t have every element of an IoT installation in a single network. It also suggested keeping firmware updates current and – wait for it – changing the default passwords, which hadn’t been done. In the event, the attackers’ password wasn’t encrypted so it was intercepted and the attack neutralised.

Jessica Twentyman, editor of Internet of Business, said:

What’s interesting to me about this story is that it once again begs the question: who’s responsible for IoT security? Is it the manufacturers of smart devices, who often seem to treat security as a secondary design consideration, if at all; or the individuals and organisations that deploy them? The answer, of course, must be both – but we continue to see complacency on both sides and a good deal of confusion and buck-passing when things go wrong. We badly need some consensus here, with smart device manufacturers doing more to secure the devices they sell and IoT administrators doing more to secure the environments that they run.