When a University’s vending machines became a botnet

By Adam Tinworth

15/02/2017 | Here's an alarming story of mismanaged Internet of Things security, as reported by Network World. An (unnamed) university had found its network slowing to a crawl. Investigations hit a dead end so experts were called in:

The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.

Yes, essentially, the university's networked devices, including devices as innocuous as its vending machines, had been hijacked by malware. The university was playing physical host to a botnet.

Initially the solution looked drastic – and expensive – but thankfully another solution presented itself:

At first, the incident commander thought the only way out of trouble was to replace all the IoT devices, such as “every soda machine and lamp post.” Yet the RISK Team’s report explained that “the botnet spread from device to device by brute forcing default and weak passwords,” so the university used a packet sniffer to intercept a clear-text malware password for a compromised IoT device.

And then they were able to replace all the passwords with much more secure ones.
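The pattern the RISK team found in the DNS logs, many devices repeating lookups every 15 minutes, is something a defender can search for directly. The sketch below is an added example, not code from Verizon's report or from this post: the log format, the addresses and the `example.net` names are constructed, and only the 15-minute period comes from the story.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (timestamp, client IP, queried name); format and values are assumptions.
SAMPLE_LOG = """\
2017-02-01T09:00:02 10.20.0.15 shrimp.example.net
2017-02-01T09:03:40 10.20.1.7 www.example.org
2017-02-01T09:15:05 10.20.0.15 crab.example.net
2017-02-01T09:15:30 10.20.0.16 lobster.example.net
2017-02-01T09:21:11 10.20.1.7 mail.example.org
2017-02-01T09:30:01 10.20.0.15 shrimp.example.net
2017-02-01T09:30:33 10.20.0.16 crab.example.net
2017-02-01T09:44:58 10.20.0.15 lobster.example.net
2017-02-01T09:45:29 10.20.0.16 shrimp.example.net
2017-02-01T09:52:47 10.20.1.7 www.example.org
2017-02-01T10:00:03 10.20.0.15 crab.example.net
2017-02-01T10:00:31 10.20.0.16 lobster.example.net
2017-02-01T10:01:15 10.20.1.7 www.example.org
"""

def parent_domain(qname):
    """Last two labels of the name; naive, ignores multi-label public suffixes."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_beacons(log_text, period=900, tolerance=60, min_queries=4):
    """Map (client, parent domain) to the median gap of lookups recurring every ~period s."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        ts, client, qname = parts
        seen[(client, parent_domain(qname))].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in seen.items():
        if len(times) < min_queries:
            continue  # too few lookups to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        # Require at least 80% of the gaps to sit within tolerance of the period.
        if regular >= 0.8 * len(gaps):
            hits[key] = median(gaps)
    return hits

if __name__ == "__main__":
    for (client, domain), gap in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{client} -> *.{domain} every ~{gap:.0f}s")
```

Grouping by parent domain rather than full name keeps a device visible even when each lookup uses a different subdomain.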

Perhaps luckily, this story wasn't reported widely, and so hasn't eroded public trust in the Internet of Things. But, my goodness, we can't afford too many stories of this nature if the IoT is to win the public acceptance it needs to hit the mainstream - and realise the potential benefits that come with that.

If you're building an IoT product - make sure that "security" is right up there in the top echelon of product requirements. To do anything else is massively short-sighted.

Lead image by halfrain on Flickr, and used under a Creative Commons licence