Hackers Use College’s Connected Vending Machines To Attack Network

Image courtesy of Mr Seb

What do you get when you combine Internet of Things devices, an overworked network, and an over abundance of seafood-related domain searches? A university attacked by its own malware-infected connected devices.

Network World reports that “you-can’t-make-these-things-up” scenario occurred recently at an unnamed university where hackers used the school’s vending machines and other connected devices to attack the network, locking administrators out of more than 5,000 systems.

The incident, detailed in a sneak peek of Verizon’s 2017 Data Breach Digest [PDF], began when students complained to the university’s help desk about slow or inaccessible network connectivity.

While many of those complaints were apparently brushed off, a senior IT security team member was finally notified, but things were already too fishy.

According to Data Breach Digest, the security team member noticed that the “name servers, responsible for Domain Name Service lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.”

This excessive seafood search slowed down the servers, causing legitimate searches to be dropped, essentially preventing access to the internet.

At this point, the university contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team, that discovered that hackers had commandeered the school’s vending machines and 5,000 other IoT devices to make seafood-related DNS requests every 15 minutes.

“With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies,” the report states. “While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.”

As a result, an IoT botnet was able to spread from device to device “by brute forcing default and weak passwords.”

Once the botnet discovered the password, it was able to take full control of the device, change the password, and lock the IT team out of around 5,000 systems.

The team was eventually able to regain access to the devices and remove the malware.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.