University Learns About IoT Insecurity The Hard Way

Status
Not open for further replies.
"The IT team realized that the IoT devices used weak, default passwords that were brute-forced as the botnet spread from device to device."

#1 rule to security: never use the default password on devices. That part is common sense and should not even need to be taught. If they at least changed the passwords to something much more complex, it would have been much harder for the botnet to brute-force... lol
 
"The second bullet point is especially amusing to me: revert Internet of Things devices to just plain Things."

Yup. It boggles my mind how many things inexplicably are connected to the internet. Lightbulbs don't need to be connected to the internet, for the love of god.
 
I like the fact that they don't want the devices to talk to the Internet but at the same time they want all updates to be automatically installed! You can't have it both ways, the devices are either visible to the Internet so they can be updated and hacked, or they can't see the Internet and can't be updated automatically.
 
In response to #1 rule of not using the default password, many IoT devices have been found to have a default admin username and password which is not changeable and it not mentioned in what ever limited user interface is presented. The only way to change them is to enable SSH on them, if not enabled by default, connect that way and either remove or change the hidden default.

I can only assume the hidden admin was placed there so the poor bastard at the end of the 1-800 number could have some hope in hell of offering some degree of support but in the end it has caused the world nothing but a headache. Thank you Hangzhou Xiongmai!
 
University-Lightbulb01
admin
admin
University-Lightbulb02
admin
admin
University-Lightbulb03
admin
admin
University-Lightbulb04
admin
admin

Now to flash the lights really fast and make people think the university is haunted.
 


Maybe not a direct connection from the device, but it actually makes a lot of sense to have access to most of the devices from internet. It can give you quite a lot of convenience, especially for managing things from afar.
If the 'Things' are made secure enough, I don't see absolutely anything wrong with having your lightbulbs accessible from your smartphone.

I would be more hesitant for life or death stuff, but that would just require a higher level of security.

 


I can see more than a few devices being handy to access from the internet. Lights you can periodically turn on and off so that people will think you're home when you're not. Thermostat to be able to adjust temperature so it's not freezing or blistering hot when you get home. Ovens for those meals that take 6hrs+ to cook. Many others as well.
 
A university ought to have staff that already knows better than to allow this to happen so easily. Security and convenience are always at odds with each other and they should more carefully plan out a proper balance before they install systems like this.
 


Depending on the University, some of them have really awful systems, and even worse security. I don't really understand how they let it happen, but there is not much push to improve until something quite bad happens, from my experience.
 


In my experience University IT folk don't have University degrees, they don't pay enough to get those people. Last few guys we had were all Cisco/A+ certified type guys that couldn't figure out why we were running out of IP addresses (500 people in building with a 24 subnet). The people with University degrees tend to go off and get decent paying jobs.
 
This university should be avoided at all costs ...

Most of the things mentioned in the article are common sense and do not need a scientist to figure it out .

This is a case of Neglect.
 


I don't want to sound overly mean, but A+ certification is useless, same with Cisco.... lol. The A+ certification can be easily passed just by picking up the book and reading the 'few' things that aren't common sense. Anyone who has a build on PCPartpicker pretty much already knows the same information. With Cisco certification, the tests are ungodly hard, but the classes deal with technology that is for the most part outdated (Novell, etc). I took the classes, but didn't bother finishing the tests. Neither one helps with finding a decent job. Going back to college for Engineering does though.
 
Status
Not open for further replies.