Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.
IoT devices should be sparingly and carefully deployed.
Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.
I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only be a matter of time before someone hacked my network via my light switch, so I at least put up the basic security road blocks.
It sounds like the IT department there wasn't thinking too hard about security.
A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.
This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.
You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.
Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.
Gosh, how was society able to do that for centuries before these wonder devices...
High roller = whale
So an aquarium seems an appropriate attack vector.
The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, network routers, DMZs and so on between IOT devices and your critical infrastructure.
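As an added illustration of the "can't get from there to here" rule in the comment above (example code, not from the article or any commenter): a small Python policy check run over a constructed flow log that reproduces the thermometer-to-database-to-cloud path from the story. The segment ranges, the vendor cloud range and every address are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment plan for the article's scenario (all addresses are made up):
# an IoT VLAN holding the aquarium thermometer, an internal segment holding the
# customer database, and the thermometer vendor's cloud endpoint.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/24"),
}
VENDOR_CLOUD = ipaddress.ip_network("203.0.113.0/24")  # placeholder vendor range

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int

def segment_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None if the flow fits the policy: IoT may
    only talk to the vendor cloud on 443, and the internal segment never
    exchanges traffic with IoT in either direction."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "iot":
        if ipaddress.ip_address(flow.dst) in VENDOR_CLOUD and flow.dport == 443:
            return None
        return f"iot -> {dst_seg}:{flow.dport} not permitted"
    if dst_seg == "iot":
        return f"{src_seg} -> iot:{flow.dport} not permitted"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, reason) for f in flows if (reason := check_flow(f)) is not None]

# Constructed flow log reproducing the chain from the article: foothold on the
# thermometer, pull from the database, upload to an outside host.
SAMPLE_FLOWS = [
    Flow("10.20.0.7", "203.0.113.10", 443, 2_000),       # normal vendor telemetry
    Flow("10.20.0.7", "10.10.0.5", 1433, 80_000_000),    # thermometer pulling the DB
    Flow("10.20.0.7", "198.51.100.9", 443, 80_000_000),  # upload to a non-vendor host
]
```

Running `audit(SAMPLE_FLOWS)` flags the second and third flows; the same two checks are what a firewall between the segments has to enforce, since a VPN endpoint on the IoT side would pass both.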
Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and I cry bullshit every time.
It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.
The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.
Have gnu, will travel.
For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."
You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.
Someone had to do it.