Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
"First they came for the slanderers and I said nothing."
My pet hate, IOS devices that bluetooth to your smartphone as a backdoor:
Android smartphones offer every application default "Full Network Access". So you're not just giving the *app*, access to the location, address book etc., you're giving the *company* that made the app that access remotely too.
Google's explanation for this is total bullshit, something like "apps can access the internet by starting a browser, ergo this has no damage". Really, it's "we need it to spy on you so we enable it". And every shitty little app, that might have a genuine reason to access the address book, also gets full access to send the address book to their server.
So you buy a fitness band, and it won't work unless connected to your smartphone, which in turn needs an app, which in turn needs you to register for an account and approve access to the address book and location and other stuff. i.e. to use this device you bought, give us full access to your private data and your identity, and in exchange we'll promise to use it for any reason and call it a privacy policy.
You trusted Zuck in 2006 when he promised to only share your data with your chosen friends. You gave him your data, and it turns out he sells it all on to anyone who will pay. And Android devices come pre-installed with this stuff, Facebook, Microsoft's snoop ware, anyone with money can buy pre-installed right to data you will put on the phone, and full network access to slurp your private data off that phone.
And we can blame Zuck for farming its customers for sellable data, but a lot of this is Google's fault.
No app should have network access by default.
And that is why one should be almost religious about separating networks. In particular, networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.
Good Suggestion.
I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IoT devices and put computers and cell phones on a new one.
"That's the way to do it" - Punch
This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?
My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.
This really is more a story about total incompetence. Why do I think this casino had an "S:" share that was just wide open?
The world's burning. Moped Jesus spotted on I50. Details at 11.
The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.
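The segmentation the comments above argue for (patrons, IoT gear and corporate data each on their own network, with anything not explicitly allowed failing closed) can be written down as a zone allow-list and checked against flow records. The following is an added example and not code from the thread or from Darktrace; the zone names, subnets, ports and the flow records are all constructed for illustration. It flags the two hops in the story (thermometer to database, thermometer straight out to the cloud) and the guest-to-file-share case from the earlier comment as policy violations, while the controller-mediated path stays allowed.

```python
"""Zone-based segmentation check over constructed flow records (added example)."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed zones (assumption): one network per role, never one flat "network".
ZONES = {
    "guest":    ipaddress.ip_network("10.10.0.0/16"),  # casino patrons' wifi
    "iot":      ipaddress.ip_network("10.20.0.0/24"),  # thermometers, HVAC, fridges
    "iot_mgmt": ipaddress.ip_network("10.21.0.0/24"),  # local controller for IoT gear
    "corp":     ipaddress.ip_network("10.30.0.0/16"),  # staff workstations
    "db":       ipaddress.ip_network("10.40.0.0/24"),  # high-roller database
    "internet": ipaddress.ip_network("0.0.0.0/0"),     # catch-all
}

# Allow-list of (src_zone, dst_zone, dst_port); everything else is denied.
# IoT devices may only talk to the local controller, and only the controller
# may reach the vendor cloud, so a device cannot exfiltrate directly.
ALLOW = {
    ("guest", "internet", 80),
    ("guest", "internet", 443),
    ("iot", "iot_mgmt", 8883),       # MQTT over TLS to the controller
    ("iot_mgmt", "internet", 443),   # controller alone reaches the cloud
    ("corp", "internet", 443),
    ("corp", "db", 5432),
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    bytes_out: int


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip ('internet' if none)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "internet", -1
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def evaluate(flow: Flow) -> Tuple[str, str, bool]:
    """Map a flow to (src_zone, dst_zone, allowed) under the allow-list."""
    src_z, dst_z = zone_of(flow.src), zone_of(flow.dst)
    return src_z, dst_z, (src_z, dst_z, flow.dport) in ALLOW


def find_violations(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return every flow the segmentation policy would have dropped."""
    out = []
    for f in flows:
        src_z, dst_z, ok = evaluate(f)
        if not ok:
            out.append((f, src_z, dst_z))
    return out


# Constructed flow records (assumption): what a flat network would have carried.
FLOWS = [
    Flow("10.20.0.7", "10.21.0.5", 8883, 4096),           # thermometer -> controller: fine
    Flow("10.20.0.7", "10.40.0.10", 5432, 1200),          # thermometer -> database: lateral move
    Flow("10.20.0.7", "203.0.113.9", 443, 9_800_000_000), # thermometer -> cloud: exfiltration
    Flow("10.10.3.4", "10.30.0.20", 445, 2048),           # guest wifi -> corp file share
    Flow("10.30.0.20", "10.40.0.10", 5432, 50_000),       # workstation -> database: fine
    Flow("10.21.0.5", "203.0.113.9", 443, 8192),          # controller -> vendor cloud: fine
]

if __name__ == "__main__":
    for flow, src_z, dst_z in find_violations(FLOWS):
        print(f"DENY {src_z}->{dst_z} {flow.src} -> {flow.dst}:{flow.dport} "
              f"({flow.bytes_out} bytes)")
```

The policy is deliberately an allow-list rather than a block-list: a new device class or a new cloud endpoint gets nothing until someone adds a line, which is the "assume something gets through anyway" posture from the earlier comment applied at the network layer.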