Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)

Posted by msmash on from the internet-of-shit dept.

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

17 of 246 comments (clear)

  1. I don't know... by Anonymous Coward · · Score: 5, Funny

    ... this sounds phishy.

    1. Re: I don't know... by Anonymous Coward · · Score: 5, Insightful

      High roller = whale
      So an aquarium seems an appropriate attack vector.

  2. Zero sympathy by olsmeister · · Score: 5, Insightful

    IoT devices should be sparingly and carefully deployed.

    Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED need to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.

  3. IOT is a disaster waiting to happen by pablo_max · · Score: 4, Insightful

    It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.

    I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only a matter of time before someone hacked my network via my light switch to at least put up the basic security road blocks.
    It sounds like the IT department there wasnt thinking too hard about security.

    1. Re:IOT is a disaster waiting to happen by rtkluttz · · Score: 4, Insightful

      Its not even that. There is literally nothing that IoT devices do in the cloud that can't be done completely in the owners network. Anyone that allows devices on their network that basically have you authenticating to a companies servers outside your home or business to do something inside your home or business deserve everything they get.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
  4. IoT turned DEFCON into a party again by phantomfive · · Score: 5, Interesting

    IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
    echo "admin\n admin\n" | telnet device_ip
    I thought we were done with the days of telnet exploits but it's a gift that keeps giving.

    --
    "First they came for the slanderers and i said nothing."
  5. No fish were harmed by jfdavis668 · · Score: 4, Funny

    During this hacking attempt. Except whales.

  6. Re:high-roller database by namgge · · Score: 4, Funny

    A list of people with a lot more money than sense.

  7. Re:Internet Of Things by haruchai · · Score: 4, Funny

    Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?

    You probably don't, but Big Brother does. They're hoping you will give up your privacy in exchange for added convenience of these IoTs.

    Say that a bit louder , Alexa didn't hear you

    --
    Pain is merely failure leaving the body
  8. Re:Network Separation (Partial report from vendor) by Anonymous Coward · · Score: 5, Informative

    https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
    ---
    To ensure these communications remained separate
    from the commercial network, the casino configured
    the tank to use an individual VPN to isolate the tank’s
    data
    ---

    So yes, it was segregated via a VPN link. Clearly that wasn't enough.

  9. Re:Internet Of Things by ZorinLynx · · Score: 5, Insightful

    A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.

    This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.

  10. Re:Internet Of Things by ctilsie242 · · Score: 4, Insightful

    You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.

    Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.

  11. Re: Internet Of Things by oh_my_080980980 · · Score: 4, Insightful

    Gosh how was society able to do that for centuries before these wonder device....

  12. Re:Internet Of Things by Opportunist · · Score: 4, Insightful

    The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:Network Separation (Partial report from vendor) by Archangel+Michael · · Score: 5, Insightful

    VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, networks routers and DMZ and so on between IOT devices and your critical infrastructure.

    Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and i cry bullshit every time.

    It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  14. Re:Network Separation (Partial report from vendor) by trg83 · · Score: 4, Interesting

    The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.

  15. Re:Network Separation by Oswald+McWeany · · Score: 5, Funny

    I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

    So good manners these days involves, not only offering the workman a cup of tea, but your wifi password too.

    "Would you like a spot of tea and a Wi-Fi password whilst you fix our driveway?"

    How else are the workmen going to use you-tube to look up how they do their job?

    --
    "That's the way to do it" - Punch