Slashdot Mirror


Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

8 of 246 comments

  1. I don't know... by Anonymous Coward · · Score: 5, Funny

    ... this sounds phishy.

    1. Re: I don't know... by Anonymous Coward · · Score: 5, Insightful

      High roller = whale
      So an aquarium seems an appropriate attack vector.

  2. Zero sympathy by olsmeister · · Score: 5, Insightful

    IoT devices should be sparingly and carefully deployed.

    Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.

  3. IoT turned DEFCON into a party again by phantomfive · · Score: 5, Interesting

    IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
    echo "admin\n admin\n" | telnet device_ip
    I thought we were done with the days of telnet exploits but it's a gift that keeps giving.

    --
    "First they came for the slanderers and I said nothing."

  4. Re:Network Separation (Partial report from vendor) by Anonymous Coward · · Score: 5, Informative

    https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
    ---
    To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data
    ---

    So yes, it was segregated via a VPN link. Clearly that wasn't enough.

  5. Re:Internet Of Things by ZorinLynx · · Score: 5, Insightful

    A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.

    This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.

  6. Re:Network Separation (Partial report from vendor) by Archangel+Michael · · Score: 5, Insightful

    VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, network routers, DMZs and so on between IoT devices and your critical infrastructure.

    Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and I cry bullshit every time.

    It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  7. Re:Network Separation by Oswald+McWeany · · Score: 5, Funny

    I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

    So good manners these days involve not only offering the workman a cup of tea, but your wifi password too.

    "Would you like a spot of tea and a Wi-Fi password whilst you fix our driveway?"

    How else are the workmen going to use YouTube to look up how they do their job?

    --
    "That's the way to do it" - Punch