A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer
from the somebody-might-want-to-get-on-this dept
For years we’ve documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we’re not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.
A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:
“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions upon millions of new attack vectors into homes and businesses around the world every year. Obviously this “invisible pollution” continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.
She noted how one bank that decided to skimp on security cameras wound up being hacked after those cheap cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had its high-roller customer database stolen thanks to an internet-of-broken-things aquarium thermometer:
Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. “The attackers used that to get a foothold in the network,” she said. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”
It’s understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it’s pretty clear we’re going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That’s why the open source IOT security and privacy standards that organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.
Filed Under: casino, cybersecurity, iot, security, thermometer
Comments on “A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer”
And the government isn’t interested in regulating something like this – but are wild about promoting copyright and other monopolies. Because no one is bribing them to care.
I have reservations about involving the government at this point. IoT products and the IoT market are evolving rapidly and any regulations would be written by bureaucrats who know nothing about technology and could be obsolete in a few years anyway.
OTOH, a group like the IoT Consortium, http://iofthings.org/, should be pushing strongly for a consensus of IoT Best Practices, which could be continuously updated and should be disseminated widely to both consortium members and non-members.
Re: Re: Regulation
I’m the same. Usually when you get politicians involved in creating regulations you get regulations for industries that are written by lawyers. Think about that. Problem is you don’t want someone writing what amounts to technical regulatory guidance from those that have no experience in the industry they are regulating AND who are subject to a voting public who thinks Internet Explorer is their operating system, Facebook is “The Internet” and anything against their insular world view is “fake news”. You also don’t want that regulatory guidance written in stone, rather evolving guidance based on current and past experience in device security.
The law should theoretically create a regulatory agency with delegated statutory powers staffed by those with knowledge of the subject being regulated but not captured by that industry. Though as we’ve already seen, even that doesn’t work when the lunatics are running the asylum (in the US: FCC, FDA, DOE, & others).
All the people that work in a casino and they can’t be bothered to walk by the fish tank and take note of the temperature.
But seriously. How hard is it to have multiple networks? One for the internet, one for security, one for business, etc.. Only one of those would be connected to the internet (guess which one) and none of them connected to each other.
That part’s easier said than done—one errant wire can undo the whole thing. BTW, is a high roller database "business" or "security"?
Regardless of which network it was on, why did some random thermometer have enough access to query the database?
Re: Re: Amazing
A high-roller database falls under “business”, naturally; the high rollers are customers, and the service offered to them is one of the casino’s products.
The “security” network would be for things like security cameras, door locks, alarm systems, et cetera.
There might need to be some overlap, or rather some data synced between the two networks, for example in the realm of user and/or customer authentication (for example, if the casino’s hotel operation issues high-value frequent customers personal ID cards which unlock their hotel-room doors, rather than handing out generic cards which have to be returned on departure) – but I see no reason why a database with enough customer information to be worth exfiltrating would ever need to be on the security network.
(That just means that the security protecting access to the business network needs to be even better, of course.)
Security should be thought of at the device level. The camera itself should not be vulnerable. Full stop.
It would be good security hygiene to build different networks but it shouldn’t be critical.
Re: Re: Amazing
Corollary: if it turns out to be, that should not automatically compromise the security of the entire rest of the network. The database server should not be vulnerable to the camera, the fish tank, the IP-based toilet valves…
Re: Re: Re: Amazing
IOT devices should not have direct access to the wider Internet, but rather connect to a local server, over an isolated network to that server, which can be secured, and maybe only accessible from the outside via a proxy server, and which relays notifications via an email and text server.
Re: Re: Re:2 Amazing
Good idea, but still, any system that can be compromised by a misplugged network cable is not secure enough. Lock down those IoT devices as much as possible but assume some idiot’s going to plug it directly to the database server anyway, and make sure the DB won’t fall over when it happens.
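The split this thread keeps coming back to, as an added example that is none of the commenters’ own code: an isolated IoT VLAN that may talk only to a local collector, the customer database on a separate business VLAN, a trailing default deny between them, and a lint that catches any allow rule letting an IoT-side source reach the business VLAN or the internet. Every subnet, host and port below is a constructed assumption, not the casino’s real address plan.

```python
"""Evaluate and lint a segmented-network policy (illustrative, constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan; the real site's numbering is an assumption here.
IOT_VLAN = ip_network("10.30.0.0/24")       # thermometers, cameras, door locks
BUSINESS_VLAN = ip_network("10.10.0.0/24")  # workstations and the customer DB
COLLECTOR = ip_network("10.30.0.2/32")      # local server the IoT devices report to
DB_SERVER = ip_network("10.10.0.50/32")     # the "high-roller" database host
MAIL_RELAY = ip_network("10.10.0.25/32")    # email/SMS relay for alerts
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches every destination port
    action: str           # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Ordered, first match wins. The trailing default deny is what makes
# "none of them connected to each other" true rather than aspirational.
POLICY: List[Rule] = [
    Rule(IOT_VLAN, COLLECTOR, 8883, "allow"),       # devices push telemetry (MQTT/TLS) to the collector only
    Rule(COLLECTOR, MAIL_RELAY, 587, "allow"),      # the collector relays notifications out
    Rule(BUSINESS_VLAN, DB_SERVER, 5432, "allow"),  # business workstations query the DB
    Rule(ANY, ANY, None, "deny"),
]

# What a flat network amounts to: one rule, everything reaches everything.
FLAT_POLICY: List[Rule] = [Rule(ANY, ANY, None, "allow")]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action the first matching rule gives to this flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, dport):
            return rule.action
    return "deny"  # no match at all: deny, never allow


def segmentation_violations(policy: List[Rule]) -> List[str]:
    """Lint: an allow rule that lets any IoT-VLAN source reach the business VLAN
    or leave the site is a violation, whatever port it names. The collector is
    the one sanctioned pivot and is exempted by exact match."""
    problems = []
    for rule in policy:
        if rule.action != "allow" or not rule.src.overlaps(IOT_VLAN):
            continue
        if rule.src == COLLECTOR:
            continue
        stays_inside = rule.dst.subnet_of(IOT_VLAN) or rule.dst.subnet_of(BUSINESS_VLAN)
        if not stays_inside:
            problems.append(f"{rule}: IoT-side source may reach outside the site")
        elif rule.dst.overlaps(BUSINESS_VLAN):
            problems.append(f"{rule}: IoT-side source may reach the business VLAN")
    return problems


if __name__ == "__main__":
    thermometer, db, cloud = "10.30.0.7", "10.10.0.50", "203.0.113.5"
    for name, policy in (("segmented", POLICY), ("flat", FLAT_POLICY)):
        print(name, "thermometer->DB:", evaluate(policy, thermometer, db, 5432),
              "thermometer->cloud:", evaluate(policy, thermometer, cloud, 443),
              "violations:", segmentation_violations(policy))
```

Under the segmented policy the thermometer can reach the collector and nothing else, so both hops in the anecdote (thermometer to database, thermometer to the cloud) are denied; under the flat policy both are allowed and the lint reports the single rule responsible. The lint is the part worth keeping in a build pipeline, since it catches the “one errant rule” case before a packet ever flows.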
Not the thermometer's fault
People have been saying for at least 30 years to treat the network as untrustworthy. The real scandal isn’t that the thermostat was hacked, it’s that evidently the high roller database had no security. It should’ve had authentication and encryption, and most people with access should not have had enough access to dump the whole database. The system should limit their query rate and flag anything suspicious.
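The rate limiting and flagging this comment asks for, as an added example and not the commenter’s own code: a detector run over a constructed database audit log that raises on two things, a login from a subnet the role never uses, and more rows returned inside a sliding window than the role’s budget allows. The log line format, the role budgets, the subnets and the sample lines are all assumptions made for the illustration; a real server’s audit format will differ and the regex should be adapted to it.

```python
"""Flag bulk reads of the customer database from a (constructed) audit log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple

# Assumed log shape, loosely modelled on a database log line with a custom
# prefix; adapt LINE_RE to whatever the real server emits.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'client=(?P<client>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)

WINDOW = timedelta(minutes=10)
# Rows a role may return inside one WINDOW. A clerk looks up one guest at a
# time; a report account pulls aggregates. Nobody legitimately dumps the table.
ROW_BUDGET: Dict[str, int] = {"clerk": 50, "analyst": 5000}
# Where each role's logins must come from. The IoT VLAN is on no list.
ALLOWED_CLIENTS = {
    "clerk": ip_network("10.10.0.0/24"),
    "analyst": ip_network("10.10.0.0/24"),
}

# Constructed sample: two normal lookups, one report, then the same clerk
# account paging through the whole table from the thermometer's address.
SAMPLE_AUDIT_LOG = [
    '2017-07-21 02:10:01 user=frontdesk role=clerk client=10.10.0.14 rows=1 stmt="SELECT name, tier FROM high_rollers WHERE member_id=$1"',
    '2017-07-21 02:11:30 user=frontdesk role=clerk client=10.10.0.14 rows=1 stmt="SELECT name, tier FROM high_rollers WHERE member_id=$1"',
    '2017-07-21 02:12:05 user=reports role=analyst client=10.10.0.31 rows=1200 stmt="SELECT tier, count(*) FROM high_rollers GROUP BY tier"',
    '2017-07-21 02:14:10 user=frontdesk role=clerk client=10.30.0.7 rows=500 stmt="SELECT * FROM high_rollers ORDER BY member_id LIMIT 500 OFFSET 0"',
    '2017-07-21 02:14:12 user=frontdesk role=clerk client=10.30.0.7 rows=500 stmt="SELECT * FROM high_rollers ORDER BY member_id LIMIT 500 OFFSET 500"',
    '2017-07-21 02:14:14 user=frontdesk role=clerk client=10.30.0.7 rows=500 stmt="SELECT * FROM high_rollers ORDER BY member_id LIMIT 500 OFFSET 1000"',
]


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["rows"] = int(ev["rows"])
    return ev


def detect(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, reason) alerts; one per user per kind of finding."""
    alerts: List[Tuple[datetime, str, str]] = []
    raised = set()
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    rows_in_window: Dict[str, int] = defaultdict(int)

    def raise_once(kind: str, ts: datetime, user: str, reason: str) -> None:
        if (user, kind) not in raised:
            raised.add((user, kind))
            alerts.append((ts, user, reason))

    for line in lines:
        ev = parse(line)
        user, role, ts = ev["user"], ev["role"], ev["ts"]
        # Origin check first: a login from a subnet the role never uses is
        # wrong at row one, before any volume has been seen.
        allowed = ALLOWED_CLIENTS.get(role)
        if allowed is None or ip_address(ev["client"]) not in allowed:
            raise_once("origin", ts, user, f"{role} login from unexpected client {ev['client']}")
        # Sliding-window row count per account, oldest events expired as we go.
        q = recent[user]
        q.append((ts, ev["rows"]))
        rows_in_window[user] += ev["rows"]
        while q and ts - q[0][0] > WINDOW:
            rows_in_window[user] -= q.popleft()[1]
        budget = ROW_BUDGET.get(role, 0)
        if rows_in_window[user] > budget:
            raise_once("volume", ts, user,
                       f"{rows_in_window[user]} rows returned within {WINDOW} exceeds the {role} budget of {budget}")
    return alerts


def run_sample() -> List[Tuple[datetime, str, str]]:
    return detect(SAMPLE_AUDIT_LOG)


if __name__ == "__main__":
    for ts, user, reason in run_sample():
        print(ts.isoformat(sep=" "), user, reason)
```

On the sample the first three lines are quiet; the first query from 10.30.0.7 trips the origin check immediately, and its 500 rows push the clerk account to 502 rows in the window, so the volume alert fires on the same line rather than after the table is gone. The budget is deliberately per role, not per user: a stolen clerk credential is still a clerk.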
Re: IoT is the suffix of Id
IoT is the suffix of Id.
Not only should that high rollers database have had authentication and encryption, it should have been ON A DIFFERENT NETWORK.
I guess that we’ll need to reach those catastrophic conditions where lives are lost and, much more importantly, it costs money*.
*As sad as it may sound, I think deaths are worth less than money lost nowadays.
Clarifying: not that I think they are worth less, it’s that our society is treating them this way hence the “sad” adjective.
This is clearly another argument on turning up the thermostat on spear-phishing.
“is what economists call an externality” No, it’s called late stage capitalism.
I am interested to know why this old story is back to life. This originally came to public back in July 2017 – here is a WP link https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?utm_term=.c1a9617584d3
And the beat goes on.
No solution except regulation. I cannot think of one. Hopefully that is just a failure of my imagination, meaning someone else can figure out a fix.
Regulation of technical anything is such a series of ongoing disasters in the US. We have what, < 4% of our Legislators with any technical knowledge? Time to go setup my V-chip.
Casino hacked by aquarium thermostat?
So they gambled on the security of their network and lost.
Sounds like it’s time for them to turn up the heat on who’s at fault.
Somebody’s probably going to be sleeping with the fishes over this.
No Sympathy For Casinos
Q: What kind of game is it where any attempt to improve your odds is seen as “cheating”?
A: A sucker’s game.
1) create problem
2) exasperate problem
4) proclaim a fix is necessary
You want to annoy the problem?
Re: Re: exasperate?
Probably thought “exacerbate” was a naughty word.
And here I always thought fish were boring.
Former British intelligence officer Robert Hannigan noted that there are no universally accepted IoT security standards. "I know the case when the bank was hacked through surveillance cameras because buying a device, the organization was repelled by the price." He also added that the thermostat and surveillance cameras of the same model still work for other companies and users.
And the Govt is not doing anything.