A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer

from the somebody-might-want-to-get-on-this dept

For years we’ve documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we’re not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.

A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:

“The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions of millions of new attack vectors into homes and businesses around the world annually. Obviously this “invisible pollution” continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.

She noted how one bank that decided to skimp on security cameras actually wound up being hacked after those cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had their customers’ financial histories stolen thanks to an internet-of-broken things aquarium thermostat:

“Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. The attackers used that to get a foothold in the network,” she said. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

It’s understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it’s pretty clear we’re going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That’s why what the open source IOT security and privacy standards organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Regulation

I have reservations about involving the government at this point. IoT products and the IoT market are evolving rapidly and any regulations would be written by bureaucrats who know nothing about technology and could be obsolete in a few years anyway.

OTOH, a group like the IoT Consortium, http://iofthings.org/, should be pushing strongly for a consensus of IoT Best Practices, which could be continuously updated and should be disseminated widely to both consortium members and non-members.

Anonymous Coward says:

Re: Re: Regulation

I’m the same. Usually when you get politicians involved in creating regulations you get regulations for industries that are written by lawyers. Think about that. Problem is you don’t want someone writing what amounts to technical regulatory guidance from those that have no experience in the industry they are regulating AND who are subject to a voting public who thinks Internet Explorer is their operating system, Facebook is “The Internet” and anything against their insular world view is “fake news”. You also don’t want that regulatory guidance written in stone, rather evolving guidance based on current and past experience in device security.

The law should theoretically create a regulatory agency with delegated statutory powers staffed by those with knowledge of the subject being regulated but not captured by that industry. Though as we’ve already seen, even that doesn’t work when the lunatics are running the asylum (in the US: FCC, FDA, DOE, & others).

Anonymous Anonymous Coward (profile) says:


All the people that work in a casino and they can’t be bothered to walk by the fish tank and take note of the temperature.

But seriously. How hard is it to have multiple networks? One for the internet, one for security, one for business, etc.. Only one of those would be connected to the internet (guess which one) and none of them connected to each other.

Anonymous Coward says:

Re: Amazing

none of them connected to each other.

That part’s easier said than done—one errant wire can undo the whole thing. BTW, is a high roller database "business" or "security"?

Regardless of which network it was on, why did some random thermometer have enough access to query the database?

The Wanderer (profile) says:

Re: Re: Amazing

A high-roller database falls under “business”, naturally; the high rollers are cutomers, and the service offered to them is one of the casino’s products.

The “security” network would be for things like security cameras, door locks, alarm systems, et cetera.

There might need to be some overlap, or rather some data synced between the two networks, for example in the realm of user and/or customer authentication (for example, if the casino’s hotel operation issues high-value frequent customers personal ID cards which unlock their hotel-room doors, rather than handing out generic cards which have to be returned on departure) – but I see no reason why a database with enough customer information to be worth exfiltrating would ever need to be on the security network.

(That just means that the security protecting access to the business network needs to be even better, of course.)

Anonymous Coward says:

Re: Re: Amazing

Security should be thought at the device level. The camera itself should not be vulnerable. Full stop.

Corollary: if it turns out to be, that should not automatically compromise the security of the entire rest of the network. The database server should not be vulnerable to the camera, the fish tank, the IP-based toilet valves…

Anonymous Coward says:

Re: Re: Re: Amazing

IOT devices should not have direct access to the wider Internet, but rather connect to a local server, over an isolated network to that server, which can be secured, and maybe only accessible from the outside via a proxy server, and which relays notifications via an email and text server.

Anonymous Coward says:

Re: Re: Re:2 Amazing

Good idea, but still, any system that can be compromised by a misplugged network cable is not secure enough. Lock down those IoT devices as much as possible but assume some idiot’s going to plug it directly to the database server anyway, and make sure the DB won’t fall over when it happens.

Anonymous Coward says:

Not the thermometer's fault

People have been saying for at least 30 years to treat the network as untrustworthy. The real scandal isn’t that the thermostat was hacked, it’s that evidently the high roller database had no security. It should’ve had authentication and encryption, and most people with access should not have had enough access to dump the whole database. The system should limit their query rate and flag anything suspicous.

RichardSeidman says:

Former British intelligence officer Robert Hannigan noted that there are no universally accepted IoT security standards. "I know the case when the bank was hacked through surveillance cameras because buying a device, the organization was repelled by the price." He also added that the thermostat and surveillance cameras of the same model still work for other companies and users. I hope that site https://ipayzz.com/slots-lv-casino/ make an only good impression on you.

BugMN (profile) says:

I don’t think that will be for a long time. In 2019 we have completely new technology such as Decentralization (blockchain), AI. I’m sure that developers do maximum to protect casinos, gambling, and other internet industries. So I’m sure that this one casino has already a protection system https://getcasinobonus.net/bonuses/bet365/ . In this case I’ll be glad when my money can be saved from hackers.

LennartPersson (profile) says:

Hey. If you have been looking for reviews of the best online casinos in the UK, welcome to this site https://play.casino. On the presented gaming platforms, you can play both for real money and for free. You can comfortably play without downloading on any smartphone or tablet based on Android or iOS. They are offered without registration, so every portal guest can play without any obligations and financial risks. Just choose the best casino to try how to play correctly

Emma Watson says:

More and more gambling enthusiasts prefer to spend their free time on virtual venues rather than in real casinos. And, this is not unusual. Indeed, casino online https://casinor.com/ have a lot of extremely attractive features that make the operation of slot machines more convenient and profitable. Few people want to spend their precious time traveling around the city and visiting gambling establishments when it is possible to arrange in the most comfortable environment behind a computer monitor and get at their disposal everything necessary to satisfy the craving for excitement. On the online casino site, players have a unique opportunity to activate any emulators in demo mode.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...