A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer

from the somebody-might-want-to-get-on-this dept

For years we've documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we're not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.

A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions upon millions of new attack vectors into homes and businesses around the world annually. Obviously this "invisible pollution" continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.

She noted how one bank that decided to skimp on security cameras actually wound up being hacked after those cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had their customers' financial histories stolen thanks to an internet-of-broken-things aquarium thermostat:

"Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

It's understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it's pretty clear we're going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That's why the open source IOT security and privacy standards that organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.


Reader Comments



  • Gary (profile), 16 Apr 2018 @ 12:54pm

    Regulation

    And the government isn't interested in regulating something like this - but are wild about promoting copyright and other monopolies. Because no one is bribing them to care.


    • Anonymous Coward, 16 Apr 2018 @ 3:23pm

      Re: Regulation

      I have reservations about involving the government at this point. IoT products and the IoT market are evolving rapidly and any regulations would be written by bureaucrats who know nothing about technology and could be obsolete in a few years anyway.

      OTOH, a group like the IoT Consortium, http://iofthings.org/, should be pushing strongly for a consensus of IoT Best Practices, which could be continuously updated and should be disseminated widely to both consortium members and non-members.


      • Anonymous Coward, 16 Apr 2018 @ 4:17pm

        Re: Re: Regulation

        I'm the same. Usually when you get politicians involved in creating regulations you get regulations for industries that are written by lawyers. Think about that. Problem is you don't want someone writing what amounts to technical regulatory guidance from those that have no experience in the industry they are regulating AND who are subject to a voting public who thinks Internet Explorer is their operating system, Facebook is "The Internet" and anything against their insular world view is "fake news". You also don't want that regulatory guidance written in stone, rather evolving guidance based on current and past experience in device security.

        The law should theoretically create a regulatory agency with delegated statutory powers staffed by those with knowledge of the subject being regulated but not captured by that industry. Though as we've already seen, even that doesn't work when the lunatics are running the asylum (in the US: FCC, FDA, DOE, & others).


  • Anonymous Anonymous Coward (profile), 16 Apr 2018 @ 1:06pm

    Amazing

    All the people that work in a casino and they can't be bothered to walk by the fish tank and take note of the temperature.

    But seriously. How hard is it to have multiple networks? One for the internet, one for security, one for business, etc. Only one of those would be connected to the internet (guess which one) and none of them connected to each other.


    • Anonymous Coward, 16 Apr 2018 @ 2:01pm

      Re: Amazing

      none of them connected to each other.

      That part's easier said than done—one errant wire can undo the whole thing. BTW, is a high roller database "business" or "security"?

      Regardless of which network it was on, why did some random thermometer have enough access to query the database?


      • The Wanderer (profile), 17 Apr 2018 @ 8:41am

        Re: Re: Amazing

        A high-roller database falls under "business", naturally; the high rollers are customers, and the service offered to them is one of the casino's products.

        The "security" network would be for things like security cameras, door locks, alarm systems, et cetera.

        There might need to be some overlap, or rather some data synced between the two networks, for example in the realm of user and/or customer authentication (for example, if the casino's hotel operation issues high-value frequent customers personal ID cards which unlock their hotel-room doors, rather than handing out generic cards which have to be returned on departure) - but I see no reason why a database with enough customer information to be worth exfiltrating would ever need to be on the security network.

        (That just means that the security protecting access to the business network needs to be even better, of course.)


    • Ninja (profile), 16 Apr 2018 @ 2:15pm

      Re: Amazing

      Security should be thought at the device level. The camera itself should not be vulnerable. Full stop.

      It would be good security hygiene to build different networks but it shouldn't be critical.


      • Anonymous Coward, 16 Apr 2018 @ 4:14pm

        Re: Re: Amazing

        Security should be thought at the device level. The camera itself should not be vulnerable. Full stop.

        Corollary: if it turns out to be, that should not automatically compromise the security of the entire rest of the network. The database server should not be vulnerable to the camera, the fish tank, the IP-based toilet valves...


        • Anonymous Coward, 16 Apr 2018 @ 5:11pm

          Re: Re: Re: Amazing

          IOT devices should not have direct access to the wider Internet, but rather connect to a local server, over an isolated network to that server, which can be secured, and maybe only accessible from the outside via a proxy server, and which relays notifications via an email and text server.


          • Anonymous Coward, 17 Apr 2018 @ 8:31am

            Re: Re: Re: Re: Amazing

            Good idea, but still, any system that can be compromised by a misplugged network cable is not secure enough. Lock down those IoT devices as much as possible but assume some idiot's going to plug it directly to the database server anyway, and make sure the DB won't fall over when it happens.


  • Anonymous Coward, 16 Apr 2018 @ 1:57pm

    Not the thermometer's fault

    People have been saying for at least 30 years to treat the network as untrustworthy. The real scandal isn't that the thermostat was hacked, it's that evidently the high roller database had no security. It should've had authentication and encryption, and most people with access should not have had enough access to dump the whole database. The system should limit their query rate and flag anything suspicious.

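The controls this comment asks for (authentication per principal, access too narrow to dump the table, a query-rate limit, and flagging of anything suspicious), together with the point made in the "Amazing" thread above that a thermometer should never have had enough access to query the database in the first place, as an added Python example. This is not code from the article or from any commenter; the principal names (including the hypothetical "aquarium-thermostat"), the table contents and the thresholds are all constructed for illustration.

```python
"""Added example, not from the article or its commenters: a small access
layer in front of a customer table that applies per-principal grants, a
sliding-window query-rate limit, a row cap, and alerting on anything that
trips those controls. Principal names, table data and thresholds are
constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample data standing in for the "high-roller database".
TABLES = {
    "high_rollers": [
        {"id": i, "name": f"guest-{i}", "lifetime_spend": 10_000 * i}
        for i in range(1, 201)
    ]
}

# Which principal may read which table. The thermostat (hypothetical name)
# gets no grant at all: a device that reports a temperature never needs to
# read a customer table, so a compromised one gets "not authorized", not rows.
GRANTS = {
    "host-desk-app": {"high_rollers"},
    "marketing-analyst": {"high_rollers"},
    "aquarium-thermostat": set(),
}

MAX_QUERIES_PER_WINDOW = 20   # per principal
WINDOW_SECONDS = 60
MAX_ROWS_PER_QUERY = 25       # a desk lookup never needs hundreds of rows


@dataclass
class QueryResult:
    ok: bool
    rows: list = field(default_factory=list)
    reason: str = ""
    flagged: bool = False


class GuardedDatabase:
    """Wraps the tables; every read passes authorize -> rate limit -> row cap."""

    def __init__(self, now):
        self._now = now            # clock function, injectable for tests
        self._history = {}         # principal -> deque of query timestamps
        self.alerts = []           # (timestamp, principal, reason) for review

    def _alert(self, principal, reason):
        self.alerts.append((self._now(), principal, reason))

    def query(self, principal, table, limit):
        now = self._now()
        # 1. Authorization: no grant for this table means no data and an alert,
        #    because a device asking for customer rows is itself a signal.
        if table not in GRANTS.get(principal, set()):
            self._alert(principal, f"unauthorized read of {table}")
            return QueryResult(False, reason="not authorized")
        # 2. Sliding-window rate limit per principal.
        hist = self._history.setdefault(principal, deque())
        while hist and now - hist[0] > WINDOW_SECONDS:
            hist.popleft()
        if len(hist) >= MAX_QUERIES_PER_WINDOW:
            self._alert(principal, "query rate exceeded")
            return QueryResult(False, reason="rate limited")
        hist.append(now)
        # 3. Row cap: serve at most MAX_ROWS_PER_QUERY and flag attempts to
        #    pull more, which is what a whole-table dump looks like.
        flagged = limit > MAX_ROWS_PER_QUERY
        if flagged:
            self._alert(principal, f"bulk read of {limit} rows requested")
        rows = TABLES[table][: min(limit, MAX_ROWS_PER_QUERY)]
        return QueryResult(True, rows=rows, flagged=flagged)


def run_scenario():
    """Replay a constructed sequence: the thermostat probing the table, a
    normal desk lookup, an analyst asking for the whole table, and a burst
    of lookups that trips the rate limit. Returns the database so the
    alerts can be inspected."""
    clock = [0.0]
    db = GuardedDatabase(now=lambda: clock[0])
    db.query("aquarium-thermostat", "high_rollers", 10)      # not authorized
    db.query("host-desk-app", "high_rollers", 5)             # ok, 5 rows
    db.query("marketing-analyst", "high_rollers", 1000)      # capped and flagged
    for _ in range(20):
        clock[0] += 1.0
        db.query("host-desk-app", "high_rollers", 1)         # the 20th is rate limited
    return db


if __name__ == "__main__":
    for ts, who, why in run_scenario().alerts:
        print(f"t={ts:5.1f}s {who:20s} {why}")
```

The three alerts the scenario produces are the three detections the comment describes: a principal with no grant touching the table, a request sized like a table dump, and a principal exceeding its query budget. The clock is injected rather than read from `time` so the rate-limit behaviour can be replayed deterministically.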

    • DannyB (profile), 17 Apr 2018 @ 7:59am

      IoT is the suffix of Id

      IoT is the suffix of Id.

      Not only should that high rollers database have had authentication and encryption, it should have been ON A DIFFERENT NETWORK.


  • Ninja (profile), 16 Apr 2018 @ 2:17pm

    I guess that we'll need to reach those catastrophic conditions where lives are lost and, much more importantly, it costs money*.

    *As sad as it may sound, I think deaths are worth less than money lost nowadays.


  • Ehud Gavron (profile), 16 Apr 2018 @ 2:45pm

    I guess

    This is clearly another argument on turning up the thermostat on spear-phishing.

    E


  • Anonymous Coward, 16 Apr 2018 @ 2:54pm

    "is what economists call an externality" No, it's called late stage capitalism.


  • Mauricio Freitas, 16 Apr 2018 @ 3:13pm

    Old story?

    I am interested to know why this old story is back to life. This originally came to public back in July 2017 - here is a WP link https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?utm_term=.c1a9617584d3


  • David (profile), 16 Apr 2018 @ 3:27pm

    And the beat goes on.

    No solution except regulation. I cannot think of one. Hopefully that is just a failure of my imagination, meaning someone else can figure out a fix.

    Regulation of technical anything is such a series of ongoing disasters in the US. We have what, < 4% of our Legislators with any technical knowledge? Time to go set up my V-chip.


  • Zonker, 16 Apr 2018 @ 3:54pm

    Casino hacked by aquarium thermostat?

    So they gambled on the security of their network and lost.

    Sounds like it's time for them to turn up the heat on who's at fault.

    Somebody's probably going to be sleeping with the fishes over this.


  • Lawrence D’Oliveiro, 16 Apr 2018 @ 5:34pm

    No Sympathy For Casinos

    Q: What kind of game is it where any attempt to improve your odds is seen as “cheating”?

    A: A sucker’s game.


  • Anonymous Coward, 16 Apr 2018 @ 6:38pm

    1) create problem
    2) exasperate problem
    3) ???
    4) proclaim a fix is necessary
    5) profit


  • DOlz, 17 Apr 2018 @ 5:44am

    And here I always thought fish were boring.


