Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Technology

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 246

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

This discussion has been archived. No new comments can be posted.

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank

Comments Filter:
  • by Anonymous Coward on Monday April 16, 2018 @08:07AM (#56445285)

    ... this sounds phishy.

  • Network Separation (Score:3, Insightful)

    by Anonymous Coward on Monday April 16, 2018 @08:11AM (#56445299)

    And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.

    • by Anonymous Coward on Monday April 16, 2018 @08:37AM (#56445449)

      https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
      ---
      To ensure these communications remained separate
      from the commercial network, the casino configured
      the tank to use an individual VPN to isolate the tank’s
      data
      ---

      So yes, it was segregated via a VPN link. Clearly that wasn't enough.

      • by Archangel Michael ( 180766 ) on Monday April 16, 2018 @09:35AM (#56445769) Journal

        VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, networks routers and DMZ and so on between IOT devices and your critical infrastructure.

        Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and i cry bullshit every time.

        It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.

        • Comment removed based on user account deletion
          • by skids ( 119237 ) on Monday April 16, 2018 @10:56AM (#56446275) Homepage

            For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."

            You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.

            • Exactly... it comes down to resources. I would love to proxy and log some specific traffic between a device I don't really trust and the information it needs... but that is a couple days to reverse engineer the communications and there is already too much on my plate.

      • by PPH ( 736903 ) on Monday April 16, 2018 @09:50AM (#56445859)

        What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.

        The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.

        • by MightyMartian ( 840721 ) on Monday April 16, 2018 @10:07AM (#56445987) Journal

          This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?

          My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.

          This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open.

        • by trg83 ( 555416 ) on Monday April 16, 2018 @10:19AM (#56446059)
          The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.
      • This past weekend, I saw an article on creating a VPN server in 30 minutes using, I think, Linode Great.

        Then, they said the server could be used for multiple purposes such as serving up web pages to the public and whatnot.

        The author lost all credibility at that point.

    • That's smart! There is no way to route between two seperate networks.
      • To get between networks, you need a layer three device ( aka router ).

        Is simple enough to build an ACL that says âoe Do not let devices from network X talk to network Y. âoe

        Also simple enough to prevent certain devices from talking to other devices on the same network and / or blocking access to pretty much anything you want.

        It just requires a bit of forward planning / thinking.

        Assume everything connected to your networks are potential entry points and / or downright hostile.

        • by Bengie ( 1121981 )
          Many managed switches do Layer 3 routing and default to routing among the VLANs. I think that's a horrible default. So many times people have issues with asymmetric routes between overlapping subnets in different vlans because their switch is routing one way, and the actual router the other way, but the stateful firewall is having a spazz attack about only seeing half of the traffic.

          No idea why people like to use overlapping subnets, especially in different broadcast domains.
    • and why need local non cloud devices look at target there they hacked to the network from the 3rd party vendors HVAC system.

      A big casino should have that on a non cloud non wifi network.

    • by Oswald McWeany ( 2428506 ) on Monday April 16, 2018 @09:28AM (#56445729)

      And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.

      Good Suggestion.

      I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IOT devices and put computers and cell phones on a new one.

      • Probably won't be too much longer and you'll be seeing routers supporting dual network spaces for just this reason. (like the DMZ)
      • by trg83 ( 555416 )
        I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"
        • by Oswald McWeany ( 2428506 ) on Monday April 16, 2018 @11:04AM (#56446317)

          I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

          So good manners these days involves, not only offering the workman a cup of tea, but your wifi password too.

          "Would you like a spot of tea and a Wi-Fi password whilst you fix our driveway?"

          How else are the workmen going to use you-tube to look up how they do their job?

        • I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

          A thoughtful host will place a wifi QR code in the bathroom.

    • by Khyber ( 864651 )

      "Event at home I have one wifi for home automation and one for the rest."

      But I bet those aren't properly (physically) separated by being on physically-distinct networks. You're still a target.

  • Zero sympathy (Score:5, Insightful)

    by olsmeister ( 1488789 ) on Monday April 16, 2018 @08:13AM (#56445311)
    IoT devices should be sparingly and carefully deployed.

    Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED need to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
    • You just made the argument against EVERY fucking internet enabled device.

      Congratulations.
    • This.

      I can see the practicality of having some things online - a thermometer for a tank of $10,000 fish, sure.

      But as you said: HAVE A SEPARATE, TOTALLY BANAL NETWORK FOR THAT SHIT.
      *DON'T* connect that to your operating system, your vault doors, or your self-destruct systems, eh?

    • by judoguy ( 534886 )
      I have a friend with a wildly expensive salt water tank. He absolutely requires remote sensing on a variety of things such as temperature and salinity to allow him go go out of town without obsessing.

      He's also a top level DBA and security guy having worked for companies needing to be certified for PCI and DOD level databases. He has firewalls, etc. up the wazoo at home. Just because he can.

    • by barjam ( 37372 )

      I doubt it was a fish tank thermometer only, it was probably a fish tank controller that had a thermometer as one of it's functions. On something like a saltwater tank where you might have thousands of dollars in corals and such the controller is used to regulate temperature, chemicals and so on. One tiny slip up in parameters and thousands of dollars are down the drain. IOT for that sort of things makes total sense.

      Network isolated and all that for sure though.

      On the other hand if the casino's security wer

    • I didn't bother to RTFA, but I'm betting it's not actually a simple thermometer, but rather a tank controller. Temperature is among its functions, but it likely also controls the lights, monitors PH (possibly injecting buffer as needed), controls the heater, controls cooling fans, and controls the pumps. These devices have pretty good reporting capabilities to facilitate tank management, and they're pretty essential devices in keeping your tank healthy. But still, no reason it should have been on the same

  • by pablo_max ( 626328 ) on Monday April 16, 2018 @08:15AM (#56445315)

    It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.

    I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only a matter of time before someone hacked my network via my light switch to at least put up the basic security road blocks.
    It sounds like the IT department there wasnt thinking too hard about security.

    • by rtkluttz ( 244325 ) on Monday April 16, 2018 @08:28AM (#56445391) Homepage

      Its not even that. There is literally nothing that IoT devices do in the cloud that can't be done completely in the owners network. Anyone that allows devices on their network that basically have you authenticating to a companies servers outside your home or business to do something inside your home or business deserve everything they get.

      • They let you get status updates on the devices or control them from elsewhere on the Internet. e.g. A friend has a IoT security camera whose video feed he can access from his phone at any time from anywhere, if say he gets a notification from his alarm company that someone has broken in.

        Of course, if you really want this sort of functionality, the device should be restricted to your home or business LAN, and your phone should be using a VPN to connect to that LAN to communicate with the device. These d
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      It sounds like the IT department there wasnt thinking too hard about security.

      IT pays for shit and you get about as much respect as the janitor. If a casino cares about security, they would need to pay better and give more respect to get the kind of talent required to actually do a decent job at securing their systems. Their underpaid IT staff is most likely following check lists created at least 10 years ago.

  • by phantomfive ( 622387 ) on Monday April 16, 2018 @08:21AM (#56445345) Journal
    IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
    echo "admin\n admin\n" | telnet device_ip
    I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
  • by jfdavis668 ( 1414919 ) on Monday April 16, 2018 @08:21AM (#56445347)
    During this hacking attempt. Except whales.
  • Oh no! (Score:3, Funny)

    by dohzer ( 867770 ) on Monday April 16, 2018 @08:25AM (#56445363)

    Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?

    • by judoguy ( 534886 )

      Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?

      At the casino. Just show up and they'll be glad to help you help them.

    • The Casino's have donation machines in their lobbies. Thousands of them. Just insert your donation and push the button(or pull the lever on some older machines), on rare occasions you might actually get your donation back.
  • by 110010001000 ( 697113 ) on Monday April 16, 2018 @08:41AM (#56445475) Homepage Journal
    "up to the cloud" is the key term here. It is meaningless. This must be an "AI" company looking for more funding.
  • I watched the first episode of Max Headroom a year or so ago.

    I laughed at a scene where they hacked a company, and I shit you not, by connecting to water pipes somehow and then jumping from a urinal in a men's room to a security camera, again not defecating anywhere near or on your person, located there.

    The tragedy is that we're at the point where such things seem to be shifted from the realm of uneducated entertainment to reality.

  • by Archon ( 13753 ) on Monday April 16, 2018 @09:24AM (#56445701)

    Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.

    • A VLAN may not help if the device can be compromised. It should be operated on a different physical network.

      • by ledow ( 319597 )

        What?

        Are you suggesting that you'd have to compromise the switch? How would that work any differently with physical separation?

        You can request a VLAN, from a list of allowed VLANs, on any decent managed switch. But you can also be FORCED onto a VLAN with no way to override that by such switches too.

        And if Cable 1 is on VLAN 1 and Cable 2 is on VLAN 2, you can't do anything without total compromise of the switch itself (which renders the problem moot anyway). And which is incredibly unlikely to happen, es

    • Revetted? Sorry, I'm not a native speaker, is that a polite way of saying "fired out of a cannon"?

      • by Passman ( 6129 )

        Revetted? Sorry, I'm not a native speaker, is that a polite way of saying "fired out of a cannon"?

        No, revetted is when you fire the IT staff for incompetence, oursource their function to India, and then use the savings to buy yourself another Corvette.

    • I can all but guarantee this is probably what really happened:

      Manager: I want to get Internet Enabled thermometers because
      IT: Right, no problem except we don't have partitioned corporate wireless networks because we tried to do that last year but our budget was cut and no-one wanted to invest in it
      Manager: I don't care about your problems. I got $10,000 of fish to worry about and this vendor promised me they'd remotely monitor my fish to make sure they don't die.
      IT: Ok, but..
      Manager: NO BUTS. D
  • Maybe if more high profile targets get finally hit by the security hole IoT is, we'll finally see some movement in this field.

    I mean, FFS, these things have security standards I have not seen since the millennium rolled over! You can go down the OWASP Top 10 (of any year of your choice) and the average IoT crapware is guilty of all of them!

  • by ripvlan ( 2609033 ) on Monday April 16, 2018 @09:42AM (#56445809)

    Wasn't this the plot of the first season of Mr Robot? Although he snuck in and fiddled with the device to make it accessible.

    Rather than upload the data to the cloud - he sought to erase the cloud.

  • Now modifying the list, THAT'S where the fun's at!

    I wonder how many weeks of free luxuries they would lavish you with before they notice that you aren't gambling :D

  • by ledow ( 319597 )

    Well VLANned, guys.

    I mean, seriously. What are you playing at?

  • Anyone who allows IoT in their business deserves the consequences.

    Really.

    The only secure IoT devices are the ones you never install.

  • ....wut? Ok guys, it's time to accept that we're living in a cyberpunk novel. They were windows into the future and that future is now. So make with the pink mohawks and techno music.

    Remember, only only Keanu can save us. I think all those John Wick movies were just prepping him.

This is clearly another case of too many mad scientists, and not enough hunchbacks.

Working...