A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer
from the somebody-might-want-to-get-on-this dept
For years we've documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we're not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.
A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:
"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions of new attack vectors into homes and businesses around the world annually. Obviously this "invisible pollution" continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.
She noted how one bank that decided to skimp on security cameras actually wound up being hacked after those cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had their customers' financial histories stolen thanks to an internet-of-broken things aquarium thermostat:
"Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. 'The attackers used that to get a foothold in the network,' she said. 'They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.'"
It's understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it's pretty clear we're going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That's why the open source IOT security and privacy standards that organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.
Filed Under: casino, cybersecurity, iot, security, thermometer
Regulation
Re: Regulation
I have reservations about involving the government at this point. IoT products and the IoT market are evolving rapidly and any regulations would be written by bureaucrats who know nothing about technology and could be obsolete in a few years anyway.
OTOH, a group like the IoT Consortium, http://iofthings.org/, should be pushing strongly for a consensus of IoT Best Practices, which could be continuously updated and should be disseminated widely to both consortium members and non-members.
Re: Re: Regulation
The law should theoretically create a regulatory agency with delegated statutory powers staffed by those with knowledge of the subject being regulated but not captured by that industry. Though as we've already seen, even that doesn't work when the lunatics are running the asylum (in the US: FCC, FDA, DOE, & others).
Amazing
But seriously. How hard is it to have multiple networks? One for the internet, one for security, one for business, etc. Only one of those would be connected to the internet (guess which one) and none of them connected to each other.
Re: Amazing
That part's easier said than done—one errant wire can undo the whole thing. BTW, is a high roller database "business" or "security"?
Regardless of which network it was on, why did some random thermometer have enough access to query the database?
Re: Re: Amazing
The "security" network would be for things like security cameras, door locks, alarm systems, et cetera.
There might need to be some overlap, or rather some data synced between the two networks, for example in the realm of user and/or customer authentication (for example, if the casino's hotel operation issues high-value frequent customers personal ID cards which unlock their hotel-room doors, rather than handing out generic cards which have to be returned on departure) - but I see no reason why a database with enough customer information to be worth exfiltrating would ever need to be on the security network.
(That just means that the security protecting access to the business network needs to be even better, of course.)
Re: Amazing
It would be good security hygiene to build different networks but it shouldn't be critical.
Re: Re: Amazing
Corollary: if it turns out to be, that should not automatically compromise the security of the entire rest of the network. The database server should not be vulnerable to the camera, the fish tank, the IP-based toilet valves...
Re: Re: Re: Re: Amazing
Good idea, but still, any system that can be compromised by a misplugged network cable is not secure enough. Lock down those IoT devices as much as possible but assume some idiot's going to plug it directly to the database server anyway, and make sure the DB won't fall over when it happens.
Not the thermometer's fault
People have been saying for at least 30 years to treat the network as untrustworthy. The real scandal isn't that the thermostat was hacked, it's that evidently the high roller database had no security. It should've had authentication and encryption, and most people with access should not have had enough access to dump the whole database. The system should limit their query rate and flag anything suspicious.
IoT is the suffix of Id
Not only should that high rollers database have had authentication and encryption, it should have been ON A DIFFERENT NETWORK.
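The two complaints running through the comments above, that a thermometer should never have been able to reach the high-roller database at all, and that the database should rate-limit and flag bulk reads regardless of where they come from, can both be checked from a database audit log. The following is an added example, not code from the Techdirt post, from Darktrace, or from any commenter. It assumes a hypothetical audit log with one event per query (timestamp, client address, principal, rows returned) and a hypothetical segmentation policy; the address ranges, the row threshold, the window, and the log lines are all constructed for illustration.

```python
"""Flag database access that the casino thread says should never happen.

Added example: not code from the Techdirt post or from any commenter.
It assumes a database audit log with one event per query (timestamp,
client IP, principal, rows returned) and a hypothetical segmentation
policy; every address range, threshold and log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical segments. Only the business segment may talk to the
# high-roller database; the facilities/IoT segment (thermometers,
# cameras, door controllers) should never show up as a DB client.
SEGMENTS = {
    "business": ipaddress.ip_network("10.20.0.0/24"),
    "iot": ipaddress.ip_network("10.90.0.0/24"),
}
ALLOWED_DB_SEGMENTS = {"business"}

# Hypothetical per-principal limit: more rows than this inside WINDOW is
# treated as a dump, not a lookup.
ROW_LIMIT = 5000
WINDOW = timedelta(minutes=5)

# Constructed audit-log lines: timestamp, client IP, principal, rows returned.
SAMPLE_LOG = """\
2017-07-01T02:00:05 10.20.0.15 hostdesk 1
2017-07-01T02:00:09 10.20.0.15 hostdesk 1
2017-07-01T02:01:10 10.90.0.44 svc_report 4000
2017-07-01T02:02:30 10.90.0.44 svc_report 4000
2017-07-01T02:03:00 10.20.0.31 svc_report 200
"""


def segment_of(ip_str):
    """Name of the segment an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def is_allowed_client(ip_str):
    """Segmentation policy: may this address talk to the database at all?"""
    return segment_of(ip_str) in ALLOWED_DB_SEGMENTS


def parse_event(line):
    ts, ip_str, principal, rows = line.split()
    return datetime.fromisoformat(ts), ip_str, principal, int(rows)


def analyse(log_text):
    """Return (reason, detail) findings, in log order."""
    findings = []
    recent = defaultdict(list)  # principal -> [(ts, rows)] inside WINDOW
    for line in log_text.splitlines():
        ts, ip_str, principal, rows = parse_event(line)

        # Check 1: the client must sit in a segment allowed to reach the DB.
        if not is_allowed_client(ip_str):
            findings.append(("client_outside_business_segment",
                             f"{ip_str} ({segment_of(ip_str)} segment) as {principal}"))

        # Check 2: sliding-window row count per principal; a sudden bulk
        # read is the signal even when the account itself is legitimate.
        window = [(t, r) for t, r in recent[principal] if ts - t <= WINDOW]
        window.append((ts, rows))
        recent[principal] = window
        total = sum(r for _, r in window)
        if total > ROW_LIMIT:
            findings.append(("row_rate_exceeded",
                             f"{principal} read {total} rows in the last {WINDOW}"))
    return findings


if __name__ == "__main__":
    for reason, detail in analyse(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

Run against the constructed log, the first check fires as soon as a facilities-segment address appears as a database client, before any data volume is involved; the second fires on the same account once its rolling five-minute total passes the threshold, and keeps firing from a business-segment address too, which is the point: the segmentation rule stops the thermometer, the rate rule catches the dump even when the attacker has moved to a host that is allowed.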
*As sad as it may sound, I think deaths are worth less than money lost nowadays.
Old story?
And the beat goes on.
Regulation of technical anything is such a series of ongoing disasters in the US. We have what, < 4% of our Legislators with any technical knowledge? Time to go setup my V-chip.
Casino hacked by aquarium thermostat?
Sounds like it's time for them to turn up the heat on who's at fault.
Somebody's probably going to be sleeping with the fishes over this.
No Sympathy For Casinos
A: A sucker’s game.
2) exasperate problem
3) ???
4) proclaim a fix is necessary
5) profit
exasperate?