A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer

from the somebody-might-want-to-get-on-this dept

For years we've documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we're not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.

A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions upon millions of new attack vectors into homes and businesses around the world annually. Obviously this "invisible pollution" continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.

She noted how one bank that decided to skimp on security cameras actually wound up being hacked after those cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had their customers' financial histories stolen thanks to an internet-of-broken-things aquarium thermostat:

"Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

It's understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it's pretty clear we're going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That's why the open source IOT security and privacy standards that organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.


Filed Under: casino, cybersecurity, iot, security, thermometer


Reader Comments



  • Gary (profile), 16 Apr 2018 @ 12:54pm

    Regulation

    And the government isn't interested in regulating something like this - but is wild about promoting copyright and other monopolies. Because no one is bribing them to care.

    • Anonymous Coward, 16 Apr 2018 @ 3:23pm

      Re: Regulation

      I have reservations about involving the government at this point. IoT products and the IoT market are evolving rapidly and any regulations would be written by bureaucrats who know nothing about technology and could be obsolete in a few years anyway.

      OTOH, a group like the IoT Consortium, http://iofthings.org/, should be pushing strongly for a consensus of IoT Best Practices, which could be continuously updated and should be disseminated widely to both consortium members and non-members.

      • Anonymous Coward, 16 Apr 2018 @ 4:17pm

        Re: Re: Regulation

        I'm the same. Usually when you get politicians involved in creating regulations you get regulations for industries that are written by lawyers. Think about that. Problem is you don't want someone writing what amounts to technical regulatory guidance from those that have no experience in the industry they are regulating AND who are subject to a voting public who thinks Internet Explorer is their operating system, Facebook is "The Internet" and anything against their insular world view is "fake news". You also don't want that regulatory guidance written in stone, rather evolving guidance based on current and past experience in device security.

        The law should theoretically create a regulatory agency with delegated statutory powers staffed by those with knowledge of the subject being regulated but not captured by that industry. Though as we've already seen, even that doesn't work when the lunatics are running the asylum (in the US: FCC, FDA, DOE, & others).

  • Anonymous Anonymous Coward (profile), 16 Apr 2018 @ 1:06pm

    Amazing

    All the people that work in a casino and they can't be bothered to walk by the fish tank and take note of the temperature.

    But seriously. How hard is it to have multiple networks? One for the internet, one for security, one for business, etc. Only one of those would be connected to the internet (guess which one) and none of them connected to each other.

    • Anonymous Coward, 16 Apr 2018 @ 2:01pm

      Re: Amazing

      none of them connected to each other.

      That part's easier said than done—one errant wire can undo the whole thing. BTW, is a high roller database "business" or "security"?

      Regardless of which network it was on, why did some random thermometer have enough access to query the database?

      • The Wanderer (profile), 17 Apr 2018 @ 8:41am

        Re: Re: Amazing

        A high-roller database falls under "business", naturally; the high rollers are customers, and the service offered to them is one of the casino's products.

        The "security" network would be for things like security cameras, door locks, alarm systems, et cetera.

        There might need to be some overlap, or rather some data synced between the two networks, for example in the realm of user and/or customer authentication (for example, if the casino's hotel operation issues high-value frequent customers personal ID cards which unlock their hotel-room doors, rather than handing out generic cards which have to be returned on departure) - but I see no reason why a database with enough customer information to be worth exfiltrating would ever need to be on the security network.

        (That just means that the security protecting access to the business network needs to be even better, of course.)

    • Ninja (profile), 16 Apr 2018 @ 2:15pm

      Re: Amazing

      Security should be thought at the device level. The camera itself should not be vulnerable. Full stop.

      It would be good security hygiene to build different networks but it shouldn't be critical.

      • Anonymous Coward, 16 Apr 2018 @ 4:14pm

        Re: Re: Amazing

        Security should be thought at the device level. The camera itself should not be vulnerable. Full stop.

        Corollary: if it turns out to be, that should not automatically compromise the security of the entire rest of the network. The database server should not be vulnerable to the camera, the fish tank, the IP-based toilet valves...

        • Anonymous Coward, 16 Apr 2018 @ 5:11pm

          Re: Re: Re: Amazing

          IOT devices should not have direct access to the wider Internet, but rather connect to a local server, over an isolated network to that server, which can be secured, and maybe only accessible from the outside via a proxy server, and which relays notifications via an email and text server.

          • Anonymous Coward, 17 Apr 2018 @ 8:31am

            Re: Re: Re: Re: Amazing

            Good idea, but still, any system that can be compromised by a misplugged network cable is not secure enough. Lock down those IoT devices as much as possible but assume some idiot's going to plug it directly to the database server anyway, and make sure the DB won't fall over when it happens.
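The segmentation design argued for in the thread above (IoT devices talking only to a local collector, outside access to that collector only through a proxy, and nothing on the IoT segment ever reaching the business database segment) is only as good as its enforcement, and the "one errant wire" case is exactly what a continuous check of observed flows against the intended policy catches. The script below is an added example, not code from the post or from any commenter; the zone addresses, the allow-list, the flow-log format and the sample flows are all constructed for illustration.

```python
"""Check observed network flows against an IoT segmentation policy.

Added example, not code from the Techdirt post or its commenters. The zone
addresses, the allow-list, the flow-log format and the sample flows are all
constructed for illustration.
"""
import ipaddress
from typing import List, Set, Tuple

# Zones of the design the thread describes. Constructed addressing.
ZONES = {
    "iot":       ipaddress.ip_network("10.40.0.0/24"),  # thermometers, cameras, locks
    "collector": ipaddress.ip_network("10.41.0.0/28"),  # local server the devices report to
    "proxy":     ipaddress.ip_network("10.42.0.0/28"),  # the only outside-facing entry point
    "business":  ipaddress.ip_network("10.50.0.0/24"),  # customer / high-roller database segment
}

# Allowed (source zone, destination zone, destination port). Everything else is a violation.
ALLOW: Set[Tuple[str, str, int]] = {
    ("iot", "collector", 8883),      # devices speak MQTT over TLS to the collector only
    ("proxy", "collector", 443),     # outside reaches the collector only through the proxy
    ("collector", "internet", 587),  # collector relays notifications by email submission
    ("business", "business", 5432),  # app tier to database, inside the business segment
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses count as the outside world."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed flow line: '<src_ip> -> <dst_ip>:<dst_port> <proto>'."""
    src, rest = line.split(" -> ", 1)
    dst, _proto = rest.split(" ", 1)
    dst_ip, port = dst.rsplit(":", 1)
    return src.strip(), dst_ip, int(port)


def check_flows(lines: List[str]) -> List[str]:
    """Return one finding per flow the policy does not allow."""
    findings: List[str] = []
    for line in lines:
        src, dst, port = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, port) not in ALLOW:
            findings.append(f"VIOLATION {src_zone}->{dst_zone}:{port} ({line.strip()})")
    return findings


# Constructed flows: three that the design permits, then the "errant wire",
# a device talking to the internet directly, and a proxy bypass.
SAMPLE_FLOWS = [
    "10.40.0.17 -> 10.41.0.2:8883 tcp",   # thermometer -> collector: allowed
    "10.42.0.3 -> 10.41.0.2:443 tcp",     # proxy -> collector: allowed
    "10.50.0.20 -> 10.50.0.5:5432 tcp",   # app server -> database: allowed
    "10.40.0.17 -> 10.50.0.5:5432 tcp",   # thermometer -> database: segmentation broken
    "10.40.0.17 -> 203.0.113.9:443 tcp",  # thermometer -> internet directly
    "203.0.113.9 -> 10.41.0.2:443 tcp",   # outside -> collector, bypassing the proxy
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed sample, the first three flows pass and the last three are reported; in practice the same check would be fed from a firewall or NetFlow export, and a default-deny allow-list like this one is what makes an unexpected cable show up as an alert rather than as a silent new path.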

  • Anonymous Coward, 16 Apr 2018 @ 1:57pm

    Not the thermometer's fault

    People have been saying for at least 30 years to treat the network as untrustworthy. The real scandal isn't that the thermostat was hacked, it's that evidently the high roller database had no security. It should've had authentication and encryption, and most people with access should not have had enough access to dump the whole database. The system should limit their query rate and flag anything suspicious.

    • DannyB (profile), 17 Apr 2018 @ 7:59am

      IoT is the suffix of Id

      IoT is the suffix of Id.

      Not only should that high rollers database have had authentication and encryption, it should have been ON A DIFFERENT NETWORK.
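The two comments above ask for three database-side controls: only authorised identities may read the high-roller table at all, a query-rate limit per identity, and flagging of anything that looks like a bulk dump. The monitor below is an added example, not code from the post or its commenters; it assumes a constructed audit-log format (`<epoch_seconds> <principal> <table> rows=<n>`), a constructed table size and reader allow-list, and constructed thresholds.

```python
"""Flag bulk reads and rate-limit violations in a database audit log.

Added example, not from the Techdirt post or its comments. The log format,
principals, table size, reader allow-list and thresholds are all constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60
MAX_QUERIES_PER_WINDOW = 20      # constructed: more than this from one principal is suspicious
MAX_ROWS_PER_WINDOW = 500        # constructed: nobody legitimately reads more rows than this per minute
TABLE_ROWS = {"high_rollers": 10_000}                             # constructed table size
ALLOWED_READERS = {"high_rollers": {"crm_app", "floor_manager"}}  # least privilege: who may read it at all


def parse_audit(line: str) -> Tuple[int, str, str, int]:
    """Parse a constructed audit line: '<epoch_seconds> <principal> <table> rows=<n>'."""
    ts, principal, table, rows = line.split()
    return int(ts), principal, table, int(rows.split("=", 1)[1])


class QueryMonitor:
    """Sliding-window counter of queries and rows returned per (principal, table)."""

    def __init__(self) -> None:
        self.history: Dict[Tuple[str, str], Deque[Tuple[int, int]]] = defaultdict(deque)

    def observe(self, line: str) -> List[str]:
        """Feed one audit line; return the alerts it triggers (possibly none)."""
        ts, principal, table, rows = parse_audit(line)
        alerts: List[str] = []

        # Authorisation first: an identity that should never read the table
        # (a device service account, say) is an alert on its own.
        if principal not in ALLOWED_READERS.get(table, set()):
            alerts.append(f"DENY {principal} is not permitted to read {table}")

        window = self.history[(principal, table)]
        window.append((ts, rows))
        while window and ts - window[0][0] >= WINDOW_SECONDS:
            window.popleft()  # drop entries that fell out of the window

        n_queries = len(window)
        n_rows = sum(r for _, r in window)
        if n_queries > MAX_QUERIES_PER_WINDOW:
            alerts.append(f"RATE {principal}: {n_queries} queries on {table} in {WINDOW_SECONDS}s")
        if n_rows > MAX_ROWS_PER_WINDOW:
            pct = 100.0 * n_rows / TABLE_ROWS.get(table, n_rows)
            alerts.append(f"BULK {principal}: {n_rows} rows ({pct:.1f}% of {table}) in {WINDOW_SECONDS}s")
        return alerts


def run_monitor(lines: List[str]) -> List[str]:
    """Run every line through a fresh monitor and collect all alerts in order."""
    monitor = QueryMonitor()
    alerts: List[str] = []
    for line in lines:
        alerts.extend(monitor.observe(line))
    return alerts


# Constructed sample: three ordinary lookups, then a device service account
# pulling the whole table in 2000-row chunks within a few seconds.
SAMPLE_LOG = [
    "1000 crm_app high_rollers rows=1",
    "1005 crm_app high_rollers rows=1",
    "1010 floor_manager high_rollers rows=3",
    "1020 svc_thermo high_rollers rows=2000",
    "1022 svc_thermo high_rollers rows=2000",
    "1024 svc_thermo high_rollers rows=2000",
    "1026 svc_thermo high_rollers rows=2000",
    "1028 svc_thermo high_rollers rows=2000",
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the three ordinary lookups produce nothing, and the very first chunk read by the device account raises both a DENY (it is not on the reader list) and a BULK alert (2000 rows, 20% of the table, in one window); by the fifth chunk the monitor reports 100% of the table read. The authorisation check is the cheap control that alone would have stopped the scenario in the post; the rate and volume checks are the backstop for a legitimate account whose credentials have been taken.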

  • Ninja (profile), 16 Apr 2018 @ 2:17pm

    I guess that we'll need to reach those catastrophic conditions where lives are lost and, much more importantly, it costs money*.

    *As sad as it may sound, I think deaths are worth less than money lost nowadays.

    • Ninja (profile), 16 Apr 2018 @ 2:18pm

      Re:

      Clarifying: not that I think they are worth less, it's that our society is treating them this way hence the "sad" adjective.

  • Ehud Gavron (profile), 16 Apr 2018 @ 2:45pm

    I guess

    This is clearly another argument on turning up the thermostat on spear-phishing.

    E

  • Anonymous Coward, 16 Apr 2018 @ 2:54pm

    "is what economists call an externality" No, it's called late stage capitalism.

  • Mauricio Freitas, 16 Apr 2018 @ 3:13pm

    Old story?

    I am interested to know why this old story is back to life. This originally became public back in July 2017 - here is a WP link https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?utm_term=.c1a9617584d3

  • David (profile), 16 Apr 2018 @ 3:27pm

    And the beat goes on.

    No solution except regulation. I cannot think of one. Hopefully that is just a failure of my imagination, meaning someone else can figure out a fix.

    Regulation of technical anything is such a series of ongoing disasters in the US. We have what, < 4% of our Legislators with any technical knowledge? Time to go set up my V-chip.

  • Zonker, 16 Apr 2018 @ 3:54pm

    Casino hacked by aquarium thermostat?

    So they gambled on the security of their network and lost.

    Sounds like it's time for them to turn up the heat on who's at fault.

    Somebody's probably going to be sleeping with the fishes over this.

  • Lawrence D’Oliveiro, 16 Apr 2018 @ 5:34pm

    No Sympathy For Casinos

    Q: What kind of game is it where any attempt to improve your odds is seen as “cheating”?

    A: A sucker’s game.

  • Anonymous Coward, 16 Apr 2018 @ 6:38pm

    1) create problem
    2) exacerbate problem
    3) ???
    4) proclaim a fix is necessary
    5) profit

  • DOlz (profile), 17 Apr 2018 @ 5:44am

    And here I always thought fish were boring.

  • RichardSeidman, 12 Apr 2019 @ 8:09am

    Former British intelligence officer Robert Hannigan noted that there are no universally accepted IoT security standards. "I know the case when the bank was hacked through surveillance cameras because buying a device, the organization was repelled by the price." He also added that the thermostat and surveillance cameras of the same model still work for other companies and users. I hope that site https://ipayzz.com/slots-lv-casino/ make an only good impression on you.

  • BugMN (profile), 30 Jul 2019 @ 8:49am

    I don't think that will be for a long time. In 2019 we have completely new technology such as Decentralization (blockchain), AI. I'm sure that developers do maximum to protect casinos, gambling, and other internet industries. So I'm sure that this one casino has already a protection system https://getcasinobonus.net/bonuses/bet365/ . In this case I'll be glad when my money can be saved from hackers.

  • LennartPersson (profile), 10 Feb 2020 @ 1:55am

    Hey. If you have been looking for reviews of the best online casinos in the UK, welcome to this site https://play.casino. On the presented gaming platforms, you can play both for real money and for free. You can comfortably play without downloading on any smartphone or tablet based on Android or iOS. They are offered without registration, so every portal guest can play without any obligations and financial risks. Just choose the best casino to try how to play correctly.

  • Jones Wilson (profile), 18 Apr 2020 @ 1:39am

    canon setup

    And the Govt is not doing anything.
    Visit: https://setup-canon.com/ijsetup

  • Emma Watson, 11 May 2020 @ 12:36am

    More and more gambling enthusiasts prefer to spend their free time on virtual venues rather than in real casinos. And, this is not unusual. Indeed, casino online https://casinor.com/ have a lot of extremely attractive features that make the operation of slot machines more convenient and profitable. Few people want to spend their precious time traveling around the city and visiting gambling establishments when it is possible to arrange in the most comfortable environment behind a computer monitor and get at their disposal everything necessary to satisfy the craving for excitement. On the online casino site, players have a unique opportunity to activate any emulators in demo mode.

  • alebas (profile), 17 Dec 2020 @ 5:49am

    If you have been looking for reviews of the best online casinos, welcome to this site HotGamblingNews. On the presented news platform you will find a lot of news, reviews and other interesting and useful info for gamblers.

  • jackblight (profile), 2 Feb 2022 @ 4:02am

    Hey sir, I really played in web-based club, my fundamental locale is club, I truly prefer to win. I comparably love to play blackjack switch, where I absolutely scholarly the standards and systems. An enchanting article surprisingly, I like the ordinary rewards that give different stages to games.

