The tale of an IoT aquarium thermometer and a Casino’s high-roller database uploaded to the cloud.

The tale of an IoT aquarium thermometer and a Casino’s high-roller database uploaded to the cloud.

casino.jpg

The general public and most corporate entities are certainly familiar with the cost effective features and conveniences introduced by Internet of Things ( IoT ) enabled devices such as security cams, HVAC & Building Control Systems, and in the following case, an IoT thermometer for a casino’s fish tank.

Sadly, the following isn’t exactly a new story in cyber security circles.

A Casino’s inherently insecure Internet of Things (IoT) device - an Internet-enabled thermometer - was hacked, used as an ingress through the casino’s network and gained access to a “high roller” database of clients and uploaded it to the cloud.

Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London on Thursday how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.

According to what Eagan claimed, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and "then pulled it back across the network, out the thermostat, and up to the cloud."

The second half of this story is what I found to be genuinely surprising.

It is Optium Cyber Security’s view that even if an Internet of Things ( IoT ) device of any type where to be compromised - and this can happen even under the most stringent application of cyber security best practices - certainly the introduction of additional cyber security best practices should have strictly limited and monitored the IoT device's network access as well as detected and stopped the exfiltration of a mission critical database.

There are a few lessons learned to be derived from this event:

  • Assume an Internet of Things ( IoT ) device has built in security vulnerabilities and can be hacked at any time. These devices are typically built cost efficiently for functionality. Security is an afterthought and for many manufacturers the ability to patch is perhaps impossible or certainly difficult at best.

  • Apply stringent cyber security best practices as you introduce each IoT device into the network. This is where Optium Cyber Security consulting comes into play. A moderate investment of time and money at the start can prevent a world of pain and cost later.

  • Monitor, analyze, and understand your information fabric. No one is immune from a breach even after the consultative approach and best practices has shrunk the attach surface. If the National Security Agency ( NSA ) can be hacked so can we all.  Everyone's goal should be to make their organization a more difficult target.

    However, if the worst happens, it is best to see the event unfold early, in real time, exercise contingency plans, and have the opportunity to also react in real time. This is where Optium Cyber Systems Managed Security Services ( MSSP) operations comes into play. Wondering, after the event, what happened and how bad is the situation, obviously is the worst of all preventable scenarios.  Utilizing a managed security service MSSP can help provide peace of mind in the critical and potentially costly situations.

    Sources:  https://thehackernews.com/2018/04/iot-hacking-thermometer.html