How a thermostat in the lobby fish tank let hackers steal a casino's high-roller database
Hacking a casino high-roller database through the thermostat in a fish tank sounds like the plot of an Ocean's Eleven reboot. But according to the boss of a leading cybersecurity company, it really happened.
In yet another example of how businesses are failing to protect themselves against hacking through seemingly innocent internet of things (IoT) devices, it has been revealed how an unnamed casino had its database of high-rollers stolen through an internet-connected thermostat.
The offending piece of supposedly smart tech was used to regulate the water temperature of an aquarium installed in the lobby. But its internet connection - the very connection casino staff probably considered useful when installing the device - left the establishment's servers exposed.
Speaking at the WSJ CEO Council in London last week, Nicole Eagan, chief executive of cybersecurity company Darktrace, said: "The attackers used [the connected thermostat] to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."
The problem here is obvious, and so is the solution: 'smart' devices like this thermostat need to meet the same security standards as a smartphone or laptop, and must be treated as such by their owners.
Yet, time and again, we hear reports of 'smart' devices being hacked. Brand new cars are stolen in seconds, a home's speakers are hacked to play voices (and Rick Astley) to their owners, face recognition systems are compromised, and internet-connected door locks are left open to attack.
Arbor Networks, a security software company, claims there were 27 billion devices connected to the internet in 2017, and that by 2030 there will be 125 billion, many of them IoT products.
Reported by Business Insider, Eagan also said: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defences."
Devices like this thermostat tend to be basic in their design. This keeps manufacturing costs down and makes them simple for the consumer to use, but leaves them more vulnerable to attack than something like a smartphone. Yet, a device's simplicity doesn't mean it requires less protection, as it is likely connected to the internet via the same network as everything else - in this case, the casino's customer database.
There is a similar problem in the smart home, as consumers fill their properties with devices like air quality monitors, smart lights and speakers. While hacking these doesn't seem like much of a threat, they will likely be connected to the same router as the home's security cameras, smart locks and alarm system, plus the owner's computer, tablet and smartphone.
Another problem is that simpler connected devices tend to receive software updates less often than a laptop or smartphone - that is, if they receive any at all. Keeping devices up-to-date is as important as giving every device a strong password and connecting them to a secure router.