Leaking fish tank

The house always wins? How a smart device took down a casino.

When it comes to the Internet of Things, security still lags behind ingenuity. Among its connected devices are a fair few unknowns. And practice shows that IoT threats have a nasty habit of catching users with their pants down, so to speak. Our agenda today features another seemingly harmless contraption.

High-tech interior

A short while back, a US casino installed a “smart” fish tank in the lobby. The fish feeding schedule, plus salt and temperature levels, were regulated automatically. The thermostat could warn the owner online if the water got too hot or cold.

The device was hidden behind a VPN, clearly to shield it from intruders. But that proved insufficient — the seemingly innocuous thermostat provided a backdoor to other nodes in the local network.

I spy

It transpired that the double-dealing fish tank had sent 10GB of data to somewhere in Norway. Internet security staff struggled to work out what information had fallen into the hands of the faceless hackers. The answer was the casino’s database of high rollers. Open sources do not specify what precise information it contained, but whether it’s just names or, more seriously, contact information and even credit-card numbers, the reputational damage is incalculable. The name of the casino was not publicized, but it was obliged to report the incident to victims of the leak.

Forewarned is forearmed

Companies that don’t want to risk their clients, like this unnamed casino, are advised to keep these rules in mind:

  • Protecting only end devices is not enough. Intruders can use any device as a foothold for attack, so security solutions should be installed on servers and gateways as well. Ideally, they should block all contact with the outside world that seeks entry through unknown ports or arcane protocols.
  • Deny Internet access to any equipment that does not need it for core tasks.
  • Configure all IoT devices very carefully; as yet there is no way to install security solutions on them.
  • Carry out periodic penetration tests. These checks will help find security holes at the fixable stage, including less-obvious gaps that could lead to major problems.