
Casino high-roller database stolen through a thermometer in the lobby fish tank - jonnybgood
http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
======
mysterypie
I studied the photo to see if I could spot the Internet-connected thermometer,
and then finally noticed that the caption said "Ethan Miller/Getty Images",
and only after that saw that it also said, "An aquarium at a casino — not the
one in question."

Forbes who wrote an earlier story did the same thing, but with a Shutterstock
photo[1]. At least the original source of the story (the cyber defense
company) used an illustration so it was obvious that it wasn't the real
thing[2].

[1] https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

[2] https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf (see page 8)

~~~
fjsolwmv
Another reason to boycott Getty!

~~~
Operyl
Why would we boycott Getty simply for having an image of a fish tank in a
casino-looking lobby? That seems... stupid.

~~~
dejawu
To my understanding they're also responsible for getting the "View Image"
button removed from Google Images

~~~
Operyl
Even if they were, the parent's experience is not a valid reason to boycott in
this case still.

~~~
joe5150
perhaps it was sarcasm

------
codedokode
What the article doesn't mention: IoT devices are harmful not only because
they are vulnerable. They can be used to collect data on users. Every
enterprise aims to get as much profit as possible; collecting users' data and
selling them later obviously gets you more profit than not collecting.

Why would a thermometer need to connect to the Internet in the first place? It
is absolutely unnecessary. The software could be installed on a server in a
local network or even inside the thermometer itself.

I think the reason why these devices require an Internet connection is that
vendors just want to lock user to their servers and collect "anonymous
statistics" from them.

~~~
userbinator
This reminds me of "cloud cameras" which seem to be getting more and more
popular, and the absurdity of the whole situation.

Years ago, the standard was "IP cameras" which you basically connected to
directly and they would stream video to you. Now these cameras stream video to
some remote server, so the output from a camera which might be sitting only
tens of meters away, goes maybe thousands of miles out into the Internet,
crossing a geopolitical border or several, before coming back in. IMHO it's
absolutely disgustingly inefficient in addition to all the privacy risks.

Of course the makers claim this is so you can watch from anywhere, but a lot
of those old "dumb"(?) IP cameras could be configured to upload video to a
remote server if you wanted, and one under your control.

Relatedly, the musings of a coworker who wondered why IM'ing someone sitting
less than 10ft away in the office should even require a working Internet
connection --- because his message gets sent far away and then back, in a
horrifically wasteful loop, instead of going directly from computer to computer
within the LAN.

~~~
davidcbc
>Of course the makers claim this is so you can watch from anywhere, but a lot
of those old "dumb"(?) IP cameras could be configured to upload video to a
remote server if you wanted, and one under your control.

The average consumer doesn't have a remote server or the knowledge to set one
up.

~~~
csydas
> The average consumer doesn't have a remote server or the knowledge to set
> one up.

Which is fine to say, but doesn't really address the main issue of the IoT
Cameras and honestly comes off as exploitative as an excuse. Just because
something provides a convenient service does not mean it should get a free
pass on basic and reasonable security precautions, nor should it be able to
exfiltrate data, much less in a lazy way.

To be 100% clear, I'm not meaning to put words in the parent's mouth; I
understand that the statement is just a factual statement that most people
don't know how to set up a remote server. However, small SOC boards have never
been cheaper and continue to grow cheaper; a "remote server" to feed data to
can be bundled easily at extremely low cost to the manufacturer, let the user
provide their own storage, and then work on making the discovery experience
elegant. (Plug in the cameras and the SOC box close to one another. Plug the
SOC Box into a monitor/TV. Follow the on-screen prompts to discover the local
WiFi and Cameras and connect all of them)

Apple has found ways to make their wireless vision almost complete; setting up
remote printers, connecting via Airdrop, etc, is all fairly close to elegant
with some minor bumps. Xiaomi's line of hardware ties in neatly to Mi-Life
fairly well also and discovery is easy (though the actual connectivity is in
dire need of work). The idea that consumers need to let their data be
exfiltrated due to lack of knowledge is silly; there are numerous examples on
how to do it right, and the tech has never been more ready.

~~~
c12
This is far more eloquent than my reply. +1

------
woliveirajr
Old news: this is from 2017 [0]

It's just that the attack was part of a new article, and the headline used it
to make it sexy.

[0] https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

------
closeparen
Regulation to try to prevent weak links in a still perimeter-security-based
design is hopeless. We need to stop substituting network of origin for real
authentication and authorization systems.

~~~
hueving
But don't go too far and substitute authentication for network isolation.
Vulnerabilities are a thing.

~~~
behringer
No kidding, who puts a valuable database on the same network as their HVAC
system? The sysadmin should be fired.

~~~
konschubert
AND that database presumably wasn't password protected?

------
greglindahl
I have a friend who works in a casino, and the industry standard is to put
untrusted devices on a segregated network.

Even trusted devices are segregated by vendor.

~~~
icefox
It would be nice if at home routers made this easy to do too

~~~
wil421
You can get home routers that set up VLANs. Ubiquiti EdgeRouters will do almost
anything you need to do.

~~~
flyinghamster
I have one of those (but no Internet of Shit devices to segregate). Still,
it's nice to know I can do so if I need to.

Unfortunately, all is not rainbows and unicorns. Ubiquiti's GUI doesn't treat
IPv6 as a first-class citizen; if you want IPv6 you need to head for the CLI
and hope you hit upon the right recipe to enable it for your provider - and
make sure you set up your firewall rules to only open IPv6 addresses/ports you
want open.

------
RandallBrown
How does a hack like this work? Is the device somehow connected to the
Internet, the attackers take over the device, then since that device has
access to the casino network, the attackers could then see anything that
wasn't secured on the network?(basically anything that relied on the network
being secure for their security?)

~~~
blincoln
I don't know exactly what happened in this case, because they're not sharing
details, but I've done similar things in a lot of pen tests.

Your assumption is pretty accurate. Whatever internet-facing device is
compromised is then used as a gateway onto the internal network, and a conduit
for getting data back out if necessary. With access to the internal network,
it's usually much easier to find things like systems with default/weak
passwords, exploitable services, and so on.

It usually takes a couple of steps, like hopping from the initial system onto
something that has interesting credentials stored/cached on it, and from there
on to the things that are actually of interest. Every once in awhile, I'm
lucky, and the initial point of compromise has super-privileged credentials on
it, but that just makes things easier.

------
shaunol
At this point I wouldn't be surprised if the high roller database itself were
stored on its own IoT device linked to some "high roller analysis as a
service" platform.

~~~
21
Or maybe just in an unpassworded MongoDB instance somewhere in Amazon, because
agile.

------
leonroy
You’d think these companies would use VLANs or at a minimum a router or layer
3 switch to segregate camera, critical services and fish tank IoT network
traffic.

~~~
mysterypie
The original source[1] claims that the casino did take some precautions (a
VPN) but still doesn't clearly explain how the failure occurred: _"A North
American casino recently installed a high-tech fish tank as a new attraction,
with advanced sensors that automatically regulate temperature, salinity, and
feeding schedules. To ensure these communications remained separate from the
commercial network, the casino configured the tank to use an individual VPN to
isolate the tank's data. However, as soon as Darktrace was installed, it
identified anomalous data transfers from the fish tank to a rare external
destination. Communications took place on a protocol normally associated with
audio and video."_

[1] https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
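
The two checks this thread keeps circling back to (greglindahl's "untrusted devices on a segregated network" and the quoted report's "anomalous data transfers ... to a rare external destination" on an unexpected protocol) as flow-log review logic. This is an added example, not code from the article, Darktrace or any commenter; the address plan, the flow-record format and the sample flows are all constructed, and 1935/tcp (RTMP) stands in for the unnamed "audio and video" protocol.

```python
"""Flow-record review for a segregated IoT device (constructed sample data)."""
from ipaddress import ip_address, ip_network

# Assumed address plan (placeholders, not the casino's real network).
IOT_NET = ip_network("10.30.0.0/24")          # tank controller segment
CORP_NETS = [ip_network("10.10.0.0/16")]      # where the valuable data lives

# Constructed flow lines: ts,src,dst,dport,proto,bytes
BASELINE = """\
2018-04-10T00:00:10,10.30.0.7,203.0.113.10,443,tcp,1200
2018-04-10T00:10:10,10.30.0.7,203.0.113.10,443,tcp,1300
2018-04-10T00:30:10,10.30.0.7,203.0.113.11,123,udp,76
"""
# 1935/tcp is the RTMP streaming port: a stand-in for the "protocol normally
# associated with audio and video" in the quoted report.
RECENT = """\
2018-04-11T02:00:10,10.30.0.7,203.0.113.10,443,tcp,1250
2018-04-11T02:05:10,10.30.0.7,10.10.5.20,1433,tcp,8400
2018-04-11T02:06:10,10.30.0.7,198.51.100.99,1935,tcp,10485760
"""

def parse(text):
    """Turn CSV flow lines into dicts with parsed addresses and ints."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        rows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                     "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return rows

def build_baseline(flows):
    """Per source address: the (dst, dport, proto) tuples seen while learning."""
    seen = {}
    for f in flows:
        seen.setdefault(f["src"], set()).add((f["dst"], f["dport"], f["proto"]))
    return seen

def review(flows, baseline):
    """Return (kind, ts, dst, dport) findings for flows leaving the IoT segment."""
    findings = []
    for f in flows:
        if f["src"] not in IOT_NET or f["dst"] in IOT_NET:
            continue                       # not our device, or local chatter
        if any(f["dst"] in net for net in CORP_NETS):
            # Segmentation violation: the IoT segment must never reach corp ranges.
            findings.append(("segmentation", f["ts"], str(f["dst"]), f["dport"]))
            continue
        if (f["dst"], f["dport"], f["proto"]) not in baseline.get(f["src"], set()):
            # Never-before-seen external destination/port/protocol for this device.
            findings.append(("new-external", f["ts"], str(f["dst"]), f["dport"]))
    return findings
```

Run `review(parse(RECENT), build_baseline(parse(BASELINE)))` to see the corp-bound flow flagged as a segmentation break and the RTMP flow flagged as a new external destination; the baseline would normally be learned from days of real flow exports, not three lines.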

~~~
fjsolwmv
Note that the "source" here is an _ad_ for an "AI-enhanced" network monitor.
There's no information to vet their claims, and it's a little weird that their
client would happily subject themselves to public embarrassment like that.

------
advaitruia
This is such a clickbait article.

It doesn't mention any details of how the data was actually stolen using the
thermometer. It doesn't even explicitly say that the thermometer was an IoT
device. "Hacked through a thermometer" could mean so many things.

------
bitwize
Right now /r/movies is having a laugh about a scene from _Rampage_ where a
character hacks a corporate network through a thermostat. Much as I love a
good chuckle at "Hollywood hacking", this is a thing that can actually happen.

~~~
abricot
I think the big difference between reality and a lot of Hollywood hacking is
1. the time it takes 2. how elaborate it always has to be 3. the fact that
during the initial exploration they would most likely find an even easier
point of attack.

------
IncRnd
Maybe the fish tank shouldn't be on the same network as high value assets.
That way, vending machines could be accessed by the fish tank but not the
mission critical data.

~~~
freeloop10
It's likely that was the protocol, but it wasn't followed. It usually comes
down to actions of a Pointy Haired Boss rather than some glaringly obvious
hole in their security plan.

------
matte_black
How do you verify a database you stole isn’t a decoy with dummy data?

~~~
paulie_a
Because this isn't a spy movie and that sort of thing rarely happens in real
life.

It's also fairly easy to vet the data.

------
gruzh
"S" in "IoT" is for Security

------
sbassi
What is a high-roller database?

