Casino high-roller database stolen through a thermometer in the lobby fish tank (businessinsider.com)
230 points by jonnybgood 7 months ago | hide | past | web | favorite | 74 comments

I studied the photo to see if I could spot the Internet-connected thermometer, and then finally noticed that the caption said "Ethan Miller/Getty Images", and only after that saw that it also said, "An aquarium at a casino — not the one in question."

Forbes, who wrote an earlier story, did the same thing, but with a Shutterstock photo[1]. At least the original source of the story (the cyber defense company) used an illustration so it was obvious that it wasn't the real thing[2].

[1] https://www.forbes.com/sites/leemathews/2017/07/27/criminals...

[2] https://www.darktrace.com/resources/wp-global-threat-report-... (see page 8)

Another reason to boycott Getty!

Why would we boycott Getty simply for having an image of a fish tank in a casino-looking lobby? That seems .. stupid.

To my understanding they're also responsible for getting the "View Image" button removed from Google Images

Even if they were, the parent's experience is not a valid reason to boycott in this case still.

perhaps it was sarcasm

What the article doesn't mention: IoT devices are harmful not only because they are vulnerable. They can be used to collect data on users. Every enterprise aims to get as much profit as possible; collecting users' data and selling them later obviously gets you more profit than not collecting.

Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary. The software could be installed on a server in a local network or even inside the thermometer itself.

I think the reason why these devices require an Internet connection is that vendors just want to lock users to their servers and collect "anonymous statistics" from them.

> Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary. The software could be installed on a server in a local network or even inside the thermometer itself.

Seriously? This is not obvious?

What's the upper bound on the number of aquariums that a large facility might have as decor, decorative dividers, etc? 10? 50? 200? More?

At a commercial scale having people go to each one is no more viable than Google using web managed network switches would be, or than using individual residential thermostats in a large office building. It might be possible, but it would be slow and error prone.

Installing an in house server would be no better, but for different reasons of getting IT involved either for the server or for local software on a PC (locked down possibly and unable to install or run unrecognized apps). "Hi, this is Bob in maintenance, we'd like to install some software that will scan the network for" "NO." "But the fish!" "NO."

For that matter had these been properly segregated on an "IoT" network neither of those would have worked well anyway. If you're handling financial data like that in a regulated environment, nothing from the IoT network should be able to reach to protected systems. There's a case for the protected network to be able to reach to IoT, but there are also reasons to not allow it.

Frankly, having devices like that able to reach out to a cloud management system makes a lot of sense for both the client and vendor (subscriptions, lock-in, etc). The problem is allowing them on a supposedly secure network.

Edit: added "residential thermostats" because it seems more appropriate here than my initial example

This reminds me of "cloud cameras" which seem to be getting more and more popular, and the absurdity of the whole situation.

Years ago, the standard was "IP cameras" which you basically connected to directly and they would stream video to you. Now these cameras stream video to some remote server, so the output from a camera which might be sitting only tens of meters away, goes maybe thousands of miles out into the Internet, crossing a geopolitical border or several, before coming back in. IMHO it's absolutely disgustingly inefficient in addition to all the privacy risks.

Of course the makers claim this is so you can watch from anywhere, but a lot of those old "dumb"(?) IP cameras could be configured to upload video to a remote server if you wanted, and one under your control.

Relatedly, the musings of a coworker who wondered why IM'ing someone sitting less than 10ft away in the office should even require a working Internet connection --- because his message gets sent far away and then back, in a horrifically wasteful loop, instead of going directly from computer to computer within the LAN.

>Of course the makers claim this is so you can watch from anywhere, but a lot of those old "dumb"(?) IP cameras could be configured to upload video to a remote server if you wanted, and one under your control.

The average consumer doesn't have a remote server or the knowledge to set one up.

> The average consumer doesn't have a remote server or the knowledge to set one up.

Which is fine to say, but doesn't really address the main issue of the IoT Cameras and honestly comes off as exploitative as an excuse. Just because something provides a convenient service does not mean it should get a free pass on basic and reasonable security precautions, nor should it be able to exfiltrate data, much less in a lazy way.

To be 100% clear, I'm not meaning to put words in the parent's mouth; I understand that the statement is just a factual statement that most people don't know how to set up a remote server. However, small SOC boards have never been cheaper and continue to grow cheaper; a "remote server" to feed data to can be bundled easily at extremely low cost to the manufacturer, let the user provide their own storage, and then work on making the discovery experience elegant. (Plug in the cameras and the SOC box close to one another. Plug the SOC Box into a monitor/TV. Follow the on-screen prompts to discover the local WiFi and Cameras and connect all of them)

Apple has found ways to make their wireless vision almost complete; setting up remote printers, connecting via Airdrop, etc, is all fairly close to elegant with some minor bumps. Xiaomi's line of hardware ties in neatly to Mi-Life fairly well also and discovery is easy (though the actual connectivity is in dire need of work). The idea that consumers need to let their data be exfiltrated due to lack of knowledge is silly; there are numerous examples on how to do it right, and the tech has never been more ready.

This is far more eloquent than my reply. +1

> The average consumer doesn't have a remote server or the knowledge to set one up.

The average consumer doesn't need a remote server or the knowledge to set one up, just a plug and play device that works. IP cameras don't need to stream to some cloud service, you could have a plug and play consumer "home cloud" set up that allows the user to keep control of their data 100%.

A while ago there used to be almost plug and play IP camera set ups. Plug this box into your router and these cameras into that box. The box could be logged into remotely and had both a web based interface and mobile app.

I used this in a number of installs where the mostly computer illiterate clients wanted to be able to check up on their horses, or home or work premises (or all three) from their phone or laptop as well as review footage from months ago.

It feels weird to me that people feel comfortable in transmitting what can be very personal and private feeds into the ether and if more average consumers were less ignorant of the risks there would be more consumer pressure for cloud-less set ups.

net send!

Well, when I was 12 I used that command in a batch file with an infinite goto loop to effectively lock up my sister's computer, so we might want something a bit more robust than that.

> Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary.

It’s strictly unnecessary, but it’s a bit convenient for NAT-piercing and enabling remote monitoring and management.

It’s like everything else: there’s a trade off between certain conveniences and security/privacy. For some people, the line is strongly on the side of security and for others, the line is more favorable to convenience.

> there’s a trade off between certain conveniences and security/privacy

The trade isn't between convenience and security. It's between convenience and the result of a security breach. "more security" is abstract and hard to understand; "lowering the probability of this bad thing happening" is much, much easier.

In this case the casino owners had to choose between "remote monitoring of the fishtank" and "a way for hackers to access the internal network and all the bad things that could result from that", and they chose the fishtank.

RE: Thermostat

I live in Phoenix, and regularly set my thermostat en route to my house after being gone awhile. I have scripts that set it to away automatically when my phone leaves the network.

It saves me quite a lot of power yearly.

(I feel guilty for contributing to these sorts of pedantic HN threads, but there you go)

At least yours is a very decent example of where it is handy.

Really? And who will support that on-premise "thermo-server"? Who'll security update it? run sw upgrades? Solve misconfigured networks? Replace a faulty network adapter?

It could just be ease of maintenance; if a server on AWS goes down, you can fix it from anywhere, or fall back on blaming Amazon.

If an on-site server goes down, odds are you might need to go on site, especially if the whole thing is separated from the internet to avoid leaking "anonymous statistics."

Those IoT devices are getting more and more computing power. They can run the server software (like Web UI) on the device itself. For example, they can serve static SPA that would connect back to the device via Websocket. So you don't need a sophisticated web server and can do most computations in a browser.

It's not terribly useful for each fish tank thermometer (or whatever) to run its own server and webui, since what you're probably interested in is "are all of my things behaving as expected".

Having that data be centralized- on site or off- is where a web UI can be most useful.

A friend of mine rolled his own version of this for his house, helping him optimize how the furnace / ac units operate, etc. It would've been way more painful to go to each device's UI individually.

Why not? That server could have an api for a management device to discover and manage it as well.

That does make sense, http or otherwise. And yes, technically feasible for each device to serve up its own SPA, though I still fail to see why one would want to go to individual sites when a centralized interface for looking at the units both individually and as a group would be more efficient. To each their own, I guess.

Right now you are beholden to the Amazon, Apple or vertically integrated solution to access your IoT devices.

My thermostat cost $10 75 years ago. I would prefer that a $200 thermostat have a life longer than the technology platform.

Especially if it’s a SPA, the same API (with minimal changes) that drives the web UI could be available to others on the network.

But then it can either only be accessed within the same subnet, or you are going to have to do some port forwarding. Which is too much to ask for 99% of users.

Old news: this is from 2017 [0]

It's just that the attack was part of a new article, and the headline used it to make it sexy.

[0] https://www.forbes.com/sites/leemathews/2017/07/27/criminals...

Regulation to try to prevent weak links in a still perimeter-security-based design is hopeless. We need to stop substituting network of origin for real authentication and authorization systems.

But don't go too far and substitute authentication for network isolation. Vulnerabilities are a thing.

> But don't go too far and substitute authentication for network isolation. Vulnerabilities are a thing.

I don't know if I still agree with this. One of my most important and private services is exposed on the web - the most untrusted network on the planet - and it's using application layer authentication, and no network isolation.

I don't need a vpn to get access to my gmail, my web banking or my nextcloud instance. I can access all those services over the most untrusted network of the world with a username and a password (and maybe a second factor auth token).

I think network layer isolation is overvalued. In the end, you still have to secure all your local lan resources anyway, because trusting your lan clients is never a good idea. So if your lan is untrusted like the wan network, and you secure all your stuff in your lan like you would secure them if they were exposed on the internet, there is no need for network level isolation at this point. Sure, it's another layer of security and all that, but that comes with a high cost, that is not always worth paying.

No kidding, who puts a valuable database on the same network as their HVAC system? The sysadmin should be fired.

AND that database presumably wasn't password protected?

I have a friend who works in a casino, and the industry standard is to put untrusted devices on a segregated network.

Even trusted devices are segregated by vendor.

Industry standard is not always truly followed by everyone as seen here. Still can't believe this sounds like something out of Mr. Robot

When I first saw the title I thought this was about extracting data from an air gapped network through some crazy thermometer enabled means. Truth seems to be much more mundane.

Curious.. are there any recorded instances of air gapped networks being breached?

Not totally sure of the details but the dropped flash drive hack seems popular



It would be nice if at home routers made this easy to do too

You can get home routers that set up VLANs. Ubiquiti Edge Routers will do almost anything you need to do.

I have one of those (but no Internet of Shit devices to segregate). Still, it's nice to know I can do so if I need to.

Unfortunately, all is not rainbows and unicorns. Ubiquiti's GUI doesn't treat IPv6 as a first-class citizen; if you want IPv6 you need to head for the CLI and hope you hit upon the right recipe to enable it for your provider - and make sure you set up your firewall rules to only open IPv6 addresses/ports you want open.

This is also a feature on Pfsense, or just about any high end router, switch, or firewall.

The article asserts, "It expands the attack surface and most of this isn't covered by traditional defenses", which is bogus. It's just another device that doesn't need to be on the same network as critical services.

Tomato makes this very easy. I've set up an "untrusted" network, devices in which can't connect anywhere, neither to local nor to remote machines (only I can connect to them).

My router, the Asus RT-N66U can have multiple Wi-Fi guest networks with the default firmware.

Didn't that Wired article about the Jeep hack tell us something about how well that sometimes gets implemented?

From memory, there was an "untrusted trusted entertainment system" network segment, and a firewall which allowed one-way traffic out of the "trusted" vehicle management network (so the entertainment system could get car speed and similar), and the firewall could have its firmware updated. From the untrusted network segment...

The problem with the entertainment system hack is that the CAN bus used in vehicles uses a priority system that is designed so that a higher priority device can always claim the bus. If I remember correctly the entertainment system hack moved up the priority of the entertainment system on the bus so that it was higher priority than whatever nominally controls the car. A CAN bus isn't robust against bad actors and should have been air gapped to any external connection.

Priority doubles as ID in most CAN systems, so changing the priority means you're no longer sending the message to the same endpoint. As you say, though, CAN isn't secure against someone with physical access to the bus.

IMO "the problem" isn't the CAN priority system, it's that a remotely programmable device (the CAN gateway) was connected to both the control network and the internet (via the entertainment center). For something so security critical, it should have been kept as dumb as a box of rocks, and certainly never made network-updatable.

That is an obvious and sound plan. It would be interesting to know how that broke down in this particular case.

Yep. With the usual sorts of regulations, a casino can lose its license and be shut down for screwing up this kind of security. Compared to other sorts of businesses, casino regulation is very strict. I'd love to know how it played out.

As someone who has used the web-based room reservation software for rewards members, I find this a bit hard to believe.

Uncanny the number of times I get precisely two downvotes.

How does a hack like this work? Is the device somehow connected to the Internet, the attackers take over the device, then since that device has access to the casino network, the attackers could then see anything that wasn't secured on the network?(basically anything that relied on the network being secure for their security?)

I don't know exactly what happened in this case, because they're not sharing details, but I've done similar things in a lot of pen tests.

Your assumption is pretty accurate. Whatever internet-facing device is compromised is then used as a gateway onto the internal network, and a conduit for getting data back out if necessary. With access to the internal network, it's usually much easier to find things like systems with default/weak passwords, exploitable services, and so on.

It usually takes a couple of steps, like hopping from the initial system onto something that has interesting credentials stored/cached on it, and from there on to the things that are actually of interest. Every once in a while, I'm lucky, and the initial point of compromise has super-privileged credentials on it, but that just makes things easier.

While not exactly the same, this write-up does give an example of the steps involved: https://docs.google.com/document/d/1XWzlOOuoTE7DUK60qTk1Wz1V...

That was my guess as someone who has worked places where database access is restricted to a whitelisted set of ips that includes the internal network.

Take over the thermometer and you can send requests to the database as a whitelisted ip.

If the vendor's website has a vulnerability like CSRF (which are very common because browsers allow cross-domain GET/POST requests by default and developers often don't realise they should block such requests) then the attacker can gain control over the IoT device if they make an employee visit their page.

At this point I wouldn't be surprised if the high roller database itself were stored on its own IoT device linked to some "high roller analysis as a service" platform.

Or maybe just in an unpassworded MongoDB instance somewhere in Amazon, because agile.

You’d think these companies would use VLANs or at a minimum a router or layer 3 switch to segregate camera, critical services and fish tank IoT network traffic.

The original source[1] claims that the casino did take some precautions (a VPN) but still doesn't clearly explain how the failure occurred: "A North American casino recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules. To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank's data. However, as soon as Darktrace was installed, it identified anomalous data transfers from the fish tank to a rare external destination. Communications took place on a protocol normally associated with audio and video."

[1] https://www.darktrace.com/resources/wp-global-threat-report-...
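The kind of check the quoted report describes (a tank sensor sending data to a rare external destination over a protocol it has no reason to use), as an added example that is not part of the thread or of any vendor's product. The flow records, address ranges, port list and thresholds are all constructed assumptions.

```python
"""Flag IoT flows to rare external destinations on unexpected ports."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions, not taken from the report).
INTERNAL = ip_network("10.0.0.0/8")     # everything inside the perimeter
IOT_NET = ip_network("10.50.0.0/24")    # segment holding the tank sensors
EXPECTED_PORTS = {53, 123, 443}         # DNS, NTP, vendor cloud over TLS
RARE_MAX_SOURCES = 1                    # destination used by at most one host
BYTES_OUT_ALERT = 5_000_000             # outbound volume worth a look

# Constructed flow records: (src, dst, proto, dst_port, bytes_out)
FLOWS = [
    ("10.50.0.17", "198.51.100.10", "tcp", 443, 12_000),     # vendor cloud
    ("10.50.0.18", "198.51.100.10", "tcp", 443, 11_500),
    ("10.20.0.5", "198.51.100.10", "tcp", 443, 90_000),
    ("10.50.0.17", "192.0.2.123", "udp", 123, 400),          # NTP
    ("10.50.0.18", "192.0.2.123", "udp", 123, 400),
    ("10.50.0.18", "203.0.113.9", "tcp", 443, 30_000),       # rare, but small
    # Two records of one upload; port 5004 stands in for the
    # "audio and video" protocol mentioned in the report.
    ("10.50.0.17", "203.0.113.77", "udp", 5004, 4_900_000),
    ("10.50.0.17", "203.0.113.77", "udp", 5004, 4_900_000),
    ("10.20.0.5", "203.0.113.200", "tcp", 443, 2_000),       # not an IoT source
    ("10.50.0.17", "10.20.0.5", "tcp", 8080, 1_000),         # east-west, skipped
]


def find_anomalies(flows):
    """Return alerts for IoT sources that trip at least two indicators."""
    sources_per_dst = defaultdict(set)   # external dst -> internal talkers
    volume = defaultdict(int)            # (src, dst, proto, port) -> bytes out
    for src, dst, proto, port, nbytes in flows:
        if ip_address(dst) in INTERNAL:
            continue                     # only egress is examined here
        sources_per_dst[dst].add(src)
        volume[(src, dst, proto, port)] += nbytes

    alerts = []
    for (src, dst, proto, port), total in sorted(volume.items()):
        if ip_address(src) not in IOT_NET:
            continue
        reasons = []
        if len(sources_per_dst[dst]) <= RARE_MAX_SOURCES:
            reasons.append("rare destination")
        if port not in EXPECTED_PORTS:
            reasons.append("unexpected port")
        if total >= BYTES_OUT_ALERT:
            reasons.append("large upload")
        # One indicator alone is noisy (a new CDN node, a firmware check);
        # requiring two keeps the small 443 flow above from alerting.
        if len(reasons) >= 2:
            alerts.append({"src": src, "dst": dst, "proto": proto,
                           "port": port, "bytes_out": total,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(FLOWS):
        print(alert)
```

Summing bytes per conversation before applying the threshold matters here: neither of the two constructed upload records crosses the volume limit on its own.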

Note that the "source" here is an ad for an "AI-enhanced" network monitor. There's no information to vet their claims, and a little weird that their client would happily subject themselves to public embarrassment like that.

>You’d think these companies would use VLANs or at a minimum a router or layer 3 switch

You assume way too much. I bet half the fish in that tank never even got a background check

They probably do. Sounds like in this case the thermometer was able to hit a phone or videoconferencing network.

This is such a clickbait article.

It doesn't mention any details of how the data was actually stolen using the thermometer. It doesn't even explicitly say that the thermometer was an IOT device. "Hacked through a thermometer" could mean so many things

Right now /r/movies is having a laugh about a scene from Rampage where a character hacks a corporate network through a thermostat. Much as I love a good chuckle at "Hollywood hacking", this is a thing that can actually happen.

I think the big difference between reality and a lot of Hollywood hacking is 1. the time it takes 2. how elaborate it always has to be 3. the fact that during the initial exploration they would most likely find an even easier point of attack.

Maybe the fish tank shouldn't be on the same network as high value assets. That way, vending machines could be accessed by the fish tank but not the mission critical data.

It's likely that was the protocol, but it wasn't followed. It usually comes down to actions of a Pointy Haired Boss rather than some glaringly obvious hole in their security plan.

How do you verify a database you stole isn’t a decoy with dummy data?

Because this isn't a spy movie and that sort of thing rarely happens in real life.

It's also fairly easy to vet the data.

You verify it.

"S" in "IoT" is for Security

what is a high-roller database?
