A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer

For years we’ve documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we’re not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.

A year or so ago Bruce Schneier penned what was probably the best explanation of why nothing in the IOT chain of dysfunction seems to improve:

"The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Instead of fixing their products, vendors simply move on to marketing the next best thing. And consumers continue to gobble them up, creating millions of millions of new attack vectors into homes and businesses around the world annually. Obviously this "invisible pollution" continues to have a very real and visible impact. Case in point: Nicole Eagan, the CEO of cybersecurity firm Darktrace, says hackers are increasingly targeting unprotected IOT devices including air conditioners, toys, and surveillance cameras to get into corporate networks.

She noted how one bank that decided to skimp on security cameras actually wound up being hacked after those cameras were quickly compromised by attackers. Speaking at the WSJ CEO Council Conference, she also shared an anecdote about how one big casino client had their customers’ financial histories stolen thanks to an internet-of-broken things aquarium thermostat:

"Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby. The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."

It’s understandable that people are wary of regulating this sector lest it stifle innovation or create unforeseen, additional problems. But it’s pretty clear we’re going to need a massive collaboration between the public, companies, and government if we want to avoid some potentially calamitous and fatal outcomes (especially if and when essential infrastructure is targeted). That’s why what the open source IOT security and privacy standards organizations like Consumer Reports have been cooking up desperately need all the public and private sector support they can get.

Permalink | Comments | Email This Story

via Techdirt
A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer