NEWSBYTE: The CEO of cybersecurity company Darktrace, Nicole Eagan, has shared details of an embarrassing casino data breach. The anecdote appears to epitomise the flaws in many organisations’ approaches to IoT security, while highlighting some serious industry-wide problems.
Speaking at a WSJ CEO Council event in London, Eagan described a series of events involving hackers, a casino, and a connected aquarium.
Rather than gaining access to the vault of the unnamed establishment, hackers were able to pinch the casino’s high-roller database after gaining access to its network via the smart thermostat in a fish tank in the lobby.
Expanding the attack surface
“The attackers used [the connected thermostat] to get a foothold in the network,” said Eagan. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”
According to Business Insider, Eagan pointed out that smart thermostats are only the beginning, with increasing numbers of insecure IoT devices exposing organisations’ data.
“There’s a lot of IoT devices – everything from thermostats, refrigeration systems, and HVAC systems, to people who bring their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defences,” she said.
Devices with simple functions, basic designs, and unchanged default passwords are often targeted by hackers looking to gain a foothold in a network.
Breaches such as this highlight the obvious: simplicity doesn’t mean that lower security standards are acceptable, particularly when the device in question is connected to the same network as more sensitive information.
In many ways, a breach through a seemingly innocuous device inside a casino aquarium is the perfect analogy for the state of IoT security today. Just as with a fish tank, the smallest of cracks can quickly lead to a torrent of bad news. And just as with a fish tank, everyone can see what’s going on inside if you put insecure devices at the doorway to your business.
Internet of Business says
Countless security reports this year have revealed similar findings: IoT device security is wanting, and many organisations lack a strategic approach to managing it.
Here are some of our recent reports on the problem, which reveal that device security is essential, alongside a better, more informed system for managing IoT networks:
- Read more: Security: Why you should worry about unsecured IoT devices – Mozilla
- Read more: Healthcare, SMEs biggest targets of security attacks, says Verizon
- Read more: Industrial IoT: Consortium sets out new IoT security benchmarks
- Read more: IoT security: Half of IT departments don’t change default passwords
- Read more: IoT Security: How to fight attacks on health, energy, and transport
- Read more: IIoT security: How to secure the ‘Internet of Threats’, by IBM