Second day of Hackmas: Casino gets hacked via a fish tank
Probably my favourite hack of all time is the Casino that lost its high roller database after its fishtank got hacked.
In the end the attack was just like any other – find a vulnerability in the network and exploit it but the exposed piece of infrastructure was not the usual.
You see, the fish tank in question had a thermostat and sensors that was connected to the internet, presumably so that it could be controlled and maintained from someone’s smartphone app.
And this is the problem with Internet of Things (IoT) devices: they aren’t built with security in mind. They’re often cheaply produced products that have “cool features” that can only be updated via an app.
These apps come shipped with default usernames and passwords (usually the username is admin and the password is… admin) that people don’t change. There’s no incentive to change the password because once you’ve connected to the fish tank (or whatever it is you’ve just purchased) you’re more concerned with playing with the settings than you are about having to remember yet another password.
What did the attackers walk away with? 10GB of data on the Casino’s high roller database.
How could this have been prevented?
- Did the fish tank need to be connected to the internet???
- Setup a guest network that is isolated from your corporate network
- Change the default password
- Install any available software updates