Casino fish tank hack a cautionary tale for businesses using IoT

Pinch me if you’ve heard this one. In 2017, a casino was breached through a smart thermometer used to monitor the temperature of an aquarium installed in the lobby. Threat actors exploited the smart thermometer to penetrate the casino’s network and steal information from its high-roller database. Yikes.

The fish tank hack has already gone down in history as the ultimate cautionary tale for installing IoT in your home or business. Yet adoption of IoT has steadily risen over the last five years for consumers and organizations — despite, or in some cases because of, the COVID-19 pandemic causing a serious wrinkle in basically everything.

IoT security is no longer a fringe concern. Business owners and security teams alike should be looking at ways to build IoT security protocols into their plans for adoption — especially because many such devices have little protection built into their own functionality.

Weak IoT security should concern consumers, businesses as adoption increases

Back in 2017, IoT was still a baby-faced newbie. The technology was not yet well understood, but early adopters were keen to demonstrate their savvy with the latest and greatest. However, that lack of understanding carried with it grave consequences — especially for one North American casino.

In July of that year, the casino was breached through rather unorthodox means: a fish tank. Not just any fish tank, of course. The high-tech aquarium was installed in the casino’s lobby, and its temperature and salinity were remotely monitored via an Internet-connected thermostat, which also allowed for automated feeding of the fish.

Unfortunately, lack of proper security protocols like network segmentation and antivirus protection meant the smart device also allowed hackers to easily access the casino’s network and exfiltrate 10 GB of data from its high-roller database. The data, which may have included information about some of the casino’s biggest spenders, along with other private details, was sent to a remote server in Finland. By the time the casino discovered its error, it was too late.

The story has become something of a cybersecurity legend, a parable for IoT security. Four years later, adoption of IoT has increased tenfold, yet the lessons learned from the fish tank hack have yet to penetrate the masses. Consumers and organizations might know much more about the benefits of smart devices, but many remain ignorant of their security deficits. And despite the US government getting involved and passing IoT laws, there is still a lack of regulation across the industry.

Today, IoT devices are in hot demand. The global market for IoT was valued at $761.4 billion in 2020, according to Mordor Intelligence, and it is expected to top $1.3 trillion by 2026. Juniper Research says that there will be 83 billion IoT connections by 2024, up from 35 billion recorded in 2020. That’s a whole lot of IoT, especially considering the pandemic derailed the global economy, employment, and entire industries for more than a year.

IoT adoption among consumers has picked up pace over the last five years, with smartphones and home automation particularly driving growth. The global home automation market alone stood at $45.8 billion in 2017 and is projected to reach $114 billion by 2025.

The most popular smart home devices include home assistants like Alexa or Google Home, smart thermostats such as Nest, and smart doorbell/security devices like Ring. Other IoT home products include smart locks, refrigerators, washers and dryers, wristwatches, baby monitors, and toys. Almost all cars made today have some form of Internet connectivity. Even medical devices and health/fitness apps count as IoT.

Each of these devices carries with it known vulnerabilities. Alexa and other home assistants have been known to record conversations without any such deliberate request from their owners. Smart thermostats and locks have been exploited by domestic abusers looking to trap and torture their victims. Baby monitors and smart toys have invited creepers to look in on sleeping babes and record interactions with said wee ones. And cybercriminals have used IoT devices to snatch or modify patient data and penetrate hospital networks, not unlike the methods used to access the casino’s high-roller database.

The pandemic only sweetened the pot for cybercriminals looking to take advantage of the hasty shift to remote work, which was (and still is) reliant on IoT, cloud computing, and users’ security hygiene to function smoothly. Add to that a home assistant all-too-eager to record company secrets shared over Zoom meetings, and you have the recipe for a much-weakened security perimeter.

Yet organizations — nay, entire industries — have jumped on the IoT bandwagon, with adoption skyrocketing over the last few years and projections showing continuing growth through the middle of the decade. Right now, about 40 percent of companies are deploying IoT within their business infrastructures, according to Eclipse Foundation’s 2020 IoT Commercial Adoption survey. Meanwhile, Microsoft’s 2020 IoT Signals Report states that 1 in 3 decision makers plan to up their IoT investments.

Certain industries are mostly responsible for driving growth in organizations’ IoT adoption rates. The industrial sector, including manufacturing, agriculture, and retail, will account for over 70 percent of all IoT connections in just three years, according to Juniper Research. Technologies such as smart cities, factory automation, precision farming, and e-commerce will contribute to such growth.

One industry particularly impacted by IoT is healthcare. The global healthcare IoT market is expected to reach $14 billion by 2024, says Zion Market Research, driven largely by healthcare facilities’ growing use of cloud computing and medical management apps. To protect patients from potential exposure to COVID-19, virtual appointments for non-emergency care have become the norm, and smart thermometers now scan patients for fever, a telltale symptom of the virus.

In addition, the global IoT medical device market is growing steadily at a rate of about 15 percent between 2019 and 2025 and is expected to generate around $63 million by 2025 (Zion Market Research). IoT is likely to transform conventional paper-based healthcare by simplifying access to real-time patient data and remote monitoring. From diagnostic biotech to smart pills that automate administration of medication, there’s no shortage of IoT applications in the medical field.

Between all of this IoT use at home and in the office, as well as in manufacturing, agriculture, retail, and healthcare, the lack of strong security protocols only introduces more and more opportunities for cybercriminals to penetrate organizations’ defenses. That’s why it’s important for individuals, business owners, developers, and IT and security teams to understand how to protect IoT devices as they’re being built and once they’ve been deployed.

For an overview of why IoT security is so lacking, plus a few recommended solutions for boosting IoT defenses, check out this blog on Malwarebytes Labs:

By Marcin Kleczynski

CEO of Malwarebytes