Once, there was a casino with an awesome fish tank that required a lot of monitoring to keep it operating efficiently for the fish. Enter the Internet of Things…
The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.
OK, that’s kind of cool. We can monitor the situation with the tank without having to actually get into it and maybe disrupt whatever is going on in the casino. One small problem though: an internet-connected fish tank is surely going to attract some attention, and it did.
“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence.
Yes, someone hacked into the fish tank monitoring PC, and used it to poke around and steal data from the rest of the network.
Amusing? Sure. Also, informative.
There are a ton of IoT devices that are not very secure. In this case, it’s a fish tank monitoring PC, the kind of thing that is extremely likely to get overlooked when it comes to security, because it’s not really integral to the business. (Note though, no one asked the fish about how integral it was to them. They may have felt differently.) But why are these devices not segregated from the other parts of the network? Why wasn’t the fish cam on a guest wireless access point or something like that, firewalled off from the data that would actually be worth stealing? Given that we don’t know what data was stolen, or which casino it was, it is possible that it was segregated away and the only information stolen was historical data about the tank, so I’ll reserve judgement in this case, but it’s important to always ask yourself this question.
Connecting it to the internet might be cool, but why have it on the same connection as the stuff that you really need to protect? There’s no reason for that. That’s how your security ends up sleeping with the fishes. (Oh, that was awful…)