A cybersecurity executive has revealed that hackers used an Internet of Things (IoT) connected fish tank thermostat to gain access to a casino's high-roller database. Darktrace CEO Nicole Eagan told the story to an audience in London last week.
“The attackers used that to get a foothold in the network,” she explained. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.” The incident raises awareness about the security of IoT objects.
IoT devices vulnerable
“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” said Eagan. “There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”
Some of these flaws have been highlighted by Israeli researchers who found that many off-the-shelf home devices could be remotely accessed using default factory passwords. Other incidents of security flaws include smartphone applications that are used to monitor household applications.
It has also been reported that hackers have been able to access the camera on robot vacuum cleaners and use it to tour the interior of a home. The former head of the British government’s digital spying agency, Robert Hannigan, says the sheer scale of IoT-connected devices is part of the problem.
“With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem,” Hannigan said. “I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.”
He goes on to suggest that there needs to be some sort of government regulation around the industry. “It’s probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself,” he said. “The problem is these devices still work. The fish tank or the CCTV camera still work.”
Hacker verbally abused woman through webcam
Late last year a woman posted a video of a hacker speaking to her via her private webcam. The Dutch woman first noticed that her off-the-shelf webcam began to move on its own soon after installing it in her home.
Worried it had been hacked, she unplugged the camera. When she turned it back on to show a friend, the camera started moving again before a male voice started to ask her questions. The hacker asked if the woman spoke French. After she replied that she spoke English, the unknown digital intruder mocked her accent, saying “Hola Senorita”.
The distraught woman screamed at the hacker via the webcam to leave her house, before the male voice verbally abused her. The woman shared the video of the incident on Facebook. She wrote: “I walked into the living room and I saw my camera move. The camera went back and forth. I had no idea what he was doing. Was it updating? All of a sudden, I heard a rumble. The camera turned my way, and I heard, ‘bonjour madame’. I moved to the left and right, and the camera came with me.”
In a statement following the incident the manufacturer of the camera issued a notice advising all customers to change the default ID password and use a strong WiFi password.