You don’t need a group of eleven charming criminals led by a dashing mastermind to bring down a casino; all you need is a fish tank connected through the Internet of Things. In the cybersecurity community, the fish tank hack is a legend. The identity of the casino and the data itself have never been released for security reasons, but an enterprising hacker was able to use an IoT-connected fish tank to gain access to a casino’s high-roller database, exporting the data through a thermostat in the tank. The story has become a parable for IoT security, where new laws passed by Congress hope to finally make a difference.
“This one is the most entertaining and clever thinking by hackers I’ve seen,” Hemu Nigam, founder and CEO of Cyber Security Affairs, told The Washington Post.
The problem started with a smart fish tank. This wasn’t some personal fish tank hanging out in an executive’s back office; it was a high-tech fish tank installed as an attraction for guests in the casino’s lobby. The tank’s IoT connection allowed it to remotely monitor temperature and salinity and to automate feedings. To keep these communications separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data, according to a report on the incident from cybersecurity experts Darktrace. Occasionally the device would communicate with other connected devices throughout the casino, nothing too out of the ordinary. It wasn’t until Darktrace’s threat detection systems noticed the device was exporting a large amount of data that they had a real problem. By the time the hack was discovered, the tank had sent roughly 10 GB of data to Finland using a transfer protocol typically used for audio and video, a clear case of exfiltration. The casino had been hacked.
The attack is notable for its subtlety. By targeting a new, unconventional device on the casino’s network, the threat managed to avoid scrutiny from the casino’s traditional security tools. These security tools are only as good as the assumptions they make, and not many security experts are creative enough to imagine a fish tank hacking a casino. Therein lies the problem. Security measures can only prepare for known vulnerabilities; it’s hard to fight what you don’t know is there. All appeared nominal with the fish tank until an anomaly was detected, tipping off experts for further investigation. By then it was too late.
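The detection that eventually caught the tank was behavioural: a device that normally sends a trickle of telemetry to a known peer suddenly pushed a large volume to an unfamiliar destination over an unfamiliar protocol. The following is an added example (not Darktrace’s code and not from the original article) of the two simplest checks behind that idea, run over constructed flow summaries: a per-device allow-list of expected peers and protocols, and a median-based egress baseline that flags any hour whose outbound volume is far above the device’s norm. Device names, the destination address (from the 203.0.113.0/24 documentation range) and all byte counts are constructed for illustration.

```python
"""Egress-anomaly check for IoT devices over constructed flow summaries.

Added example for illustration; the records below are invented, not real
traffic from the incident described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    hour: int        # hour index within the observation window (constructed)
    src: str         # source device name (constructed placeholder)
    dst: str         # destination host or address (constructed placeholder)
    proto: str       # application protocol label as seen by the sensor
    bytes_out: int   # bytes sent by src during that hour


# Constructed sample records: a steady vendor-telemetry pattern, one local
# MQTT exchange, then a single hour of very large egress to an unknown host
# over a streaming protocol, which is the shape the article describes.
SAMPLE_FLOWS = [
    Flow(0, "fish-tank", "vendor-cloud.example", "https", 40_000),
    Flow(1, "fish-tank", "vendor-cloud.example", "https", 38_000),
    Flow(2, "fish-tank", "vendor-cloud.example", "https", 41_000),
    Flow(3, "fish-tank", "vendor-cloud.example", "https", 39_500),
    Flow(4, "fish-tank", "local-hvac", "mqtt", 2_000),
    Flow(5, "fish-tank", "203.0.113.7", "rtp", 10_000_000_000),
    # A second device with consistent, expected behaviour (control case).
    Flow(0, "lobby-display", "cdn.example", "https", 500_000),
    Flow(1, "lobby-display", "cdn.example", "https", 520_000),
    Flow(2, "lobby-display", "cdn.example", "https", 480_000),
]

# Allow-list of (destination, protocol) pairs each device is expected to use.
# In practice this comes from the device's documented purpose and network
# design, e.g. the isolated VPN the casino set up for the tank.
EXPECTED_PEERS = {
    "fish-tank": {("vendor-cloud.example", "https"), ("local-hvac", "mqtt")},
    "lobby-display": {("cdn.example", "https")},
}


def hourly_egress(flows):
    """Total bytes sent per (device, hour)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.hour)] += f.bytes_out
    return totals


def baseline(flows, device):
    """Median hourly egress for one device over the window.

    A median is used rather than a mean so that a single exfiltration hour
    cannot drag the baseline up and hide itself.
    """
    totals = hourly_egress(flows)
    hours = [v for (d, _h), v in totals.items() if d == device]
    return median(hours) if hours else 0


def find_anomalies(flows, expected=EXPECTED_PEERS, ratio=10.0):
    """Return (device, hour, reasons) for flows that violate either check.

    Check 1: the (destination, protocol) pair is not on the device's allow-list.
    Check 2: the hour's egress exceeds `ratio` times the device's median hour.
    """
    alerts = []
    for f in flows:
        reasons = []
        if (f.dst, f.proto) not in expected.get(f.src, set()):
            reasons.append(f"unexpected peer/protocol {f.dst}/{f.proto}")
        base = baseline(flows, f.src)
        if base and f.bytes_out > ratio * base:
            reasons.append(f"egress {f.bytes_out} bytes > {ratio:g}x baseline {base:.0f}")
        if reasons:
            alerts.append((f.src, f.hour, reasons))
    return alerts


if __name__ == "__main__":
    for device, hour, reasons in find_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {device} hour {hour}: " + "; ".join(reasons))
```

Only the tank’s hour-5 flow is reported, and it trips both checks at once: the peer is off the allow-list and the volume is several orders of magnitude above the device’s median hour. The allow-list is the stronger control, because it does not depend on a threshold, but it only works if someone actually wrote down what the device is supposed to talk to when it was installed, which is exactly the assumption the article says nobody had made for a fish tank.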
“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” Darktrace CEO Nicole Eagan told the audience at WSJ’s CEO Council Conference. “There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”
Connecting all of our things to the internet does create a huge vulnerability. Baby monitors, webcams, medical devices, cars, robotic vacuums, sex toys, printers, smart TVs, and childhood dolls, all on the IoT, have all been hacked. The joke in the industry is that the “S” in IoT stands for security. With no regulations or minimum security standards, every new device added to the network is an exercise based more on trust than on security. With IoT devices on track to exceed 21 billion by 2025, the problem is growing at a scale regulators cannot keep up with.
A newly enacted US law hopes to change the threat landscape around IoT. The Internet of Things Cybersecurity Improvement Act of 2020, known as the “IoT Act,” mandates cybersecurity standards and guidelines for devices acquired and used by the federal government. While the new law is not industry regulation, the hope is that contractors who manufacture IoT devices for federal government use will create a higher standard that generates spillover impact on corporate use cases. The National Institute of Standards and Technology (NIST) has been developing IoT security practices for years but offers only voluntary guidelines. Those guidelines will now be enforced through federal purchasing laws.
Set to go into effect starting December 2020, the bill requires manufacturers who produce IoT devices and software for use by the federal government to meet NIST standards. Any organization that uses IoT should reconsider how these standards impact its own compliance. Chief technology officers, chief information security officers, and others responsible for the safety of data on their building’s network should convene to review whether following the new standard set by federal agencies affects their own risk reduction strategies.
“While IoT devices used on government networks are important, legislation mandating the security of all IoT devices would have gone further in providing a more comprehensive approach to IoT device safety,” Terence Jackson, Chief Information Security Officer at Thycotic, told Security Magazine. “This may in fact create increased sales for companies as they may introduce ‘government’ grade IoT devices that will cost more. It will be interesting to see if companies improve the security of their consumer-grade products as a result of this standard.”
Security is finally working its way into IoT. Most companies will likely want the option of being used by government agencies, so even though the law would only affect a small set of the devices in the world, it could cause a shift in the entire industry. For many organizations, it might already be too late. Billions of old devices are already installed, and most of them will not be updated to make them more secure. In the end, the hardest thing about stopping hacks is that you never know where and how they are going to find a way into a system. Who knows what the next fish tank will be?