It might have been a deleted scene from one of the Ocean’s Eleven movies. Data thieves hack into a major casino. They attack not through the main network but through a secondary one and, once inside, bootstrap their way into other parts of the casino network until they get lucky and find a cache of sensitive data, which they proceed to steal.
Unfortunately, the above scenario has happened in the real world.
Speaking at the Wall Street Journal CEO Council in London last Thursday Nicole Eagan, the CEO of cybersecurity company Darktrace, retold the story of how an aquarium thermometer in an unnamed North American casino’s lobby contained an exploitable vulnerability that allowed remote attackers to get onto the casino’s corporate network. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud,” she said during the panel discussion.
The story about the casino was widely reported last summer. “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech in July 2017. He said the attackers then exfiltrated the data to Finland before it was stopped.
“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” Eagan said on Thursday. “There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”
In general, internet-connected devices are very basic by design. Beyond using basic Wi-Fi protocols, which encrypt data in transit, IoT devices do not have very sophisticated security. Nor do many of them allow for updates and upgrades of their firmware or software. This creates a challenge: if a vulnerability were found, how would the vendor push out a fix? And, sadly, how many IoT vendors even bother to continue their software development lifecycle beyond release?
The common Wi-Fi protocols used to connect devices to the internet have changed over time as attackers have figured out new ways of breaking the encryption. In 2007, TJ Maxx suffered one of the largest data breaches in history, with 47.5 million accounts compromised. Attackers accomplished this by sitting in the parking lot of one of its stores and hijacking communications protected by the now-outdated WEP (Wired Equivalent Privacy) wireless encryption protocol as the store settled its credit card transactions with the credit card processor. The Payment Card Industry (PCI) council no longer allows its retail store members to use WEP with point of sale devices.
What happens if a device uses outdated software or protocols? What if that device is brought into an office environment? What if the device were intentionally brought in? In this case the aquarium at the unnamed casino had to use the local network. While it allowed remote temperature regulation for the exotic fish, it also contained a flaw that opened the door to an attack.
This, too, has happened before.
In 2013, Target suffered a data breach in which over 40 million accounts were compromised during the period between Black Friday and Christmas. A forensic exam later revealed that the criminals had entered the Target network through a remote access vulnerability within the company’s in-store Heating, Ventilation, and Air Conditioning (HVAC) system. The investigation found that the third-party HVAC system provider had both default and weak passwords on their network. Once the attackers realized that Target used this provider, they were able to guess the passwords and bootstrap their way onto the larger Target corporate network. There they poked around undetected until they found the cache of credit cards used by customers during the holiday season. In June 2014 Target Chairman, President, and CEO Gregg Steinhafel took the heat for the data breach and resigned.
The recent aquarium story offers two important takeaways.
One is that the internet of things is not inherently secure. Hooking every device to the internet without securing them first is unwise. These should be tested for known security flaws before being added to any network. We have been warned repeatedly about third-party vulnerabilities affecting a core network. Performing software composition analysis as part of the procurement process for any vendor or service should be due diligence for all.
The second takeaway is basic cybersecurity 101: segment your network. There is no reason that any third party should have direct access to the part of the corporate network containing the crown jewels. Be it high rollers’ data or credit card transactions, these sensitive parts of the network must be separate from the public-facing parts of the network used to interact with third-party vendors and the internet.
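To make the segmentation takeaway concrete, here is a small zone-based policy checker written for this article (example code, not from Darktrace or any casino network). It models the flat layout the aquarium attack relied on beside a segmented one and reports which probed paths can still reach the sensitive host; all zone names, addresses and the database port are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    ports: frozenset    # TCP ports the rule covers; empty means any port
    allow: bool

@dataclass
class Policy:
    zones: dict                  # zone name -> list of CIDR strings
    rules: list = field(default_factory=list)
    default_allow: bool = False  # what applies when no rule matches

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, nets in self.zones.items():
            if any(addr in ip_network(n) for n in nets):
                return name
        return "untrusted"

    def permits(self, src_ip, dst_ip, port):
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src == dst:
            return True          # same segment: nothing filters the traffic
        for r in self.rules:     # first matching rule wins
            if r.src == src and r.dst == dst and (not r.ports or port in r.ports):
                return r.allow
        return self.default_allow

def exposed_paths(policy, sensitive_hosts, probes):
    """(src, dst, port) triples that can reach a sensitive host under this policy."""
    return [(s, d, p) for s, d, p in probes
            if d in sensitive_hosts and policy.permits(s, d, p)]

# Constructed sample addresses: aquarium thermometer 10.0.1.20, HVAC vendor
# gateway 10.0.1.30, high-roller database 10.0.2.10, analyst workstation 10.0.3.5.
SENSITIVE = {"10.0.2.10"}
PROBES = [("10.0.1.20", "10.0.2.10", 1433), ("10.0.1.30", "10.0.2.10", 22),
          ("10.0.3.5", "10.0.2.10", 1433), ("10.0.3.5", "10.0.2.10", 22)]
# Flat network: every device shares one segment, so the thermometer reaches the database.
FLAT = Policy(zones={"lan": ["10.0.0.0/16"]})
# Segmented: IoT, corporate and the sensitive-data zone are separate; the only permitted
# cross-zone path is analysts to the database service port, everything else is denied.
SEGMENTED = Policy(
    zones={"iot": ["10.0.1.0/24"], "cde": ["10.0.2.0/24"], "corp": ["10.0.3.0/24"]},
    rules=[Rule("corp", "cde", frozenset({1433}), True)])
```

Running `exposed_paths(FLAT, SENSITIVE, PROBES)` lists every probe, while the segmented policy leaves only the analyst workstation on the database port; the same function can audit an exported rule set against a list of vendor and IoT addresses.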
A SANS white paper discusses other mitigations following the Target breach.
Also appearing on the Wall Street Journal panel with Darktrace last Thursday was Robert Hannigan. He ran the British government’s digital spying agency GCHQ from 2014 to 2017. Following Eagan’s aquarium anecdote, he said, “I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.” He concluded that IoT is “probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself. The problem is these devices still work. The fish tank or the CCTV camera still work.”