There’s always a way in.
There’s a term that’s caught on in recent years, one that’s increasingly relevant to cybersecurity: the “internet of things.” The term refers not to the internet as people commonly understand it, but rather, to the internet-equipped network of physical appliances, devices, and other pieces of practical tech that people don’t often think of as being hackable.
But hackers can indeed target them, like when a casino got its high-roller list hacked by someone who accessed the water temperature thermometer in a fish tank.
As Business Insider detailed this week, a cybersecurity CEO named Nicole Eagan―she runs the firm Darktrace―told a story during the WSJ CEO Council in London this week about how one prominent casino suffered a serious data breach thanks to an aquarium thermometer.
“The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud,” Eagan said.
Internet of Leaky Things: "Hackers stole a casino's high-roller database through a thermometer in the lobby fish tank" https://t.co/kQhiIe6wBU
— Walter Olson (@walterolson) April 15, 2018
It’s not known which casino Eagan was talking about, which makes sense since it presumably wouldn’t want its cybersecurity woes being put on blast for the whole world to hear. But it’s a compelling reminder that devices which include internet connectivity for any purpose are theoretically vulnerable to being hacked or compromised.
This isn’t the first time a Darktrace executive has mentioned a thermometer hack of this sort, either. Last year, as The Washington Post noted, Darktrace included reference to the hack in a report, and the company’s director of cyber intelligence, Justin Fier, specifically mentioned it.
“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” Fier said. Once again, the name of the casino was not revealed, although it was reportedly based out of North America. It would probably be an embarrassing story for the casino if its identity were ever revealed, and it would probably paint a bright bullseye on its fish tanks for more unexpected hacks in the future.