Sounding like something out of the Oceans 11 movie franchise, a fish tank was used to hack into a casino and steal data.
In 2017 it was reported that an unnamed North American casino had a fish tank on its premises. Attached to the tank were sensors to monitor temperature, cleanliness and food levels.
These sensors were connected to the internet to enable automated fish feeding and maintain environmental control.
Being an internet-connected fish tank in a casino, additional security measures were in place. However this security amounted to little, as the tank was compromised by hackers who used the tanks connectivity to get into the casino’s network.
The hackers managed to shift 10GB of data to a device in Finland. Although the type of data wasn’t disclosed – 10GB of anything being stolen via a fish tank is alarming.
While the case of the great fish tank hack isn’t the first case of cybercriminals abusing the Internet of Things, and it certainly won’t be the last, it does shine a light on how everyday items can be hacked.
Hacking the Internet of Things
More and more internet-connected items are being made available for use and hackers are finding new ways to access networks and data.
Many people think that internet connectivity comes just from computers, tablets and phones, but the Internet of Things (IoT) means there are more connections than ever. Think televisions, lighting, smartwatches, fridges, elevators, air conditioners, and even cars.
IoT growth is fast paced with Forbes reporting that by 2025 there will be approximately 80 billion devices connected to the internet.
Part of this growth is coming from children using internet-connected devices, ranging from tablets, fitness trackers and even dolls and figurines that enable users to interact with online tools.
Access to these devices and toys can also be gained by cybercriminals, as much of the firmware running on these devices is not secured and vulnerable to attack. Once they infiltrate the system, cybercriminals can obtain sensitive data, or even use the device to listen, watch or communicate.
An internet-connected smart doll named My Friend Cayla was banned from sale in Germany due to hacking concerns. The doll was capable of listening to children’s conversations and responding in real time – however Germany’s telecommunications watchdog – Federal Network Agency (Bundesnetzagentur), labelled the toy a “concealed surveillance device”.
While in the United States, the Federal Bureau of Investigation (FBI) warned families in a July 2017 statement about internet-connected toys, which could present privacy and contact concerns for children.
“The FBI encourages consumers to consider cybersecurity prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.”
“Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions.”
“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options.
“These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”
Even more concerning is vulnerabilities exposed in internet-connected medical devices. In 2017, the U.S. Food and Drug Administration (FDA) advised of cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers. The FDA confirmed that these vulnerabilities, if exploited, could allow an unauthorised user to access a patient’s device using commercially available equipment.
Once cybercriminals gained access to these cardiac devices, they could deplete the battery or administer incorrect pacing or shocks. The FDA said the vulnerability occurred in the transmitter that reads the device’s data and remotely shares it with physicians. Hackers could control a device by accessing its transmitter. Imagine the power this could provide cybercriminals and the fear inflicted on those exposed to the vulnerable devices.
Securing the Internet of Things
So whether it’s the latest and greatest toy, your new car or even that life saving device in your chest, consumers need to be mindful of their cybersecurity.
PC Mag has provided these four straightforward security IoT lessons that organisations and individuals should consider to protect themselves and their data:
- Devices that cannot have their software, passwords, or firmware updated should never be implemented.
- Changing the default username and password is recommended for the installation of any device on the internet.
- Passwords for IoT devices should be unique per device, especially when they are connected to the internet.
- Always patch IoT devices with the latest software and firmware to mitigate vulnerabilities.
What would a serious cybersecurity incident cost you or your organisation? Contact CyberHound today to find how our cybersecurity solutions can help.