Casinos hacked through a thermostat in an aquarium
Aquarium at the entrance to the Silverton casino hotel in Las Vegas (the hacked casino had something similar)
If you need to penetrate the local network of a well-protected casino, what would you do in the hacker's place? Try to find out the passwords of users and the admin? Gather biographical information about employees, send them personal letters on behalf of relatives with attachments they will surely open, and plant a Trojan? Scan the server ports exposed to the outside? Yes, these methods have been effective for targeted attacks in the past, and some are effective now. The problem is that corporate IT infrastructure is ready to repel such attacks. The security department long ago introduced authorization through cryptographic tokens, so the admin password alone will not get you anything. Therefore, hackers are looking for new attack vectors.
A huge help comes from Internet of Things (IoT) devices. At first glance these are harmless: wireless thermostats, temperature sensors and lighting controllers, smart meters, surveillance cameras, smart air conditioners and many other devices connected wirelessly to a local network and controlled remotely. It is through them that penetration happens. This is not a theoretical but a very real threat. Moreover, stories of successful hacks that followed exactly this scenario sometimes leak to the press.
The executive director of Darktrace, which specializes in information security, Nicole Eagan recently told the visitors of the London-based WSJ CEO Council Conference about one such case.
Hackers managed to penetrate the casino's local network and copy a high roller database (VIP players betting high stakes). This database is a trade secret and is of exceptional value to competitors. Perhaps the operation was ordered by those very competitors in order to lure the richest clients away.
According to the expert, the attackers gained access to the network through a wireless thermostat installed in the aquarium at the entrance to the casino. "The attackers used it to gain a foothold in the network," said Nicole Eagan. "Then they found the high roller database and pulled it out across the network."
Robert Hannigan, head of the British intelligence agency GCHQ in 2014-2017, spoke at the conference alongside Eagan. He agreed that attacks through IoT devices are becoming a growing problem for companies: "The Internet of Things generates thousands of new devices. In the coming years they will be pushed onto the Internet, which complicates the situation. I saw a bank that was hacked through its security cameras, because those devices were bought solely for their low cost."
The main problem: default passwords
Robert Hannigan believes that minimum security standards should be adopted for Internet of Things devices, because the market is not able to regulate itself by market methods alone. But even if this happens, there are still a few years of "chaos" ahead, when everyone will defend themselves as best they can. During this time, hackers will have many relatively simple ways in.
Recently, researchers from Ben-Gurion University (Israel) published an article analyzing the main vulnerabilities in smart home devices. They bought 16 popular commercial gadgets and learned how easy it is to hack them. The results are disappointing: for 14 of the 16 devices, it was possible to recover the password and connect the gadget to a botnet in less than 30 minutes. Initially the researchers planned to disassemble the devices and look for weak points in their protection, but it turned out not to be necessary. In the overwhelming majority of cases, the easiest way in was to find the default password.
As it turned out, most mass-market gadgets have simple default passwords that users rarely change. It is quite possible that the story of the thermostat in the casino aquarium is just such a case. Perhaps the casino owners had not taken care of reliable authentication of the thermostat on the network, for example through a secure PKI platform for IoT backed by hardware encryption modules.
Experts give such advice on the basic security of the Internet of things:
Buy IoT devices only from reliable manufacturers and vendors.
Avoid used devices.
Collect online information about each device: find out whether its default password is publicly known.
Set a strong password of at least 16 characters.
Do not reuse the same passwords.
Regularly update the software.
Carefully consider the benefits and risks of connecting the device to the Internet.
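The advice above can be turned into a routine check of your own device inventory. The following is an added example, not code from the article or from Darktrace or GlobalSign; it audits a constructed inventory against a constructed list of vendor defaults (placeholder credentials, not taken from any real product) and flags known default credentials, passwords shorter than 16 characters, and passwords reused across devices.

```python
# Added example: audit an IoT device inventory for default, short and
# reused passwords, following the basic-security advice in the article.
from collections import defaultdict

MIN_LENGTH = 16  # the article's recommended minimum password length

# Constructed list of vendor default credentials (placeholders only).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "password"),
}

# Constructed inventory: (device name, username, password).
INVENTORY = [
    ("aquarium-thermostat", "admin", "admin"),
    ("lobby-camera-1", "root", "Xk9#tZ2q!mP4vL7r"),
    ("lobby-camera-2", "root", "Xk9#tZ2q!mP4vL7r"),
    ("hvac-controller", "svc", "Short1!"),
    ("smart-meter", "meter", "W8r$Lq2n!Bv7Ht5zYc"),
]


def audit(inventory, known_defaults=KNOWN_DEFAULTS, min_length=MIN_LENGTH):
    """Return {device: [findings]} for every device that fails a check."""
    findings = defaultdict(list)
    by_password = defaultdict(list)  # password -> devices using it
    for device, user, password in inventory:
        by_password[password].append(device)
        if (user, password) in known_defaults:
            findings[device].append("default credential")
        if len(password) < min_length:
            findings[device].append(f"password shorter than {min_length}")
    # A password shared by two or more devices violates the no-reuse rule.
    for password, devices in by_password.items():
        if len(devices) > 1:
            for device in devices:
                others = ", ".join(d for d in devices if d != device)
                findings[device].append("password reused on " + others)
    return dict(findings)


if __name__ == "__main__":
    for device, issues in audit(INVENTORY).items():
        print(f"{device}: {'; '.join(issues)}")
```

Devices that pass every check are absent from the result, so an empty dictionary means the inventory is clean.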
Surely in the near future we will hear much more news about hacks as curious as the theft of a casino database through a thermostat in an aquarium.