Casino hacked through a thermostat in an aquarium



    Aquarium at the entrance to the Silverton Hotel and Casino in Las Vegas (the casino that was hacked had something similar)

    If you needed to penetrate the local network of a well-protected casino, what would you do in the hacker's place? Try to find out user and admin passwords? Gather biographical information about the employees and send them personal letters in the name of relatives, with personal attachments they are sure to open, and so install a trojan? Scan server ports exposed to the outside? Yes, these methods have been effective for targeted attacks in the past, and some still are. But the problem is that the computer infrastructure is prepared to repel such attacks. The security department has long since implemented authentication through cryptographic tokens, so the admin password will get you nothing.

    Therefore, hackers are looking for new attack vectors, and Internet of Things (IoT) devices are a great help to them. At first glance, these are harmless devices: wireless thermostats, temperature sensors and lighting controllers, smart meters, video surveillance cameras, “smart” air conditioners and many other devices connected wirelessly to the local network and controlled remotely. It is through them that the intrusion happens. This is not a theoretical threat but a very real one. Moreover, stories of successful hacks that followed exactly this scenario sometimes leak into the press.

    Nicole Eagan, the executive director of Darktrace, a company specializing in information security, recently told visitors to the WSJ CEO Council Conference in London about one such incident.

    Hackers managed to break into the casino's local network and copy the database of high rollers (VIP players who play at high stakes). This database is a trade secret and is of exceptional value to competitors. The operation may well have been ordered by competitors in order to lure the richest customers away.

    According to the expert, the attackers gained access to the network through a wireless thermostat installed in the aquarium at the entrance to the casino. “The attackers used this to gain a foothold in the system,” Nicole Eagan said. “Then we found the database of high rollers and pulled it from the network.”

    Robert Hannigan, head of the British intelligence agency GCHQ in 2014-2017, spoke at the conference alongside Eagan. He agreed that attacks through IoT devices are becoming an increasing problem for companies: “The Internet of things spawns thousands of new devices. In the coming years, they will be pushed onto the Internet, which complicates the situation. I saw a bank that was hacked through CCTV cameras because these devices were bought solely because of their low cost.”

    The main trouble is the default passwords


    Robert Hannigan believes that minimum security standards should be adopted for Internet of Things devices, because the market is not able to regulate itself through market mechanisms. But even if this happens, several years of “chaos” still lie ahead, during which everyone will defend themselves as best they can. During this time, hackers will have many relatively simple ways to break in.

    Recently, researchers from Ben-Gurion University (Israel) published a paper analyzing the main vulnerabilities in smart home devices. They bought 16 popular commercial gadgets and found out how easy they are to crack. The results are disappointing: for 14 of the 16 devices it was possible to find a password and connect the gadget to a botnet in less than 30 minutes. Initially, the researchers planned to disassemble the devices and look for weak spots in their defenses, but this turned out to be unnecessary. In the vast majority of cases, the easiest way was to find the default password.

    As it turned out, most mass-market gadgets have simple default passwords that users rarely change. The story of the thermostat in the casino aquarium may be just such a case. Perhaps the casino owners did not take care to authenticate the thermostat on the network reliably through a secure PKI platform for IoT that uses hardware encryption modules.

    Experts offer the following basic security tips for the Internet of Things:

    1. Buy IoT devices only from reliable manufacturers and vendors.
    2. Avoid used devices.
    3. Look up information on each device online to find out whether its default password is publicly known.
    4. Set a strong password of at least 16 characters.
    5. Do not reuse the same passwords.
    6. Regularly update the software.
    7. Carefully consider the benefits and risks of connecting your device to the Internet.
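
    Tips 3 to 5 can be checked mechanically against a device inventory. The following Python audit is an added example, not part of the original article; the device names, models, credentials and the KNOWN_DEFAULTS table are all constructed for illustration.

```python
from collections import defaultdict

MIN_LENGTH = 16  # tip 4: at least 16 characters

# Constructed table of vendor default credentials: model -> {(user, password)}.
# Assumption: in practice this is filled from vendor manuals (tip 3).
KNOWN_DEFAULTS = {
    "acme-thermostat-t1": {("admin", "admin")},
    "acme-cam-c2": {("root", "12345")},
}

def audit(inventory):
    """Return {device_name: [findings]} for tips 3-5; passwords never appear in the output."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    # A default of any model is a poor choice on every other device too.
    all_default_pw = {pw for creds in KNOWN_DEFAULTS.values() for _, pw in creds}
    for dev in inventory:
        name, pw = dev["name"], dev["password"]
        by_password[pw].append(name)
        if (dev["user"], pw) in KNOWN_DEFAULTS.get(dev["model"], set()):
            findings[name].append("default credentials for this model")
        elif pw in all_default_pw:
            findings[name].append("password is a known default of another model")
        if len(pw) < MIN_LENGTH:
            findings[name].append(f"password shorter than {MIN_LENGTH} characters")
    # Tip 5: report reuse by naming the other devices, not the shared secret.
    for names in by_password.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"password reused on: {others}")
    return dict(findings)

# Constructed inventory (hypothetical devices and credentials).
SAMPLE = [
    {"name": "lobby-aquarium", "model": "acme-thermostat-t1", "user": "admin", "password": "admin"},
    {"name": "cam-entrance", "model": "acme-cam-c2", "user": "root", "password": "Vq7!mZp2#Lr9@xTb4"},
    {"name": "cam-vault", "model": "acme-cam-c2", "user": "root", "password": "Vq7!mZp2#Lr9@xTb4"},
    {"name": "hvac-floor2", "model": "acme-thermostat-t1", "user": "ops", "password": "c0rrect-h0rse-battery-st4ple"},
]

if __name__ == "__main__":
    for device, issues in audit(SAMPLE).items():
        print(device, "->", "; ".join(issues))
```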

    The default password is not the only point of failure in the security of IoT devices. Attackers can also take advantage of vulnerabilities in the applications used for remote control. For example, unauthorized access to a robot vacuum cleaner gives the attacker a full video tour of the victim’s house.


    Surely in the near future we will hear plenty more news about hacks as interesting as the theft of a casino database through a thermostat in an aquarium.


