How Safe Is Your Fish Tank?

how safe is your fishtank
What on earth is this one about, I hear you ask? The Internet Of Things, that’s what; those millions of things that connect to the internet, like your home central heating, your toaster, webcams, children’s toys and yes, even fish tanks, allowing them to send you messages and alerts, or to be controlled and managed from your smartphone.

“Hackers are a resourceful bunch, and they’ll look for any weakness that can be exploited to break in to a computer network. Once they’re IN, they’ll use any available method to get the data they discover OUT.”

Forbes, July 27, 2017

There is a story from a couple of years back about a casino in Vegas that was hacked using this rather unique exploit. The casino had recently installed a new remote monitoring system for their fish tanks which allowed the temperature, salinity and food to all be controlled automatically. Since to be able to do that it had to be connected to the internet, it was a ripe target to be hacked – and promptly was.

The problem was not that the attackers might use the exploit to feed the fish too much food, but that the device was not isolated from the rest of the casino network. Using it as a doorway, the attackers stole 10GB of data from the casino’s computer systems, sending it offsite in a way that made it look like media streaming.

The story highlights the dangers of allowing weak and insecure devices onto an otherwise secure network.

Devices like these usually have minimal if no security attached to them. Once you are in, you can then use them to leapfrog onto the things you really want to get to. This is called a ‘man in the middle’ attack, where you hack something to indirectly get to something else. (For fans of Mr Robot, this is exactly what the lead character did to bring down the secure backup facility. By placing a small device onto the network, he was able to take down the facility’s heating system and thus destroy all the backups stored inside.)

In 2015, Hacker News revealed that millions of devices, including home routers, were using the same encryption keys hard-wired into the devices themselves. If you get those keys, then you don’t just hack one device, you can get at hundreds of thousands of them.

“When [they] scanned the Internet … the researchers found that at least 230 crypto keys are actively being used by more than 4 Million IoT devices.

Moreover, the researchers recovered around 150 HTTPS server certificates are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.”

Hacker News, November 27, 2015

When we say to clients ‘you shouldn’t connect devices to your network without telling us’ we’re not trying to be difficult, we’re just aware that these things are vulnerable and that caution needs to be exercised.

IP Cameras have notoriously low levels of security. Network printers can be easily exploited, and often contain a password to your server and/or an email account for scanning. We always change the default passwords on these devices for this reason, though the push back we get sometimes from the print management company for doing so is hard to believe unless you genuinely don’t care about security.

If you’re not taking your printer security seriously, someone else might be.

Another good example is separating your phone system from your main network. VOIP phones are a great example of devices that communicate through the internet, and which as a result can be accessed and controlled from somewhere external – that’s how they ring when someone calls you!

It’s not particularly far-fetched that one of these phones, on your computer network, could be used to try to access your server.

Consider the payoff; an attacker trying to hack into one phone is very unlikely. But, an attack using a common exploit on millions of phones is something else. Like phishing emails, no one is targeting you specifically. They’re just throwing enough out there in the knowledge that at least some of them are going to generate a response. Combine this with an automated use of lists of common passwords tried on every computer on that same network, plus perhaps opening some ports on your router for the service to work, and before long you’re going to be able to get something out of it.

The moral of the story? Be careful what you connect to your network.

The IoT has all sorts of good things going for it, but it also has the potential to bring you a lot more trouble than you bargained for. Security is only as good as the weakest link, and if you do want to connect insecure devices there are ways to do it that do not compromise all the good security you have by placing a back door right in the middle of it.  

Useful Links

Forbes: https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

Hacker News : https://thehackernews.com/2015/11/iot-device-crypto-keys.html

Video: The Wolf, feat. Christian Slater. “If you’re not taking your printer security seriously, someone else might be”: https://www.youtube.com/watch?v=U3QXMMV-Srs

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter.
Get the best IT tips and Office ideas in your inbox.

We promise to keep your information safe. Unsubscribe at any time. Read our privacy policy.

Further reading

How to Spot a Fake Email, Part 2: The Anatomy of a Scam

In our post on how to spot a fake email, we covered some easy ways to identify the spams, scams and spoofs that inevitably land in your inbox.

But it’s not easy to write one post covering everything. And it’s not uncommon for us to receive a few reports a day from our clients of scamming: there’s a lot of it out there, much of it increasingly hard to identify.

That’s why we’re going to break it down further today and take you through the anatomy of a scam email.

Read More »
how to tame your inbox

How To Regain Control of Your Inbox

Remember the days when your inbox was all shiny and new and empty? When every email arrived with an excited “ping” and you enthusiastically dove in to read and reply? 

Us neither.

Let’s face it, most inboxes nowadays are more like tentacled sea-monsters. They have you in their grasp, not the other way around. They’re uncontrollable. They’re scary.

Read More »
why you need multifactor authentication

Why Use Multi-Factor Authentication?

As we move increasingly towards online services, securing your account is more important than ever.

While computer viruses still exist, they’re no longer the route of choice for hackers to get control of your data. Instead, the prevalence of online services means that the bad guys are targeting your cloud services, such as your email and file storage.

Read More »

Cookie Notice

This website uses cookies to ensure you get the best experience on our website. Learn More.

it support team macnamara on the case

Want the best IT tips & ideas?

Subcribe to our mailing list and get top IT tips & tactics in your inbox.

Scroll to Top