How Safe Is Your Fish Tank?

how safe is your fishtank
What on earth is this one about, I hear you ask? The Internet Of Things, that’s what; those millions of things that connect to the internet, like your home central heating, your toaster, webcams, children’s toys and yes, even fish tanks, allowing them to send you messages and alerts, or to be controlled and managed from your smartphone.

“Hackers are a resourceful bunch, and they’ll look for any weakness that can be exploited to break in to a computer network. Once they’re IN, they’ll use any available method to get the data they discover OUT.”

Forbes, July 27, 2017

There is a story from a couple of years back about a casino in Vegas that was hacked using this rather unique exploit. The casino had recently installed a new remote monitoring system for their fish tanks which allowed the temperature, salinity and food to all be controlled automatically. Since to be able to do that it had to be connected to the internet, it was a ripe target to be hacked – and promptly was.

The problem was not that the attackers might use the exploit to feed the fish too much food, but that the device was not isolated from the rest of the casino network. Using it as a doorway, the attackers stole 10GB of data from the casino’s computer systems, sending it offsite in a way that made it look like media streaming.

The story highlights the dangers of allowing weak and insecure devices onto an otherwise secure network.

Devices like these usually have minimal if no security attached to them. Once you are in, you can then use them to leapfrog onto the things you really want to get to. This is called a ‘man in the middle’ attack, where you hack something to indirectly get to something else. (For fans of Mr Robot, this is exactly what the lead character did to bring down the secure backup facility. By placing a small device onto the network, he was able to take down the facility’s heating system and thus destroy all the backups stored inside.)

In 2015, Hacker News revealed that millions of devices, including home routers, were using the same encryption keys hard-wired into the devices themselves. If you get those keys, then you don’t just hack one device, you can get at hundreds of thousands of them.

“When [they] scanned the Internet … the researchers found that at least 230 crypto keys are actively being used by more than 4 Million IoT devices.

Moreover, the researchers recovered around 150 HTTPS server certificates are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.”

Hacker News, November 27, 2015

When we say to clients ‘you shouldn’t connect devices to your network without telling us’ we’re not trying to be difficult, we’re just aware that these things are vulnerable and that caution needs to be exercised.

IP Cameras have notoriously low levels of security. Network printers can be easily exploited, and often contain a password to your server and/or an email account for scanning. We always change the default passwords on these devices for this reason, though the push back we get sometimes from the print management company for doing so is hard to believe unless you genuinely don’t care about security.

If you’re not taking your printer security seriously, someone else might be.

Another good example is separating your phone system from your main network. VOIP phones are a great example of devices that communicate through the internet, and which as a result can be accessed and controlled from somewhere external – that’s how they ring when someone calls you!

It’s not particularly far-fetched that one of these phones, on your computer network, could be used to try to access your server.

Consider the payoff; an attacker trying to hack into one phone is very unlikely. But, an attack using a common exploit on millions of phones is something else. Like phishing emails, no one is targeting you specifically. They’re just throwing enough out there in the knowledge that at least some of them are going to generate a response. Combine this with an automated use of lists of common passwords tried on every computer on that same network, plus perhaps opening some ports on your router for the service to work, and before long you’re going to be able to get something out of it.

The moral of the story? Be careful what you connect to your network.

The IoT has all sorts of good things going for it, but it also has the potential to bring you a lot more trouble than you bargained for. Security is only as good as the weakest link, and if you do want to connect insecure devices there are ways to do it that do not compromise all the good security you have by placing a back door right in the middle of it.  

Useful Links


Hacker News :

Video: The Wolf, feat. Christian Slater. “If you’re not taking your printer security seriously, someone else might be”:

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox

Further reading

Information Security

You can’t have IT without Security!

There, we said it, but what does that mean and perhaps more importantly, what does it mean for our customers?

Read More »

To Save or to Auto Save?

Save as you go. If ever there was a golden rule of working with computers, this is it. Anyone who has ever worked on a document before losing their progress to an application crash or power cut knows only too well the dangers of not saving your work. So the introduction of Auto Save in Office seems to be, on the face of it, an absolute gem. But how does it work and what if you need to turn it off?

Read More »

How to reset your Windows Hello PIN

Windows Hello allows you to unlock your PC or Laptop using a PIN instead of a password, or if you have biometric inputs, facial recognition or a fingerprint. This is considered more secure than a password, even though it’s less complex, because it’s unique to the device you are using, and doesn’t leave the device to be authenticated somewhere else.

Read More »
Scroll to Top