How Safe Is Your Fish Tank?

What on earth is this one about, I hear you ask? The Internet Of Things, that’s what; those millions of things that connect to the internet, like your home central heating, your toaster, webcams, children’s toys and yes, even fish tanks, allowing them to send you messages and alerts, or to be controlled and managed from your smartphone.

“Hackers are a resourceful bunch, and they’ll look for any weakness that can be exploited to break in to a computer network. Once they’re IN, they’ll use any available method to get the data they discover OUT.”

Forbes, July 27, 2017

There is a story from a couple of years back about a casino in Vegas that was hacked using this rather unique exploit. The casino had recently installed a new remote monitoring system for their fish tanks which allowed the temperature, salinity and food to all be controlled automatically. Since to be able to do that it had to be connected to the internet, it was a ripe target to be hacked – and promptly was.

The problem was not that the attackers might use the exploit to feed the fish too much food, but that the device was not isolated from the rest of the casino network. Using it as a doorway, the attackers stole 10GB of data from the casino’s computer systems, sending it offsite in a way that made it look like media streaming.

The story highlights the dangers of allowing weak and insecure devices onto an otherwise secure network.

Devices like these usually have minimal if no security attached to them. Once you are in, you can then use them to leapfrog onto the things you really want to get to. This is called a ‘man in the middle’ attack, where you hack something to indirectly get to something else. (For fans of Mr Robot, this is exactly what the lead character did to bring down the secure backup facility. By placing a small device onto the network, he was able to take down the facility’s heating system and thus destroy all the backups stored inside.)

In 2015, Hacker News revealed that millions of devices, including home routers, were using the same encryption keys hard-wired into the devices themselves. If you get those keys, then you don’t just hack one device, you can get at hundreds of thousands of them.

“When [they] scanned the Internet … the researchers found that at least 230 crypto keys are actively being used by more than 4 Million IoT devices.

Moreover, the researchers recovered around 150 HTTPS server certificates are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.”

Hacker News, November 27, 2015

When we say to clients ‘you shouldn’t connect devices to your network without telling us’ we’re not trying to be difficult, we’re just aware that these things are vulnerable and that caution needs to be exercised.

IP Cameras have notoriously low levels of security. Network printers can be easily exploited, and often contain a password to your server and/or an email account for scanning. We always change the default passwords on these devices for this reason, though the push back we get sometimes from the print management company for doing so is hard to believe unless you genuinely don’t care about security.

If you’re not taking your printer security seriously, someone else might be.

Another good example is separating your phone system from your main network. VOIP phones are a great example of devices that communicate through the internet, and which as a result can be accessed and controlled from somewhere external – that’s how they ring when someone calls you!

It’s not particularly far-fetched that one of these phones, on your computer network, could be used to try to access your server.

Consider the payoff; an attacker trying to hack into one phone is very unlikely. But, an attack using a common exploit on millions of phones is something else. Like phishing emails, no one is targeting you specifically. They’re just throwing enough out there in the knowledge that at least some of them are going to generate a response. Combine this with an automated use of lists of common passwords tried on every computer on that same network, plus perhaps opening some ports on your router for the service to work, and before long you’re going to be able to get something out of it.

The moral of the story? Be careful what you connect to your network.

The IoT has all sorts of good things going for it, but it also has the potential to bring you a lot more trouble than you bargained for. Security is only as good as the weakest link, and if you do want to connect insecure devices there are ways to do it that do not compromise all the good security you have by placing a back door right in the middle of it.  

Useful Links

Forbes: https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

Hacker News : https://thehackernews.com/2015/11/iot-device-crypto-keys.html

Video: The Wolf, feat. Christian Slater. “If you’re not taking your printer security seriously, someone else might be”: https://www.youtube.com/watch?v=U3QXMMV-Srs

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter.
Get the best IT tips and Office ideas in your inbox.

We promise to keep your information safe. Unsubscribe at any time. Read our privacy policy.

Further reading

Better Web Privacy – Browsers, Trackers & Blockers

Surfing the web in private is a minefield.

Everywhere you go, something is watching you, tracking your search results and the pages you visit.

And more often than not the goal is to target you with advertising based on the things that you’re probably interested in (probable because hey, that’s what you’ve been looking at isn’t it?)

Read More »
travel booking apps for business

Trip planning? Try these 5 must-have travel apps.

If you’re in charge of booking staff travel, you know all too well how time-consuming it can be. 

How do you find a flight that gets there on time and in budget? How do you search multiple airlines and booking platforms at the same time? 

How do you avoid sneaky fees, confusing information and misleading quotes? And how do you keep track of all the travel details once everything is booked?

Read More »
sharing office password security

Is it ever a good idea to share office passwords?

At first glance the answer is obvious. No, of course we should never share our passwords, why would we? 

I agree and yet, here’s an oddity: we often encounter small companies where password sharing is common. It may not be obvious at first but with a little digging the practice turns out to be the norm. 

In fact, anecdotally, I would say offices in which some degree of password sharing goes on are more common than those that absolutely ban it.

Read More »

Cookie Notice

This website uses cookies to ensure you get the best experience on our website. Learn More.

it support team macnamara on the case

Want the best IT tips & ideas?

Subcribe to our mailing list and get top IT tips & tactics in your inbox.

Scroll to Top