Aug 10, 2020

Tonight, You Sleep With The (Flash Frozen and Overnighted) Fishes


You may have seen this headline from a couple of years ago: “Criminals Hacked A Fish Tank To Steal Data From A Casino”

It could be argued that the closest we had to someone hacking into a company through an innocuous system was in Mr Robot season 1, episode 5, when Elliot (the protagonist) installs a Raspberry Pi behind an electrical panel in an Evil Corp (the antagonist) bathroom. The show has regularly been applauded for its use of real-world hacking techniques in its episodes.

And then, of course, Vegas, because really, where else could it happen? The casino in question had a fish tank so large and so complex that its systems were controlled by professionals at the other end of an internet connection: monitoring, feeding, adjusting salinity and temperature and so on. It certainly beats my goldfish bowl.

The tank got its internet connection via the casino’s existing network, which meant the tank became that network’s weakest link. Attackers used this vulnerable IoT device as a foothold, moved from it onto the rest of the network and siphoned off gigabytes of casino data. Ocean’s 11 doesn’t seem quite so out of the question any more.
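The fish tank case is, at bottom, a device that should only ever have talked to its vendor’s cloud suddenly talking to internal file servers and shipping gigabytes out. The example below is added here to show what that looks like as a detection check; it is not Armis code and not from the original post. The flow records, the device address 10.20.0.50, the vendor endpoint 203.0.113.10, the exfiltration host and the volume threshold are all constructed assumptions.

```python
"""Flag an IoT device that leaves its expected traffic pattern.

Added example, not Armis code. Every address, the policy and the
thresholds below are assumptions made up for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records: (src, dst, dst_port, bytes_out).
# 10.20.0.50 is the hypothetical tank controller on the casino LAN.
FLOWS = [
    ("10.20.0.50", "203.0.113.10", 443, 12_000),          # vendor cloud telemetry
    ("10.20.0.50", "203.0.113.10", 443, 9_500),
    ("10.20.0.50", "10.10.0.5", 445, 4_000),              # SMB to a file server
    ("10.20.0.50", "10.10.0.9", 3389, 2_100),             # RDP to a workstation
    ("10.20.0.50", "198.51.100.77", 443, 6_000_000_000),  # ~6 GB to an unknown host
    ("10.10.0.5", "10.10.0.9", 445, 80_000),              # ordinary corporate traffic
]

INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed policy: the device talks only to its vendor endpoint over HTTPS
# and a tank controller has no business uploading more than 100 MB a window.
POLICY = {
    "device": "10.20.0.50",
    "allowed_peers": {("203.0.113.10", 443)},
    "max_bytes_out": 100_000_000,
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def analyze(flows, policy):
    """Return findings for the policed device only.

    - a flow to an internal host not in the allowlist is lateral movement
    - a flow to an external host not in the allowlist is unexpected egress
    - total outbound bytes above the threshold is a volume anomaly
    """
    findings = []
    bytes_out = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if src != policy["device"]:
            continue  # other hosts' traffic is out of scope for this check
        bytes_out[dst] += nbytes
        if (dst, dport) in policy["allowed_peers"]:
            continue
        kind = "lateral_movement" if is_internal(dst) else "unexpected_egress"
        findings.append(Finding(kind, f"{src} -> {dst}:{dport}"))
    total = sum(bytes_out.values())
    if total > policy["max_bytes_out"]:
        findings.append(Finding("volume_anomaly", f"{total} bytes out in window"))
    return findings


if __name__ == "__main__":
    for f in analyze(FLOWS, POLICY):
        print(f.kind, f.detail)
```

The allowlist is the important part: an IoT device’s legitimate peers are usually a short, fixed list, so anything outside it is worth an alert. The same list is what you would enforce at the network edge, by putting devices like this on their own segment with egress permitted only to the vendor endpoint, so that the first SMB or RDP connection from the tank is dropped rather than merely logged.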

This real-life case shows that what we once dismissed as Hollywood fantasy is now happening for real. Consider the delivery of your online shopping by some of your favorite couriers. Many of them now offer 30-60 minute delivery slots. In some cases you can see the van’s location on a map and how many stops it has before yours. This works by real-time monitoring of the van’s location, correlated with other data such as delivery drops, traffic and routes.

Given the fish tank example, it doesn’t require a leap of faith or a suspension of disbelief to see that these systems could become targets for criminals. Entire shipments could be re-routed into areas prepared for a hijack. Temperature-controlled equipment could be tampered with, destroying food or medical supplies as a precursor to further economic disruption.

Protecting the supply chain, and specifically the role of IoT within it, is of vital importance. The commodification of large swathes of the electronics industry means that many of the tools in commercial use are also available to anyone with an Amazon account. That lets anyone search these systems for vulnerabilities, leverage the weaknesses they already have and create new, previously unimagined methods of attack.

Many of these devices ship with poor default security, hardcoded credentials and out-of-date firmware, which makes all of this harder still to address. So much so that the UK Government (like many others around the world) has published a Code of Practice for Consumer Internet of Things Security for manufacturers. Talk about having to get Mum and Dad in to sort out this mess!

If you think the solution is to disconnect these products from the internet and perhaps manage them “in-house” as it were, there are (at least) two problems:

  1. The IoT world is thriving because it can leverage extensive, centralized cloud infrastructure that takes the administration and technical overhead away from you as the user. Take that away, and those bulbs and switches become financially out of reach for the average homeowner.
  2. In a word, Stuxnet. Although not an IoT system, the Iranian uranium enrichment facility was wholly disconnected from the internet, yet the worm still got in, carried across the air gap on removable media by good old human fallibility. Social engineering is going to be around for as long as humans are a part of the system; there will be vulnerabilities, human, technical or otherwise, for the foreseeable future.

IoT security is going to be a high priority not just for consumers, but for the companies that make them, industries that use them and Governments that pick up the pieces after them.

I know this because the computer inside my hallway mirror told me so.
