How an IoT hack could be a line from a modern-day cartoon

For movie buffs and television fans, some lines are enduring classics. For example, how many times have you heard the phrase “Step away from the vehicle” in one form or another? From movies like The Saint (1997) and Herbie Fully Loaded (2005), to television classics like Law & Order: Special Victims Unit, That 70s Show, Blue Bloods and JAG, this is a phrase that has endured.

The fun part is that the audience usually knows what’s coming next – common responses include someone running away, driving away or pulling a gun on the police officer issuing the command.

In contrast, there is not a standard response to this command: “Step away from the fish tank – it’s locked and loaded!” – which is perhaps why it’s not yet become part of movie and television history.

However, a fairly recent incident in which 10 gigabytes of data was stolen from a casino suggests there might in fact be a very good reason to step away from the fish tank, and towards the relevant threat intelligence experts instead. So how did the phrase “Step away from the fish tank!” come to enter this narrative?

Well, as they say in some movies (usually the animated ones), once upon a time: ‘There was a casino somewhere in the US, and this casino had, as one of its soothing background features, a rather impressive fish tank, which was linked to the internet for remote monitoring, temperature and salinity adjustment, and feeding schedules for the fish. It was a very lovely and fairly unusual example of the Internet of Things (IoT).

One day, the beautiful, smart IoT fish tank was attacked by hackers, who used the internet to infiltrate the fish tank system and thereby the bigger network of the casino, from which they stole 10GB of data before, finally, the intelligence experts managed to establish that the ‘smart’ fish tank installed in the casino was being used as a conduit to hack data.’

Doesn’t that sound like the most remarkable type of modern fairy tale? You can almost see the animation studios jumping up and down to get their hands on the script! But the thing is, says Bryan Hamman, Arbor Networks’ territory manager for Sub-Saharan Africa, it’s simply not a story, however modern it might sound – it’s based in reality, albeit of the most far-fetched kind.

Hamman says, “This interesting story showcases some points about data that are good to remember. Firstly, we are reminded about the value of data – hackers go after data because it’s valuable, and can be used for gain. In this case, there were the casino patrons’ personal and financial details potentially at stake. Secondly, we remember that hackers today are resourceful, and IoT only adds to their possible exploitation points. Thirdly, once they’re into the system, they’ll find a way to get the data out.

“In the case of the fish tank, its internet communications with the casino’s network seemed to continue as normal. However, in addition to the normal operations, the fish tank system was also sending data to a remote server in Finland. It was a clear case of data exfiltration, and a very clever one at that.”

Hamman notes that the ongoing growth in the number of online devices will lead to potential system compromises and security risks in the most unusual ways, as outlined above. “The greater the expansion of the internet, the more scope there is for hackers to infiltrate internet-connected devices, which may include PCs, servers, mobile devices and IoT devices, and then infect and control them through malware.

“The fish tank example is obviously a very unusual case – more ‘routine’ IoT devices which can be hacked generally include webcams, digital video recorders (DVRs), and cable and satellite television set-top boxes. The lesson to learn is that, while the IoT brings the promise of efficiency and innovation to the enterprise, it also profoundly expands the threat surface for your organisation.”

Arbor Networks notes that IoT devices are attractive to attackers ‘because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all. Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that they’re being exploited by threat actors to launch attacks.’

Hamman concludes, “In these times of expanding IoT surfaces, organisations are advised to defend against malware attacks, including Distributed Denial of Service (DDoS) attacks, by implementing best current practices for DDoS defence and making sure that they have complete visibility into all traffic entering and leaving from their networks.

“Other advice includes practical suggestions like changing the default password of your IoT device once it’s been installed, and placing IoT devices onto separate networks to limit the number of routes into your network. Nobody wants their company to enter digital history under the title of ‘World’s Weirdest IoT Hacks’, but this day could well be coming – I don’t think that the fish tank hack is going to remain an unusual incident for too much longer.”
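
The incident described above, where the fish tank's normal traffic continued while it also sent data to an unfamiliar remote server, is the kind of pattern that per-device egress visibility can surface. The sketch below is an added example, not part of the original article: it compares each device's outbound destinations and volumes in an observation window against a baseline window of equal length. The device names, addresses (documentation ranges) and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (device, destination, dst_port, bytes_out).
# Device names and addresses (RFC 5737 documentation ranges) are hypothetical.
BASELINE_FLOWS = [
    ("fishtank-ctl", "192.0.2.10", 443, 18_000),   # vendor monitoring service
    ("fishtank-ctl", "192.0.2.10", 443, 22_000),
    ("fishtank-ctl", "192.0.2.53", 123, 400),      # time sync
    ("lobby-cam-1", "192.0.2.80", 443, 900_000),
]
OBSERVED_FLOWS = [
    ("fishtank-ctl", "192.0.2.10", 443, 20_000),   # normal traffic continues
    ("fishtank-ctl", "192.0.2.53", 123, 400),
    ("fishtank-ctl", "203.0.113.77", 443, 4_000_000),  # never seen in baseline
    ("fishtank-ctl", "203.0.113.77", 443, 6_500_000),
    ("lobby-cam-1", "192.0.2.80", 443, 950_000),
]


def totals(flows):
    """Sum outbound bytes per (device, destination) pair."""
    out = defaultdict(int)
    for device, dst, _port, nbytes in flows:
        out[(device, dst)] += nbytes
    return dict(out)


def find_egress_anomalies(baseline_flows, observed_flows, volume_factor=3):
    """Flag destinations a device never used in the baseline window, and
    known destinations whose outbound volume exceeds volume_factor times
    the baseline total. Assumes both windows cover the same length of time."""
    baseline = totals(baseline_flows)
    alerts = []
    for (device, dst), nbytes in sorted(totals(observed_flows).items()):
        if (device, dst) not in baseline:
            alerts.append((device, dst, nbytes, "new-destination"))
        elif nbytes > volume_factor * baseline[(device, dst)]:
            alerts.append((device, dst, nbytes, "volume-spike"))
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(alert)
```

Placing IoT devices on a separate network segment, as advised above, makes this kind of baseline far easier to maintain because each device should only ever talk to a handful of destinations.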