Another high-profile IoT security breach has hit the headlines as hackers used a connected fish tank to steal data from a North American casino. What lessons can we learn?
The headline of this story might sound like a Hollywood movie, but the storyline is very real. Although the casino has not been named, Darktrace, the cybersecurity company that uncovered the breach, has revealed details of the hack.
A connected fish tank
Hooking up a fish tank to the internet in a home might seem somewhat lavish, but in a commercial setting it makes a lot of sense. A smart tank can be remotely monitored and alert someone when maintenance is required.
It can also reduce maintenance, as the controller can automatically adjust temperature and salinity, and even automate the release of feed. In the case of this casino, however, the same connectivity gave attackers a back door into the network, from which they reached a database believed to hold information about some of the casino's biggest spenders.
"The attackers used that to get a foothold in the network," Darktrace CEO Nicole Eagan said at a Wall Street Journal panel, as reported in this Mashable article. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."
The breach was only discovered once Darktrace began monitoring the casino's network. The unusual activity stood out almost immediately: the tank's controller was sending data to a remote server in Finland using a protocol normally reserved for streaming media. An aquarium has no reason to stream anything anywhere, let alone tens of megabytes to an unfamiliar host abroad, so the destination, the protocol and the volume were each out of character for the device.
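The signal Darktrace describes is a deviation from a per-device baseline rather than a known malware signature. The following Go program is an added illustration of that idea and is not Darktrace's code or anything the casino ran: it holds a constructed baseline for a tank controller (allowed destinations, allowed ports, largest normal upload) and flags summarised flow records that break it. The device name, the RFC 5737 test addresses and the flow sizes are all invented for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Flow is one summarised outbound connection from an internal device,
// the kind of record a flow collector or monitoring appliance produces.
type Flow struct {
	Device  string // internal host name
	DstIP   string
	DstPort int
	Proto   string // "tcp" or "udp"
	Bytes   int    // bytes sent from the device to the destination
}

// Policy is the declared or learned baseline for one device: where it may
// talk, on which ports, and the largest single egress it has ever needed.
type Policy struct {
	AllowedDst   []*net.IPNet
	AllowedPorts map[int]bool
	MaxBytes     int
}

// Alert pairs a flagged flow with every reason it was flagged.
type Alert struct {
	Flow    Flow
	Reasons []string
}

// mustCIDR parses a CIDR block or panics; used only for static policy data.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Evaluate checks each flow against its device's policy and returns the
// deviating flows. A device with no policy at all is flagged as well: an
// unknown talker on the network is itself worth a look.
func Evaluate(policies map[string]Policy, flows []Flow) []Alert {
	var alerts []Alert
	for _, f := range flows {
		p, known := policies[f.Device]
		if !known {
			alerts = append(alerts, Alert{Flow: f, Reasons: []string{"no baseline for device"}})
			continue
		}
		var reasons []string
		ip := net.ParseIP(f.DstIP)
		inAllow := false
		for _, n := range p.AllowedDst {
			if ip != nil && n.Contains(ip) {
				inAllow = true
				break
			}
		}
		if !inAllow {
			reasons = append(reasons, "destination outside allowlist")
		}
		if !p.AllowedPorts[f.DstPort] {
			reasons = append(reasons, fmt.Sprintf("unexpected %s/%d", f.Proto, f.DstPort))
		}
		if f.Bytes > p.MaxBytes {
			reasons = append(reasons, fmt.Sprintf("egress %d bytes exceeds baseline %d", f.Bytes, p.MaxBytes))
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{Flow: f, Reasons: reasons})
		}
	}
	return alerts
}

// SamplePolicies is constructed baseline data: the tank controller only ever
// reports to its vendor's cloud over HTTPS (203.0.113.0/24 is a test range).
func SamplePolicies() map[string]Policy {
	return map[string]Policy{
		"fish-tank-01": {
			AllowedDst:   []*net.IPNet{mustCIDR("203.0.113.0/24")},
			AllowedPorts: map[int]bool{443: true},
			MaxBytes:     8000,
		},
	}
}

// SampleFlows is constructed traffic: three routine telemetry uploads and one
// large transfer to an unfamiliar host on a streaming-media port (RTSP, 554).
func SampleFlows() []Flow {
	return []Flow{
		{"fish-tank-01", "203.0.113.10", 443, "tcp", 4100},
		{"fish-tank-01", "203.0.113.10", 443, "tcp", 3900},
		{"fish-tank-01", "198.51.100.77", 554, "tcp", 52000000},
		{"fish-tank-01", "203.0.113.10", 443, "tcp", 4300},
	}
}

func main() {
	for _, a := range Evaluate(SamplePolicies(), SampleFlows()) {
		fmt.Printf("%s -> %s:%d: %s\n", a.Flow.Device, a.Flow.DstIP, a.Flow.DstPort, strings.Join(a.Reasons, "; "))
	}
}
```

Only the third flow is reported, and it is reported for all three reasons at once, which is what makes the story's exfiltration so conspicuous once someone is actually looking at per-device behaviour rather than at the perimeter.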
Another vulnerability identified
The story is the latest in an increasingly public list of Internet of Things security breaches. We've written before that just one weak spot in one appliance can expose an entire home or business network to intruders. In 2016, security researchers uncovered a botnet, a network of compromised devices controlled remotely (in that case to send out spam), of over 100,000 devices, including smart televisions and even a smart fridge.
One Forbes contributor said of the casino hack, “Many of the connected devices for sale today are seriously lacking when it comes to security. They're under constant attack from the moment they're hooked up to the Internet and can fall under hacker control within minutes.”
IoT security principles
While there is an element of scaremongering in that statement, it is certainly true that plenty of IoT products ship with lax security. It is time to remind ourselves of the basic security principles for any connected product.
Security must be considered from the initial design stages; retrofitting it later usually proves far harder. Use well-proven standard security protocols rather than inventing your own, and where possible use end-to-end security between devices: intermediate devices can still relay traffic, but only the two endpoints should be able to read or modify it, and each device should hold only the keys and network access it actually needs. Had the tank controller in the casino been confined to its vendor's cloud endpoint, the high-roller database would not have been reachable from it in the first place.
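As an added example of what "end-to-end with relays that can only relay" looks like in practice (not code from the original article or any vendor), the Go program below seals a sensor reading with AES-256-GCM under a key shared only by the sensor and its controller. The routing header is authenticated as associated data, so a gateway can forward on it but cannot read the payload, alter it, or redirect it without the receiver noticing. The device names, route table and reading are constructed; key provisioning is stubbed with a random key and would be done at manufacture or by a key agreement in a real product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the unit a relay forwards: routing header in the clear,
// payload sealed so that only the addressed endpoint can read or alter it.
type Envelope struct {
	From, To string
	Nonce    []byte
	Sealed   []byte // AES-GCM ciphertext followed by the 16-byte tag
}

// NewKey returns a fresh 256-bit key. Each sensor/controller pair gets its
// own, so compromising one sensor yields nothing about another's traffic.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// header is authenticated but not encrypted: a relay that rewrites From or
// To invalidates the tag and cannot compute a new one without the key.
func header(from, to string) []byte { return []byte(from + "->" + to) }

// Seal encrypts plaintext from `from` to `to` under their pairwise key.
func Seal(key []byte, from, to string, plaintext []byte) (Envelope, error) {
	g, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	// A random 96-bit nonce is fine at sensor message volumes; a device that
	// sends billions of messages under one key should use a counter instead.
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	sealed := g.Seal(nil, nonce, plaintext, header(from, to))
	return Envelope{From: from, To: to, Nonce: nonce, Sealed: sealed}, nil
}

// Open verifies and decrypts; any change to nonce, payload or header, or
// the wrong key, yields an error and no plaintext at all.
func Open(key []byte, env Envelope) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Sealed, header(env.From, env.To))
}

var ErrNoRoute = errors.New("relay: no route to destination")

// Relay is a gateway that forwards by the clear-text header only. It holds
// no keys, so compromising it exposes metadata but never contents.
func Relay(routes map[string]string, env Envelope) (string, error) {
	hop, ok := routes[env.To]
	if !ok {
		return "", ErrNoRoute
	}
	return hop, nil
}

func main() {
	tankKey, _ := NewKey()
	env, err := Seal(tankKey, "tank-01", "controller", []byte("temp=24.5;salinity=1.024"))
	if err != nil {
		panic(err)
	}
	hop, _ := Relay(map[string]string{"controller": "gw-lan"}, env)
	fmt.Println("relay forwards to", hop, "seeing only", string(header(env.From, env.To)))
	pt, err := Open(tankKey, env)
	fmt.Printf("controller reads %q (err=%v)\n", pt, err)
	env.To = "attacker-box" // a hostile relay tries to redirect the reading
	_, err = Open(tankKey, env)
	fmt.Println("redirected envelope rejected:", err != nil)
}
```

The point of binding the header as associated data is that "relay" and "read" become separate privileges: the gateway needs the former to do its job and never gets the latter, which is the least-privilege split the principle above asks for.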
Read more: IoT Security: It’s time to talk
A strategy for updates
Being able to patch is essential. If you neglect this, you are simply storing up trouble for later. Have a scalable system in place to distribute updates easily, and ship them as quickly as possible to limit the window of exposure. For wireless embedded devices this typically means flash-based firmware with support for over-the-air (OTA) device firmware updates. The update channel is itself an attack surface, so the device must verify that every image is signed by the vendor before writing it to flash, and it should refuse to install a version older than the one already running, otherwise an attacker can "update" a patched device back to a vulnerable release.
A product that isn't patched is bad for business. Keep up to date on security flaws and patch before attackers can do any harm, ideally before your customers even realise they are vulnerable. Even the slightest chink in the armour can be enough to ruin the reputation of a product or brand.
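The two checks an OTA path needs, a vendor signature and anti-rollback, are small enough to show in full. The Go program below is an added example and not any vendor's update mechanism: the release pipeline signs a manifest (version plus SHA-256 of the image) with an Ed25519 key, and the device, which holds only the public key, verifies the signature before trusting anything in the manifest, then rejects stale versions and images that do not match the signed hash. The image contents, version numbers and key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels alongside the firmware image. The signature covers the
// version and the image hash, so neither can change without the vendor key.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the vendor signs and the device verifies.
func signedBytes(version uint32, h [32]byte) []byte {
	buf := make([]byte, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], h[:])
	return buf
}

// BuildManifest is the vendor-side step, run in the release pipeline where
// the private key lives. The device never holds the private key.
func BuildManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

var (
	ErrBadSignature  = errors.New("ota: manifest signature invalid")
	ErrRollback      = errors.New("ota: version is not newer than installed firmware")
	ErrImageMismatch = errors.New("ota: image does not match signed hash")
)

// VerifyUpdate is the device-side gate that runs before anything is written
// to flash. Signature comes first: until it checks out, not even the version
// field in the manifest is trusted.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2")
	m := BuildManifest(priv, 2, image)
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, m, image))
	fmt.Println("same v2 replayed onto v2: ", VerifyUpdate(pub, 2, m, image))
	fmt.Println("image altered in transit:  ", VerifyUpdate(pub, 1, m, append([]byte("evil"), image...)))
	m.Version = 3 // attacker edits the manifest without the key
	fmt.Println("manifest edited:           ", VerifyUpdate(pub, 1, m, image))
}
```

In a shipped product the installed version would come from a monotonic counter in protected storage rather than a mutable variable, and the public key would be baked into a read-only region or a secure element so that an attacker who gains code execution cannot simply swap it for their own.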
The future of IoT security
There's no doubt that IoT security is a hot topic, and it needs to improve as the world becomes ever more connected. Interest is growing in the use of blockchain to address the pressing challenge of IoT security: IDC forecasts that by 2020, up to ten percent of blockchain ledgers could be used for IoT.
Read more: Blockchain for IoT Security
Because it decentralises control, a blockchain-based protocol should in theory avoid a single point of failure and scale across many devices. Its ledger is tamper-evident by design, so records cannot be silently altered after the fact. That is a narrower guarantee than it sounds: it does nothing to stop a compromised device from submitting false readings in the first place, since the integrity of the ledger says nothing about the honesty of the sensor feeding it.
Whatever the future holds, there is no silver bullet for IoT security. The only way to safeguard data is to bake security into the design phase of your product. Decide upon the appropriate security level first, and only design the product's features afterwards.