Penetrating a Casino's Network through an Internet-Connected Fish Tank

Attackers used a vulnerability in an Internet-connected fish tank to successfully penetrate a casino's network.

BoingBoing post.

Posted on August 4, 2017 at 6:22 AM • 47 Comments

Comments

AlexT August 4, 2017 6:48 AM

Any idea what OS the fish tank is running...!?

Seriously I'd love to learn more in this one... I can't imagine it was hooked to a production network.

parabarbarian August 4, 2017 11:03 AM

"Any idea what OS the fish tank is running...!?"

From what I've read, they got in using the PC the tank sensors were attached to. That implies a Windows platform.

Ph August 4, 2017 11:04 AM

Any sysadmin who puts IoT devices in the same subnet with the same firewall rules should be sacked for incompetence imho.

Who? August 4, 2017 11:20 AM

@ AlexT, parabarbarian

Don't know about the operating system, but it seems there was not a Puffy in the fish tank!

The idea of controlling a fish tank using a small computer and sensors is fine, but I would have chosen a small low-power computer (a Raspberry Pi, a Beaglebone, an Arduino...) running a simple operating system (a small BSD or Linux) to monitor it. Networking the entire thing and, even worse, connecting it to the main network used by the casino is not a clever idea.

A small computer should be able to take the same corrective actions as a big and insecurely networked one and, if the only action possible is sending an email to the fish tank maintainer, a similar goal may be achieved by displaying a few tips on an LCD display near the tank.

My guess is that if they are foolish enough to connect a huge IoT device to the casino's main network (an IoT device is not necessarily small and lightweight!) they must have a lot of other exploitable mistakes on their network right now.

JDM August 4, 2017 12:38 PM

Connecting to their network via the internet was probably the easiest way. Connecting to their network would be to monitor, and possibly change, conditions in the tank from a central management point. In a large business that makes some sense - much more than your home fish tank being networked for instance, although even there you have the advantage of monitoring it while you're away on a trip for instance. But it needs to be done well, and compartmentalized.

Wael August 4, 2017 12:54 PM

I see we're gonna have a field-day with puns here!

@Me,

But I thought Blowfish encryption was secure?

Me too! The tank had Two fish in it. They added a few more fish, and the rest is history. Case in point: cascading cipher algorithms isn't necessarily more secure.

@Bill,

Talk about a phishing attack!

+1

Bill August 4, 2017 1:08 PM

@Me: But letting Ernst Stavro Blofeld anywhere near your network is a bad plan. He'll just use it to take over the world.

@Wael: Red fish is OK, blue fish is better.

albert August 4, 2017 1:16 PM

'...hacked through [insert name of IoT device here]...'

@Jim,
I would assume that fish tanks are maintained by an outside agency, and a big selling point would be to handle the maintenance 'automatically' (with casino security only having to provide access). Certain tasks have to be done on a periodic basis, like replacing/cleaning filters. Others, like replacing sensors, are done as needed. Like most big business, the casino doesn't want responsibility for -anything-, especially replacing fish that die as a result of poor maintenance.
..

The more important the system, the more complex it is, and the likelihood of attack is greater.
..

@Ph,
Of course we'll probably never get enough details to know, but that's the beauty of the whole computerization thing; no one is liable. Businessmen don't know the tech, so they can't judge, and God forbid, you ever get into court!

IT pros need to keep accurate records of bad management decisions for their own protection. As a former boss used to say: "Send him an email and copy the world."

@Who?,
Of course you would; you're an expert! Many companies, even large ones, are loath to hire experts. They'd rather contract out the automation. The 'lowest bidder' approach doesn't guarantee expertise. Your proposal is OK, as long as the 'password' isn't 12345!

@AlexT,
Dollars to donuts says the casino runs Windows. What's the problem connecting another whatever OS to a Windows network? It was probably another default password thing.

I don't know what records the hackers got away with, but a business that takes in a lot of cash is more likely to underreport income. Like secret offshore bank accounts, those sorts of records don't get recorded on the server, in theory, that is.

. .. . .. --- ....

Clive Robinson August 4, 2017 1:58 PM

It's not just computer networks...

A little story from the early days of VoIP, home working and a PABX and a receptionist replacement gizmo.

There was a company that had a medium sized light industrial unit in a science park. They had growing pains caused by a lack of space and a lease that was just a little too expensive to get out of with a year or so to run.

The office had a PABX with spare ports which becomes the villain of the story. As space got short the reception area got shrunk to a small lobby by building office space where the reception area was. To get around the lack of receptionist problem they installed an electronic lock and entry phone device to the front door which plugged into a spare port on the PABX. Thus when the entry phone button was pressed it used the "night service" to ring all the extensions, so that anyone on an extension could pick up an extension and could talk to the person at the door. Pressing "0" would unlatch the door so they could get into the lobby.

Part of the changes to the reception area meant the fire evacuation routes changed, which in effect put push bar latches on a door in the office behind the new office into the warehouse area that would then allow emergency exit out of the back of the building.

But the pressure on space went up and some of the design engineers started homeworking and shared desk rotation. The home workers were provided with mobile phones to call into the office when they needed to. Two of the software engineers decided to move abroad, one to France the other to Singapore, but still work for the company. It was decided to put in a VoIP system, which worked fine except for conference calls. So the VoIP system got connected as extensions to the PABX.

Nobody realised the implication of this at first... Then one day the engineer in France picked up her extension to discover she had a parcel delivery person on the phone, without thinking she buzzed him in...

He wandered in and as it was lunch time and somebody's birthday both the new office and the office behind it were open but unattended. The delivery man walked into the warehouse as he normally did and put down the parcels and it was only by luck that a contractor was there.

On looking into the problem later it was discovered that the VoIP unit had a bug and would take any Internet side connection. A little experiment was carried out with an early Smart Phone VoIP client and it was discovered you could connect to it, press the door entry talk button, answer it on the Smart Phone and then buzz yourself in...

It was very very shortly after that I was contacted and asked if I could sort out an emergency solution there and then. I found a two step solution, first reprogram the PABX so it no longer night serviced the door entry phone but had a restricted call group. Secondly replace the defective VoIP unit...

As they say "Even the best laid plans of mice and men...".

Clive Robinson August 4, 2017 2:37 PM

Reading through the article the second to last paragraph says,

    As for what people can do to protect themselves against these kinds of attacks, customers should educate themselves about IoT products and take advantage of any security protection the product offers, Nigam said. He added that people should use the latest operating systems and software and constantly update them.

It's rather pointless advice.

Firstly many IoT devices are becoming "thin clients" with all the major functionality being carried out on some server in a foreign country half way around the globe. The company in effect controls the working of the device not the person who purchased it. Even if you are paying the company a fee, as we saw the other day, the company can change its mind about what it does with the data it has collected, not the purchaser.

Secondly the "use the latest operating systems and software and constantly update them" is actually not the reasonable advice it once was. The unholy debacle that Microsoft has repeatedly caused with Win10 and its forced telemetry should make anyone stop and think about that advice. Microsoft in effect turned other versions of Windows security updates into Trojaned Horses carrying their Win10 malware downloader installer and tried to force consumer users into an unwanted and in some cases damaging upgrade. It won't be long before other major software suppliers go down a similar route.

The problem as people have found is they don't own the devices they are paying for. The same applies to entertainment systems such as TVs. Other manufacturers are doing similar with white goods kitchen appliances. And farmers have found the tractors they purchased from John Deere are not theirs. Thus the same is probably heading for you in a family car real soon now.

My old two system advice still applies: one as totally disconnected as you can to do your private work on, and one older system running some CD/DVD based OS to go browsing with. With luck you will be able to use older hardware that is not adulterated with flash devices in the IO.

Clive Robinson August 4, 2017 2:47 PM

@ Wael,

I see we're gonna have a field-day with puns here!

You could be subtle and twist a Skein into the thread of this story.

But be careful what you do with the thread, and do not stray into the realm of "macrame" after all it is "the art of getting knotted" ;-)

Wael August 4, 2017 5:17 PM

an Internet-connected fish tank

If I were to hack it, I would use the tank as a lens, then focus it on one of the tables and "get prepared" for the next round. Using computers in a casino to "assist" in game decisions carries a jail sentence! They call that cheating!

@Jim,

Why in the world does anyone need an internet-connected fish tank?

Must be the same casino with IoT commodes

From the article:
He added that people should use the latest operating systems and software and constantly update them.

Rrrrriiiiiight!

@Clive Robinson,

You could be subtle and twist a Skein into the thread of this story.

Come on! You know what happens when I try to be subtle! I mis-say things and you punish me immediately[1]! I'm, most of the time, as subtle as a freight train. But, let me give it a try:

I'm not as subtle as John Marwood Cleese. See? There is a fine line between subtlety and obscurity.

[1] Can't find the link where I said: "I went with Occam a few times and was not disappointed" and you replied: "You should be careful how you state that. You nearly made me spray the room with tea". Perhaps my search string isn't perfect. Memory fading... Next stop: Alzheimer!

Systate August 4, 2017 5:34 PM

Clive Robinson
lol you should be working for an advertisement company.

I was thinking separate your network.
IoT - Network A
Non-IoT - Network B

Even though I heed your wisdom but it is not just possible for a lot of people I know to give up their IoT devices. They think I am paranoid. I can only imagine what they tell you, your bp must go through the roof! His advice might suck but with the money being pumped into IoT, it is here to stay.... Except you have the cash to counter it or come up with a more profitable and secure alternative.

My only problem with the livecd. You can't update a livecd, you need to burn a new one. Tails have a set date for update but if Debian finds a vulnerability, you need to burn another one. I can't even update the software that comes with the livecd.

tyr August 4, 2017 9:45 PM


I thought the whole reason for a fishtank
was so the could be spied upon. I seem to
recall that UseNet used to be a hive of
fish fanciers with hardened opinions.

Clive Robinson August 5, 2017 4:27 AM

@ Systate,

I can only imagine what they tell you, your bp must go through the roof!

No Coke & Mentos like fountains of blood out the ears yet but there have been times when it's been close.

The problem is that IoT has fallen into its own self created tar pit of being cheaper than alternatives. Which means it has to chase its own tail in speedily decreasing circles... As I've noted there is only so far you can go in that direction without losing money.

Therefore you get the real evil of near zero cost comms coming into play. To be a company's product not a customer you have to give freely of your data, if the IoT device is fully self contained, not only is it more expensive to make it can easily be stopped from sending data back. If it's not fully self contained the hardware is less costly to make, has lower support costs as most of the fancy stuff is back in the company's computers. Importantly this means not only does the company get your data as an extra income stream they can turn you into a subscriber and hit real pay dirt...

This by the way is the way the tablet and pad markets are moving as well (see ChromeBook etc). You end up owning not a lot and having to pay over and over whilst hemorrhaging PII that is either ill protected or will be by law (see UK Politico Amber Rudd's recent comments). Thus various Government Guard Labour entities will be privy to it.

This will have a knock on effect which you are starting to see in the Health Insurance Industry. Initially incentives will be given for handing over fitness information. Supposedly you will get discounts for being fit. In fact the opposite will happen the charging system will be rigged to exclude those who are not unfit but unhealthy. When Governments get their hands on such data they likewise will use it as a revenue raising system, which will fall heavily on those that can least afford them.

It's the way of the future "Fines are the new taxes" and that only goes one way, towards more draconian legislation to raise more income to reduce taxes. The wealthy will of course be easily able to "arms length" themselves from fines by getting the low paid to do their dirty work.

People may say "they wouldn't" but history shows otherwise. Thus the only way to stop it happening is not to play in the first place.

People that have a real financial or personal interest in maintaining privacy such as those whose livelihood depends on it or they are in effect being stalked by the MSM and worse are usually on the "bleeding edge" of the problem thus do take an interest in privacy and protecting themselves. It's the large group that believe the "If you've done nothing wrong you've nothing to hide" nonsense who are the real enemy as they are in effect the willing sacrificial offerings that become the enablers of such policies...

As someone noted the way you sell a fridge to an eskimo is to first get him hooked on beer and the myth that it needs to be at an exact temperature of cool, and only a fridge can do it without worry...

With regards,

My only problem with the livecd. You can't update a livecd

That is the argument for its security strength. It used to not be a problem when computer mags used to push livecd's of the likes of 32bit Puppy Linux. You could use it on a 386 upwards, thus "Grand Papies old HP computer" made when HP still had the "Instrument manufacturer" ethos was ideal as it in effect came with its own TEMPEST hardening.

The other thing with the magazine CDs was if there was anything wrong with them there were "many eyes looking" and it would become known fairly quickly.

There are ways you can make your own liveCDs but as you note it's not something you would try to do with a LiveCD itself (although you can with some if you have two CD/DVD drives and enough RAM). I've been known to use internet cafes for downloading then use a sacrificial machine elsewhere to make the live CD, but I have other measures in place, and the liveCDs I make are not used for Internet connection.

LiveCDs make the point that security actually gets harder as time goes on without any other factors such as increase in complexity of code.


Who? August 5, 2017 11:21 AM

@albert

I'm not an expert, just someone with a little (sometimes very little) common sense. If the computer attached to the fish tank can automatically correct any problem with relation to the tank then there is no need to be connected to the Internet—the computer must fix the problem, period. If the computer cannot correct an issue by itself then it does not make sense sending an email to someone that may be hundreds of kilometers away, just display a warning on a small screen so people that work in the Casino can take the required steps to fix the issue.

I love technology, I love computer networks, I love the Internet. It just does not make sense connecting everything to public networks*. Why do that?

I think that, in some way, Internet has evolved in the wrong way since the beginning of the 90s. I am not talking about the NSA and mass surveillance this time. I am talking about how protocols have become more and more convoluted, how technology has become more difficult to understand (not from the end-users point of view, where it is becoming easier to use each day, but from a technical standpoint). In the past, all was simpler. At that time, Internet had high quality computers, clever users, and valuable contents. The only improvement we have seen in these years is that now anything is designed to be secure (even if "secure" is most times just a buzzword without real meaning).

A lot of times I miss that old Internet I joined when it had less than two million users. It was a nice community at that time!

*To me the Trojan Room coffee pot made a lot of sense, it was a nice experiment. Connecting everything to the Internet, on the other hand, does not make sense at all.

Tatütata August 5, 2017 2:27 PM

Clive,

There is a video of the hack of a GSM-based entrance phone system, where a BS-emulator would induce the device to home on to it. Any outgoing call to any number would be forwarded to the same extension. So the hacker comes in, pushes the button for a random apartment, waits for the call to complete, and opens the door himself.

At one of my first jobs the PA system was a mere extension that would pick up the call and connect with the loudspeakers through ~200 employees without any warning. I don't remember whether the extension was dialable from outside, but it did happen a few times that unsuspecting callers would be transferred to that number. You could hear them breathing, humming and talking until they eventually got tired of being put on "hold".

dj August 5, 2017 9:55 PM

A leaky fish tank? Somebody borrowed a page from the script of the 1999 South Korean thriller "Shiri" ...

albert August 6, 2017 12:03 PM

@Who?,

Megafishtanks are very popular. There's even a TV series about them. Big, busy businesses (like casinos) don't want to deal with -anything- not business related, so the fish tank supplier handles everything for them. Small (portable, non-custom) tanks may not even be owned by the business, they may be (like trees, plants and flowers* in malls or big buildings) leased. The leasor (lessor) assumes maintenance duties.

The tank company requires only:
1. Wifi access
2. Building access as needed

It's simple, easy, and possibly insecure:)

--------
*I expect plants are already Internet-connected:

"Joe, get to the Mall, the peonies are complaining about kids peeing in them."

Wael August 6, 2017 12:13 PM

John Marwood Cleese. See? There is a fine line between subtlety and obscurity.

John Marwood Cleese --> A Phish Called Wanda

Clive Robinson August 7, 2017 10:51 AM

@ Wael,

John Marwood Cleese --> A Phish Called Wanda

If you said Lady Guest wife of the 5th Baron of Saling (Essex, England and alumni of Spinal Tap) I would have made the connection immediately.

Poor Pun August 7, 2017 4:27 PM

why wasn't it in a sandbox? All the data will have been ex-filterated by now and be well off-shore, even if it went by snail-mail.

CW August 7, 2017 9:39 PM

@Wael,

[1] Can't find the link where I said: "I went with Occam a few times and was not disappointed" and you replied: "You should be careful how you state that. You nearly made me spray the room with tea".

The original was posted here on August 16, 2016, with the heading

    "Major NSA/Equation Group Leak".

Wael August 8, 2017 1:35 AM

@CW,

Thanks!

Original quote:

That nearly caused me to spray the room with tea... Perhaps you want to rephrase that B-)

I searched for:

"You should be careful how you state that. You nearly made me spray the room with tea".

I think I mixed up two replies. I'm losing it; I used to remember things verbatim :(

Haven't heard from you since 2012. Or have I gotten that wrong as well?

Wael August 8, 2017 1:55 AM

@Clive Robinson,

If you said Lady Guest wife of the 5th Baron of Saling (Essex, England and alumni of Spinal Tap) I would have made the connection immediately.

Subtle reply: Of course!

Not so subtle reply: Don't you stiff-upper-lip me! I know your upper lip trembled like a leaf when you saw "John Marwood Cleese" and couldn't make the connection :)

But in all fairness, it was too obscure.

Clive Robinson August 8, 2017 1:34 PM

@ Wael,

I know your upper lip trembled like a leaf..

And you have not said who the 5th baron of Sailing is, not who his august wife is...

So I suspect "tis yar lip ah trembling" ;-)

cg August 8, 2017 1:57 PM

  • They're professional gamblers.
  • They're responsible for their own security.

RCW 4.24.070

Recovery of money lost at gambling.

All persons losing money or anything of value at or on any illegal gambling games shall have a cause of action to recover from the dealer or player winning, or from the proprietor for whose benefit such game was played or dealt, or such money or things of value won, the amount of the money or the value of the thing so lost.

[ 1957 c 7 § 2; Code 1881 § 1255; 1879 p 98 § 3; RRS § 5851.]

NOTES:

Gambling: Chapter 9.46 RCW.

Wael August 8, 2017 2:29 PM

@Clive Robinson,

And you have not said who the 5th baron of Sailing is, not who his august wife is...

I couldn't decipher that one, and couldn't distract you from the fact! Ok, I suspect I'm not the o-o-o-only[1] one. Tell me, tell me.

"tis yar lip ah trembling" ;-) [...] A curse on the dam spell checker >:)

We know you're no spelling-bee champ and that your spell-checker is compromised.

[1] Lips trembling :(

Clive Robinson August 8, 2017 4:19 PM

@ Wael,

As you --should know-- "Wanda" who did the interesting walk around to Russian, was played by "The Queen of Scream" daughter of Psycho actress Janet Leigh and Tony Curtis. Well she married another actor Christopher Guest who she had first seen in a photograph taken from the film This is Spinal Tap, from which we get the joke about "turn it up to eleven" and the gag about the difference between ' and " when the stage set of the monolith is lowered and is not 18ft but inches. She saw it in "Rolling stone" magazine, which was the subject matter of the film "Perfect" that had not just very memorable photographs of her as an aerobics instructor, but a comment made by John Travolta that still gets used today.

She became "Lady Guest" when her husband inherited the title of Baron back in the late 1990's

Wael August 8, 2017 4:55 PM

@Clive Robinson,

As you --should know-- "Wanda"...

You're right, I should have known as I linked twice to one of her movies here. I didn't know her history, though (Jamie Lee Curtis.)

I know which links I shared, but my Google Fu is weak.

Dirk Praet August 8, 2017 5:00 PM

@ Fredric L. Rice

... all of the locals laughed at the tourists who think they're gambling when in reality all they're doing is handing over a percentage of their money to organized crime.

Hmm. I know people who have lost *everything* to their gambling addiction: their house, job, family and health. Even in the pub around the corner, I see people putting hundreds of euros a night into this stupid gambling machine that has become ubiquitous in plenty of bars because the profits of even one machine for the bar owner on an average month easily cover several months of rent and more.

I don't mind the occasional friendly wager, but for as far as I'm concerned, those machines for many people are the equivalent of hard drugs and - rigged or not - should be treated as such.

@ Wael

As you --should know-- "Wanda"...

My money was on the Lady Mondegreen 8-)

Clive Robinson August 8, 2017 5:42 PM

@ Dirk Praet,

My money was on the Lady Mondegreen 8-)

I think it was Dr Hook that sang "Silvia's mother said, Silvia's to busy to come to the foam" ;-)

Rachel August 9, 2017 2:36 AM

Dirk Praet: Human Being (not everyone gets this title! You do)

Thanks for the comments about gambling. It doesn't help the way US popular culture overly indoctrinates the message 'let's go holiday in Vegas cos we may come home richer'
With sensitivity to being off topic,
let me add that whilst comparing gambling to hard drugs is appropriate it is also apples and oranges in the words of our late friend. In some respects I would consider gambling, of the degree you describe, to be far worse than hard drugs.
There are rumours about Australian casinos in cities of Brisbane and Melbourne having a removable panel in every toilet cubicle that allows discreet access to remove the bodies of people who have taken their own life - taken to the casino's private morgue underground. All to avoid publicity.

What hasn't been mentioned here: and would appreciate feedback from some of the experts here: is the beast that is internet gambling.
Firstly it is, unlike slots, accessible via a smart phone 24/7 for maximum destructive impact. And, the potential for manipulating the maths is unlimited with no regulation or oversight and - who cares if there is because they can't get caught either. Oh and nice full blown GUI for utterly owning the user's dopamine receptors.
S


Clive Robinson August 10, 2017 9:44 AM

@ vas pup,

Did you mean to put the Chinese sat comment on this thread or the current Squid thread?

vas pup August 10, 2017 11:29 AM

@Clive:
Guilty as charged. Squid is probably better place, but I guess Moderator will provide expanded version soon due to importance of that information for US (and UK) IT security.

Clive Robinson August 10, 2017 2:14 PM

@ vas pup,

Guilty as charged

Not charged, I just thought you might have had a couple or more windows open on different threads and typed in the wrong one. I've done it myself once or twice.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.