May 3, 2021
This may seem like an odd question, but the reality is that this is a profoundly serious question. At a Cyber Security Conference in 2018 a speaker told the story of a network being compromised via a smart fish tank thermometer.
So, what happened? What went wrong? How could this even happen? All good questions, but really the key factor here is that the fish tank thermometer was “smart” and required internet access to function.
The casino that installed the new fancy thermometers may have saved the fish from heat death or from becoming fishsicles; however, they did not consider that connecting the device to the internal Wi-Fi would be a problem. This was the same internal Wi-Fi that was connected to their secure systems, such as servers and databases, that held sensitive data. One such server on that network hosted a high rollers database with PII (personally identifiable information) like names, addresses, birthdays, credit card numbers, and driver’s licenses. You see where this is going, right?
The tiny little thermometer moved the information bit by bit through its tiny processor while floating down in the water up to the cloud and back down to the server. A fish tank thermometer compromised by a very clever, albeit nefarious, hacker.
Obviously, there were a few faults with this breach, and we will review how to protect yourself against them.
- The Human Factor - This is the hardest thing to navigate.
  - How do you stop an employee from picking up a flash drive in the parking lot and connecting it to a work computer?
  - How do you stop an employee from clicking a link in a phishing email?
  - How do you stop an employee from buying an untrusted device?
- The Network Factor - This was also at fault due to poor design and implementation.
  - How can you stop an employee from connecting non-secure devices to the secure Wi-Fi?
  - What else on a network could have stopped this attack?
  - Is there a safe way to use an unsafe device? And is it worth it?
Smart devices and the entire world of IoT (Internet of Things)
IoT devices (smart devices) have been around for over 20 years and are becoming even more popular, from smart thermostats to light switches and even fish tank thermometers. Automation makes things better and often saves energy and, in this case, the lives of fish.
The Human Factor
The downside to these devices is security. It is critical to address the human factor first. How do we protect the network from humans? Training! Training is the first line of defense. All NuWave employees spend 5 hours each quarter on training through online classes. We train on phishing, smishing, vishing, spear phishing, whaling, and yes, even angler phishing.
If you have never heard of the terms listed above, then you could use some training yourself. NuWave Technology Partners works with knowbe4.com to stay current on preventing human error.
The Network Factor
The network, in my opinion, is even more concerning. To start, this thermometer must have been using a pre-shared key to connect to the Wi-Fi. Who knows how many people knew that key and what devices were connected using it? Wi-Fi that uses RADIUS or Active Directory in combination with certificates is the NuWave standard for a secure Wi-Fi network. This approach limits connections to approved devices only, with multifactor authentication using Active Directory authorization or RADIUS authentication.
Furthermore, the Wi-Fi should be set up with zero trust in mind. This means that unless a device absolutely needs to be connected, it is not allowed to connect.
IoT devices that require a Wi-Fi connection need to be isolated and segmented from all other traffic and routed to the internet. This is frequently achieved with a unique SSID and/or an isolated VLAN (Virtual Local Area Network), and sometimes a combination of both. It is important that even services like DNS (Domain Name System) or DHCP (Dynamic Host Configuration Protocol) are not shared between the networks.
Lastly, the design. I often work in the onboarding process at NuWave and have seen some scary things, but most often I see networks that have not been touched for 20 years. More than once I have heard, "If it's not broken, why fix it?" The casino in this case had a 20-year-old network that they saw no reason to change, and therefore they ultimately paid the price. Budget can be a major obstacle when it comes to keeping the network up to date and secure; however, the changes needed are not always expensive! If the casino had upgraded to a firewall that reports on abnormal traffic and blocks it, they could have stopped secure information from leaving the insecure network.
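As an added example (not part of the original article), the following Python audit checks flow records against the segmentation rules described above: the IoT VLAN must not reach corporate hosts, DNS and DHCP must not be shared across segments, and abnormal outbound volume from an IoT device is reported, as a monitoring firewall would. The subnets, the egress threshold and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing and baseline for illustration (not from the article).
IOT_VLAN = ipaddress.ip_network("10.50.0.0/24")   # isolated IoT segment
CORPORATE = ipaddress.ip_network("10.0.0.0/16")   # servers, databases, AD
SHARED_SERVICES = {53: "DNS", 67: "DHCP"}         # must not cross segments
EGRESS_LIMIT_BYTES = 5_000_000                    # per-device outbound baseline

def audit_flows(flows):
    """Audit (src_ip, dst_ip, dst_port, bytes_sent) records; return findings."""
    findings = []
    egress = defaultdict(int)
    for src, dst, port, sent in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in IOT_VLAN and d in CORPORATE:
            service = SHARED_SERVICES.get(port)
            reason = (f"shared {service} across segments" if service
                      else "IoT reached corporate host")
            findings.append((src, dst, reason))
        elif s in CORPORATE and d in IOT_VLAN:
            findings.append((src, dst, "corporate host reached IoT device"))
        elif s in IOT_VLAN and d not in IOT_VLAN:
            # Internet-bound traffic is allowed, but its volume is tracked.
            egress[src] += sent
    for src, total in sorted(egress.items()):
        if total > EGRESS_LIMIT_BYTES:
            findings.append(
                (src, "internet", f"abnormal egress volume: {total} bytes"))
    return findings

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    ("10.50.0.21", "203.0.113.10", 443, 40_000),     # device -> vendor cloud
    ("10.50.0.21", "10.0.5.12", 1433, 2_000),        # device -> database server
    ("10.50.0.21", "10.0.0.2", 53, 300),             # device using corporate DNS
    ("10.50.0.21", "203.0.113.10", 443, 9_000_000),  # unusually large upload
    ("10.50.0.30", "198.51.100.7", 443, 12_000),     # second device, normal
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

On a correctly segmented network the first two kinds of finding never appear, because the firewall or VLAN policy drops those flows before they are logged as allowed.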
Technology threats change often, and your security practices should too. It's necessary to match these threats in order to keep your data and systems secure.