Darktrace, a security firm which works with North American casinos, said that hackers used a smart fish tank to steal data from a casino. The security threat via the fish tank has been fixed.
Darktrace released a report which included 9 strange stories of casino hack attempts, though the fish tank cyber-attack apparently was the oddest one. It was a high-tech fish tank with a smart system.
Used Tank’s Smart Systems
Despite added security measures to the smart-tank’s software, the hackers were able to compromise the system. Once they did, the hackers found the tank networked with other systems, so they were able to gain access to other computers in the casino.
The hackers sent data to Finland before the threat was discovered.
Tank Networked with Casino’s Computers
Justin Feir, the Cyber Intelligence and Analysis Director at Darktrace, said, “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network.”
Darktrace did not release the name of the casino which was hacked, though the security firm’s report noted it was a North American casino. The nine cases cited by Darktrace were chosen to warn casino operators of the dangers posed by clever hackers.
Systems Monitored Water, Air, Food Supply
In the case of the fish tank, it had cyber systems which monitored the water and air quality of the tank, while also feeding the fish automatically throughout the day. Hackers are becoming more clever all the time, due to the pervasive security used by top companies. Last year, the Mirai botnet took control of smart home devices such as security cameras to launch “denial of service” attacks. The cyber-attack took down websites worldwide, including Twitter and Netflix.
Mr. Feir, who once worked as a US security contractor, said hackers are required to find clever new ways to hack systems. He warned users about psishing attacks through emails, but said cases like the smart fish tank would continue to happen.
Brick-and-mortar casinos and racinos are vulnerable, due to the large number of smart devices on the gaming floor. Most slot machines and video poker machines are highly-advanced and have complicated internal security, especially those which are linked in wide-area networks. That does not mean there are not smart devices that help with dispensing money, reading cards, maintaining surveillance for security staff, or controlling the air conditioning unit.
“Creative in Their Attack Vectors”
With the highly-publicized political and financial hacks of the past few years, hackers are going to have to brainstorm new ideas. Justin Feir said, “In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nationstate or criminal, having to get more creative in their attack vectors.”
The report is important for all casino management to read, because they need to know that the installation of any electronic computer systems in the casino might lead to a cyber-attack. Vulnerabilities can be found in anything linked to the central database. Even computer applications sometimes have vulnerabilities which can be exploited. Companies update their software constantly for a reason.
Iranian Cyber-Attack on Las Vegas Sands
Hackers might target casinos for a variety of reasons, besides the obvious financial ones. In 2014, the Iranian government launched a cyber-attack on the Las Vegas Sands Corp‘s database. Millions of customer files were accessed, though no credit card information was stolen. Instead, they wiped computers and destroyed data, which brought the casino company’s operations to a halt for a time. Las Vegas Sands owns world-famous casinos like the Venetian and the Palazzo, as well as the Parisian Macau and Venetian Macau in China — the world’s most lucrative casino.
The Iranians targeted Las Vegas Sands for political reasons. The company’s CEO, Sheldon Adelson, is a major Republican donor and a vocal supporter of Israel. He owns the Israeli newspaper with the largest circulation and is a friend of Benjamin Netanyahu. Adelson said earlier in the year (2014) that Israel had a right to bomb Iran’s nuclear facilities, if other states did not act to keep Iran from getting control of nuclear technology.
People assumed hackivists might have attacked the LVS database for political reasons, or the cyber-attack was an old-fashioned attempt to steal credit card information. Three months later, the U.S. Director of National Intelligence James Clapper released a statement saying the US intel services had tracked the cyber-attack back to Iran. Given the sophistication of the attack, it had the backing of the Iranian government.
Such an attack was designed to silence one of the regime’s critics. Because casinos generate a lot of money and social critics of such businesses exist, any casino might be targeted. Thus, every casino’s security staff must know every possible “attack vector” available to hackers.