A high-tech, internet-connected fish tank in a North American casino has been used to exfiltrate data from the company’s network. Smart drawing pads used in an architectural firm were part of a botnet used to mount DDoS attacks against websites around the world owned by entertainment companies, design companies, and government bodies.
These are just some of the discoveries made by UK-based cyber defense company Darktrace, but they serve as perfect examples of how lax security around IoT devices can spell disaster for businesses.
Unexpected doors into the corporate network
In the case of the smart fish tank, the casino had configured the tank to use an individual VPN to isolate the tank’s communications from the commercial network, but the attacker managed to use this foothold into the company network to scan for vulnerabilities in other systems and exploit them.
Ultimately, he or she managed to transfer 10GB of company data outside the network, to a server in Finland. The data was uploaded to the server via the compromised fish tank.
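The fish tank case combines two behaviours a network monitor can look for on IoT devices: probing of other internal hosts, and a sudden bulk upload to an external address. The following is an added illustration, not Darktrace's detection logic or code from the incident; the flow records, device names, IP addresses and thresholds are all constructed for the example.

```python
"""Flag IoT devices that show internal scanning or bulk external uploads.
Flow records and thresholds are constructed sample data for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (source device, destination IP, destination port, bytes sent)
SAMPLE_FLOWS = [
    ("fishtank-01", "10.0.5.10", 22, 800),
    ("fishtank-01", "10.0.5.10", 445, 600),
    ("fishtank-01", "10.0.5.11", 22, 800),
    ("fishtank-01", "10.0.5.12", 3389, 700),
    ("fishtank-01", "203.0.113.77", 443, 10 * 1024**3),  # ~10 GiB to an external host
    ("thermostat-02", "10.0.5.10", 443, 5_000),
    ("thermostat-02", "198.51.100.9", 443, 120_000),      # routine vendor check-in
]

# RFC 1918 ranges; anything outside them is treated as external here.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the private ranges above."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyse(flows, scan_targets=3, external_limit=100 * 1024**2):
    """Return {device: [finding, ...]} for devices that touched at least
    `scan_targets` distinct internal host/port pairs, or sent more than
    `external_limit` bytes to external addresses in total."""
    internal_targets = defaultdict(set)   # device -> {(ip, port), ...}
    external_bytes = defaultdict(int)     # device -> bytes sent outside RFC 1918
    for device, dst, port, nbytes in flows:
        if is_internal(dst):
            internal_targets[device].add((dst, port))
        else:
            external_bytes[device] += nbytes

    findings = defaultdict(list)
    for device, targets in internal_targets.items():
        if len(targets) >= scan_targets:
            findings[device].append(f"internal scan: {len(targets)} host/port pairs")
    for device, total in external_bytes.items():
        if total > external_limit:
            findings[device].append(f"bulk outbound: {total / 1024**2:.0f} MiB to external hosts")
    return dict(findings)


if __name__ == "__main__":
    for device, notes in analyse(SAMPLE_FLOWS).items():
        print(device, "->", "; ".join(notes))
```

Against the sample data only the fish tank is flagged, on both counts; the thermostat's small vendor check-in stays under the limit.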
In the case of the compromised smart drawing pads, unbeknownst to the firm, the devices were connected to the office Wi-Fi while still using the default login credentials that came with the design pad software.
“Smart devices are often purchased and introduced into corporate networks by employees without the involvement of the IT or security team, opening an easy route into the network for attackers to exploit,” Darktrace researchers noted.
We’re used to certain devices being considered a possible way into the corporate network. But with the increasing computerization of devices – whether coffee makers, cameras, smart locks, or fish tanks – that we are still not completely used to thinking of as “internet-connected,” it would be wise to be extra careful.