22 April 2018

Casino Hacked Through Its Internet-Connected Fish Tank Thermometer; Whether It Is This Technique/Method, Or, Compromising A Network Through A E-Cigarette Charger — The Vulnerabilities In The Internet-Of-Things Is Almost Endless


Wang Wei posted an April 15, 2018 article in the security and technology publication, TheHackerNews.com, with the title above. “Internet- connected technology, also known as the Internet-of-Things (IoT), is now part of daily life, with smart assistants like Siri and Alexa, to cars, watches, toasters, fridges, thermostats, lights, and the list goes on, and on,” Mr. Wei wrote. But, as I have written many times on this blog, the IoT, has also become — ‘The Internet of Threats (IoT).’ The more and more we become connected to the IoT, the more expansive our digital footprint becomes; thus, providing cyber thieves and other malcontents, with more ways to compromise our sensitive data. An unnamed casino recently found out the hard way, that anything connected to a wifi, or network — is susceptible to being hacked.


Mr. Wei writes that Nicole Eagan, the CEO of the cyber security firm, DarkTrace, told attendees at a meeting in London last week “how cyber criminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.” Ms. Eagan explained “the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers, and then, “pulled it back across the network out of the thermostat and up to the cloud.”

The Internet-Of-Things Has Turned Into The Internet-Of-Threats — Hackers Can Even Use Heat Effluents Of E-Cigarette Charger To Hack Networks

This hack utilizing the thermometer of an aquarium actually occurred sometime around the summer of 2017, so this is not a new technique. The Internet-of-Things has turned into the Internet-of-Threats. Anything in your home, office, elsewhere, that is connected to the Internet — is either already been hacked, or is vulnerable to being hacked. You should NEVER assume your network is clean. As my old boss, Donald Rumsfeld was fond of saying, “the absence of evidence, does not constitute evidence of absence.” Just because you haven’t seen or discovered a breach, doesn’t mean your systems are ‘clean.’ Remember, the best cyber thieves — haven’t been caught yet.

Whether it is a breach through the aquarium, using the power lines, a thermostat, or in another case an e-cigarette charger, if it can be hacked, cyber thieves will find a way. In the case of the e-cigarette charger, Ross Bevington (@FourOctets on Twitter), demonstrated how to hack a computer/mobile device using an e-cigarette charger, at the London B-Sides Conference on cyber security held on June 7, 2017. Mr. Bevington’s technique involved using the heat/effluents from the e-cigarette to “trick” the mobile device or computer into believing that “it” [the e-cigarette], “was a keyboard.” And, Mr. Bevington was also able to “interfere” with the targeted computer/mobile device’s “network traffic,” as well. Hackers are able to successfully utilize this technique, “because most of the e-cigarette’s come with a rechargeable, lithium-ion battery, which can be plugged into a cable, or directly connects to the USB port of a computer,” Wagas posted on the June 6, 2017 edition of the HackerNews.com.

In a conversation with Europe’s Sky News, Mr. Bevington said that” “He had modified the [e-cigarette] vape pen, by simply adding a hardware chip — which allowed the device to communicate with the laptop…as if it were a keyboard, or a mouse — A pre-written script that was served on the vape made Windows open up the Notepad application; and, typed, “Do you even vape Bro!!!”

Wagas added that, “it is unclear what kind of malware infection can be done,” using this technique; “however,” he warns, “based on [the] WannaCry malware attack, one can expect the worst”; and, one should be even more cautious when using a mobile device around someone, or in a room where vaping is going on. 

Mr. Wagas/HackRead.com, recommends “to avoid such risks, it is advised [that you] to disable data pins on the USB, and keep only the cable charge[r] to prevent any information exchange between the devices it connects. Alternatively,” Mr. Wagas writes, “use a USB [digital] condom, a gadget that connects the USB, and makes data pins ineffective.”

The technique does require that the targeted victim’s device be unlocked; so, one is reminded again not to leave the digital keys to your device openly available. ‘Poison Tap,’ is a very similar style attack [technique], that will work on — even on locked machines [devices],” Mr. Bevington told Sky News.

The damage from this kind of hack/technique appears to be limited, as does the aquarium breach in the unnamed casino; but, for a persistent, and sophisticated cyber adversary, these kinds of initial breaches may be just an initial way to get inside a targeted company, or your personal devices. Rather than releasing malware and setting off digital alarms, a more worrisome scenario would have the hacker using this technique; and, once successfully inside, proceed to lay low or dormant until they are ready to strike. Once again, the cleverness and ingenuity of the cyber thief never ceases to surprise. Remember, the best cyber thieves haven’t been caught yet; and, it is always the second cyber mouse — that gets the digital cheese. V/R, RCP

No comments: