
ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

How a Fishtank Helped Hack a Casino

September 17, 2017 by Ian Riley 1 Comment

Web Summary

Original PDF Source (See Page 8)

tl;dr: >10 GB of data was exfiltrated from a North American casino using a recently installed Internet of Things fishtank.

There’s not a TON of info on this (since no casino wants to divulge too much about how it was hacked or what data was lost), but there are two details that really stand out to me:

  1. Because the device was rather new on the network, the traffic on it was never properly profiled before the hack took place.
  2. The communications took place using an audio/video protocol. Similar to ping tunneling, where the data is hidden inside a ping, I think the data here was exfiltrated using an AV protocol so that it would be less likely to be noticed by the casino. If, say, video logs were being sent off-network, it wouldn’t be unusual to see this type of traffic leaving the casino’s network.
  3. (Confusion): The article says the fishtank was “configured to use an individual VPN”; I don’t know what they mean here. I think they’re trying to say that it had its own VLAN, so it wouldn’t be able to interact with devices on the main VLAN? By my understanding, VPNs are just used to create an encrypted internet connection through a third party.
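The profiling gap in point 1 and the protocol blending in point 2 can be shown with a small per-device baseline check. This is an added example, not part of the original post or the source report; the device names, addresses and flow records are constructed, and the 3-sigma threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, device, destination, protocol, bytes_out).
# Device names are hypothetical; addresses are documentation ranges.
BASELINE_FLOWS = [
    (1, "cctv-01", "203.0.113.10", "rtp", 900_000_000),
    (2, "cctv-01", "203.0.113.10", "rtp", 950_000_000),
    (3, "cctv-01", "203.0.113.10", "rtp", 920_000_000),
]
NEW_FLOWS = [
    (4, "cctv-01", "203.0.113.10", "rtp", 940_000_000),        # matches profile
    (4, "cctv-01", "198.51.100.7", "rtp", 930_000_000),        # new destination
    (4, "fishtank-01", "198.51.100.7", "rtp", 1_200_000_000),  # never profiled
]

def build_profiles(flows):
    """Per device: known destinations plus mean/stddev of daily bytes out."""
    dests, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, dev, dst, _proto, nbytes in flows:
        dests[dev].add(dst)
        daily[dev][day] += nbytes
    return {dev: {"dests": dests[dev],
                  "mean": mean(daily[dev].values()),
                  "std": pstdev(daily[dev].values())}
            for dev in dests}

def review(flows, profiles, k=3.0):
    """Return sorted (device, reason) findings for one day's flows."""
    findings, totals = set(), defaultdict(int)
    for _day, dev, dst, _proto, nbytes in flows:
        totals[dev] += nbytes
        prof = profiles.get(dev)
        if prof is None:
            # A device with no baseline is itself a finding, not a pass.
            findings.add((dev, "no-baseline"))
        elif dst not in prof["dests"]:
            findings.add((dev, "new-destination"))
    for dev, total in totals.items():
        prof = profiles.get(dev)
        if prof and total > prof["mean"] + k * prof["std"]:
            findings.add((dev, "volume-above-baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(NEW_FLOWS, build_profiles(BASELINE_FLOWS)):
        print(finding)
```

Every flow here uses the same media protocol, so the protocol field alone separates nothing; the findings come from destination and volume history, and from treating a missing profile as an alert.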


Comments

  1. Matt Roberts says

    September 18, 2017 at 2:11 pm

    This story got me thinking about the relatively recent rise of the Internet of Things and how these devices are likely to present increased vulnerabilities. In the case of the casino fish tank, the internet-connected device was fairly simple in nature, much like many such devices on the IoT. This simplicity also means there are fewer protections on the device to prevent unauthorized access and use, as evidenced here. Although the casino made some sort of vaguely described attempt to separate the device from the main network, it clearly failed. Instead of removing large chunks of data at once, the attacker used the device to slowly and quietly transfer data over a period of time, which could be the future of how these attacks are carried out on IoT devices.

