“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence.
The casino’s name and the type of data stolen were not disclosed in the report for security reasons, Darktrace said. The report said 10 GB of data were sent out to a device in Finland.
“This one is the most entertaining and clever thinking by hackers I’ve seen,” said Hemu Nigam, a former federal prosecutor for computer crimes and current chief executive of SSP Blue, a cybersecurity company.
As more products with the ability to connect to the Internet become available, opportunities for hackers to access data through outside-the-box ways have risen. The report, which was first reported by CNN, comes a few days after the FBI warned parents about the privacy risks of toys connected to the Internet, which could help a hacker learn a child’s name, location and other personal information.
Fier said that with the recent FBI toy warning and the many ways by which hackers are trying to break into systems, he wouldn’t be surprised if the government eventually got involved in regulating Internet of Things, IoT, products. But he said, even if it did, that would raise other questions.
“Everything has to go through FTC approval, I’d be curious to see if that happens on the cyber front,” he said. “That you have to do the bare minimum to protect these products. But that’s just for the U.S. How do you do this globally?”
As for what people can do to protect themselves against these kinds of attacks, customers should educate themselves about IoT products and take advantage of any security protection the product offers, Nigam said. He added that people should use the latest operating systems and software and constantly update them.
The fish tank incident was one of nine unique threats mentioned in Darktrace’s annual report of innovative hacks. Some of the other threats mentioned included hackers using company servers to acquire bitcoin, a digital form of currency, and former employees using their old login credentials to steal company data.