Jestersix

A Casino Gets Hacked Through a Fish-Tank Thermometer

Wouldn't be surprised is casino left default password and login on the controller or thermometer. That's why good practice would be to change defaults always.
 
Further to changing the default password. People need to stop having every tcp/udp port open. If you locked down the ports it would make it harder to exploit things.

also use of NAT and firewalls is a must.
 
Further to changing the default password. People need to stop having every tcp/udp port open. If you locked down the ports it would make it harder to exploit things.

also use of NAT and firewalls is a must.
But I need to open them up so I can view my cameras! I can’t remember crazy passwords too!
 
The problem is both less of a problem, yet more insidious, than you might think.

Most people do have a basic firewall already, provided by internet service provider.
They deny unknown messages coming in from the outside, so a simple hack like trying to
get in with default password will not work because the outside cannot even see
or send a message to your device.

Of course ... some of those routers have bugs.

The bigger problem is all these random unknown devices calling out.
Devices like thermometer and Apex send messages from inside your network to the cloud.
Like: (guessing) Apex -> Fusion : My temperature is 79.

Done right, that is fine. But done wrong, you can get something like:
Local -> cloud : Hey, should I update firmware.
Hacked/Spoofed Cloud response -> local : Yes, here is code (with a nice virus)
Since many devices use the same library routines for that, it is not as hard as you might think.
Once that completes, that virus takes over the device, and is INSIDE your firewall,
and it can do anything it wants.
Rare, but really bad when it happens.

You can get fancy with double networks. One for all those little devices, one for critical devices,
but that gets tricky with double-NAT issues and so on.
There is no simple fix.
 
The problem is both less of a problem, yet more insidious, than you might think.

Most people do have a basic firewall already, provided by internet service provider.
They deny unknown messages coming in from the outside, so a simple hack like trying to
get in with default password will not work because the outside cannot even see
or send a message to your device.

Of course ... some of those routers have bugs.

The bigger problem is all these random unknown devices calling out.
Devices like thermometer and Apex send messages from inside your network to the cloud.
Like: (guessing) Apex -> Fusion : My temperature is 79.

Done right, that is fine. But done wrong, you can get something like:
Local -> cloud : Hey, should I update firmware.
Hacked/Spoofed Cloud response -> local : Yes, here is code (with a nice virus)
Since many devices use the same library routines for that, it is not as hard as you might think.
Once that completes, that virus takes over the device, and is INSIDE your firewall,
and it can do anything it wants.
Rare, but really bad when it happens.

You can get fancy with double networks. One for all those little devices, one for critical devices,
but that gets tricky with double-NAT issues and so on.
There is no simple fix.


that's why you lock your network down at the MAC address level using an ACL.

also you don't need to double NAT. You create a separate network for your IOT devices.
 
that's why you lock your network down at the MAC address level using an ACL.

also you don't need to double NAT. You create a separate network for your IOT devices.
Possible - sure.
Simple - not so much. :)
That is gibberish to most people.
And you are often stuck with a service provided router that is fairly locked down.
 
So poking around....

I have 32 devices on my network. Ouch.
My nice mesh wifi (eero) is too user friendly and does not support hardly anything special.
My ATT router is actually pretty powerful, and does support MAC filtering and subnets. Interesting.
My wired ports use an unmanaged switch at the top and a couple of hubs in various areas.

Hmm....

What I could do:
Put all the sketchy wifi devices on the ATT router, with strict MAC filtering.
Get some sort of fancy managed switch for the wired connections.
Probably not though.
 
I'm a network engineer (one my roles) .... I trust no one when network access is involved. Lock it down baby.
Zero-TRUST FTW!!!!

I use Unifi and I don’t zero trust as it messes with sonos and any layer two stuff (chromcast). BUT it does have deep inspection and I segment all the other stuff via vlan. No open ports!

I use to sport a Palo Alto but I’m much simplistic now.
 
So as a less tech involved person, I've heard allowing access to a "guest account" (if your router supports it) is better? True? not?
By guess account, I am assuming you mean a guest WiFi/network. Most routers would isolate the guest network from the main network. Some routers do layer 2 Isolation. Layer 2 isolation only allow access to the internet but won’t allow the devices to see each other. Isolation is very good! So good, most company are practicing it as most things move to the cloud.

Either way, moving your APEX to the guest network is good practice(I haven’t done this LOL). This will help you if the APEX every get compromise.

I would move any IOT devices to the guest network that rely on the internet for you to access. Be careful with some devices that needs to “talk to each other”. You can move a few things like NEST, RING, etc. You won’t be able to move Sonos or any other devices that rely you to see them on the same network. You won’t be able to move stuff that integrates with home automation. So if you all in on google home, maybe moving it will hurt the experience.
 
Yeah right now other than phones/tablets/laptops, the only other things that use wifi is my Roku, and probably my TV will too (I say probably because I'm going from a "dumb" TV to a "smart" one). Oh yeah the Ecotech light dohicky also is connected via wifi (not using Mobius), the rest of my reef apps are bluetooth connected.
 
Zero-TRUST FTW!!!!

I use Unifi and I don’t zero trust as it messes with sonos and any layer two stuff (chromcast). BUT it does have deep inspection and I segment all the other stuff via vlan. No open ports!

I use to sport a Palo Alto but I’m much simplistic now.
Lol. Fortinet is better choice anyway... :)
 
Back
Top