AquaHack – IoT attack through an aquarium
The number of cyber attacks on IoT (Internet of Things) devices will continue to increase steadily in 2018.
Over the past few years, industry analysts' growth forecasts have kept outbidding one another: 50 billion devices should be networked on the Internet of Things (IoT) by 2020, then 150 billion, perhaps even 200 billion. More realistically, Statista.com expects linear growth and predicts “only” 20 billion devices for 2020. Gartner, too, is currently talking about 20 billion.
If these devices and the systems behind them are not properly secured, every one of them is a potential entry point for cyber criminals. Hackers are increasingly accessing IoT devices in order to attack the enterprise systems behind them, for example via surveillance cameras, air conditioning and possibly other devices used in building management.
Nicole Eagan, CEO of Darktrace, said Thursday at the WSJ CEO Council Conference in London:
“There’s a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems (Heating, Ventilation and Air Conditioning), to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface, and most of this isn’t covered by traditional defenses.”
In the course of her presentation, Eagan referred to the AquaHack of a US casino last year, in which hackers broke in to obtain the database of “high rollers” (gamblers who always play/bet for the highest amounts of money). The perpetrators penetrated the casino via the thermostat of an aquarium connected to the Internet, gained access to the connected network and then channelled the captured data back out the same way.
“This one (AquaHack) is the most entertaining and clever thinking by hackers I’ve seen,” said Hemu Nigam, a former federal prosecutor for computer crimes and current chief executive of SSP Blue, a cybersecurity company.
There seem to be no limits to the creativity of imaginative hackers, so it is all the more important not to neglect security when using or retrofitting IoT devices and systems.