Sometime in 2017, somewhere in North America, a casino is somehow robbed. The stolen goods: data exfiltrated via a networked temperature sensor in the aquarium in the lobby. Apparently, 10GB of internal data is said to have flowed out of the casino via the fish tank to an IP address in Finland. With such a starting point and all the cinematic associations, it’s not surprising that the fish tank hack quickly became a popular story.

But what exactly is there to the story? Let’s dive a little deeper.

Articles like How a fish tank helped hack a casino from the Washington Post spread the word about the event in late summer 2017, and the fact that an aquarium could be involved in a hack seemed to intrigue many writers. The British-American IT security company Darktrace was referenced as the source for this story.

Darktrace describes itself as a leader in AI-based cyber defense. Darktrace’s system is said to analyze the internal data streams and connections in a network, learning to distinguish typical from atypical patterns. This is intended to detect subtle deviations and consequently identify threats. Darktrace puts it this way, “Darktrace is now executing on a Cyber AI Loop, an industry-first set of cyber capabilities that will not just prevent, detect, respond, and heal from cyber-attacks, but do it all at once. An always-on, feedback system with deep, interconnected understanding of the enterprise creates a virtuous cycle in which each capability strengthens and hardens the entire security ecosystem.” (source).

The Global Threat Report from Darktrace presented individual case studies of their customers and aimed to highlight incidents or relevant IT security topics. In 2017 this Report contained an Item called: “Compromised Connected Fish Tank”. If you want to look for yourself, Darktrace has deleted this report from their page, but hey there is wayback, so you find the fish tank story as item 6 here.

All articles on the topic are based on this case study of an unnamed Darktrace customer. So let’s take a look at what exactly is described in this report about this incident and discuss the thin factual basis and the possible conclusions to be drawn from it.

An unnamed casino in North America had acquired a new aquarium and installed a high-tech sensor that monitored salinity, temperature and feeding at the same time. This sensor is said to have been at least partially isolated from the actual network, but unfortunately no detailed (technical) statements are made here about the implementation, or if this was ever actually verified by anyone.

The suspicious activities of the sensor were then detected by:

  • Data transfer of 10GB outside the network.
  • No other device of the casino ever had anything to do with the external address.
  • No other device sent this amount of data outside the network.
  • The protocol used is normally more suited for video streaming.

Darktrace concluded that attackers had taken large amounts of data via the sensor from the casino’s internal network.

Credit @marilarifari

So, in summary, an IoT (Internet of Things) device that had vulnerabilities and was externally accessible was taken over and used to penetrate the internal network. From there, the inadequate network segregation was overcome and sensitive data was accessed, which was then exfiltrated through the sensor using UDP. The monitoring system then classified this process as suspicious after(!) a data transfer of 10GB and detected the incident.

Unfortunately, it is not unusual that such sensors are accessible from any external IP address, that the internal network separation was implemented incorrectly, and that no further, meaningful protective measures (such as access controls) were established internally. What is unusual for me is rather to use this case as a positive example for ones own monitoring solution, aimed at preventing data loss, which then seems to have no problem with the temperature sensor requesting credit card numbers from the database and only becoming active after sending 10GB to unknown recipients.

With the exception that it was a sensor from an aquarium, this case is not special at all. The lessons learned are therefore not very surprising. A sensible IT security concept naturally includes everything, whether it’s a laptop, a temperature sensor or an “intelligent” refrigerator and of course some deny-lists and network segmentation need to actually be implemented and tested. In retrospect what surprises me the most is that Darktrace themselves made this story public. Judging from them removing this report, maybe they now think a little different on this case.