A smart fish tank left a casino vulnerable to hackers

Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Feir, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in the casino’s security.

The unnamed casino’s rogue fish tank is one of nine unusual threats on corporate networks that Darktrace identified in a report published Thursday.

The report cites examples compiled from Darktrace’s threat detection technology. Darktrace makes security technology that sits on a company’s network and monitors the activity taking place. That could be anything from data transferred between computers to actions taken by a connected coffee maker.

When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

In another example of an unusual attack, smart drawing pads connected to insecure wifi were used to send data to websites around the world in what’s called a “denial of service” attack. A hacker had scanned the internet looking for vulnerable devices, and exploited them to try and flood other websites with too much traffic.

We’ve seen cybercriminals leverage connected devices for destructive purposes before.

Last year, the Mirai botnet took control of smart home devices, like security cameras, all over the world, effectively turning them into zombie machines directing web traffic to take down popular websites like Netflix and Twitter.

Feir, a former U.S. intelligence contractor, says he anticipates threats coming from more unexpected places. Phishing emails will be one way hackers can get onto systems. But things like insecure fish tanks connected to the internet will be another.

“In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nation-state or criminal, having to get more creative in their attack vectors,” Feir said.