One of the most memorable examples of IoT insecurity occurred at a Las Vegas casino, where attackers compromised a smart thermometer connected to an aquarium in the lobby.
The device, intended to automate water temperature and quality, gave the attackers a foothold on the casino’s internal network. From there they located the high-roller database and exfiltrated it, routing the stolen data back out through the fish tank’s own internet connection.
As Nicole Eagan, then CEO of the cybersecurity firm Darktrace, recounted in 2018:
“The attackers used that (a fish-tank thermometer) to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”
This incident has become a cautionary tale in cybersecurity, demonstrating how even seemingly innocuous smart devices can open the door to major breaches if left unsecured.
Surely this type of breach is rare nowadays, isn’t it?
Let’s take a look using our favourite tool for uncovering internet-facing open ports and devices – Shodan.
We’re looking for devices whose web interfaces mention the terms “temperature” or “humidity”, which are likely to be smart thermostats, environmental sensors or controller UIs. We also filter on the common web ports that often host configuration pages, and we restrict the search to New York City.
This query often reveals:
Industrial temperature/humidity control systems
Smart thermostats in commercial buildings
Environmental sensors in server rooms or greenhouses
Custom controllers for fish tanks or water systems
And here’s the kicker: many of them
Require no login at all
Still use default usernames and passwords
Run on outdated software with known exploits
So every dot on the map is a potential target for attackers looking to emulate the Las Vegas attack. (A dot only tells you the interface is reachable from the internet; confirming whether it is actually exploitable is something you may only do on devices you are authorised to test.)
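To show how results like these can be triaged without ever connecting to the hosts, here is an added Python example; it is not code from the original post or from Shodan. It classifies Shodan-style banner records by whether the environmental-control interface answers with readings and no login at all, demands HTTP authentication, or presents a login form. The query string is an assumption (the post describes its search but does not print it), and the sample hosts (RFC 5737 documentation addresses) and their HTML are constructed; the filter names http.html, city and port are real Shodan filters, and the record fields (ip_str, port, data, http.status/title/html) mirror the JSON the Shodan API returns.

```python
"""Passive triage of Shodan-style banners for exposed temperature/humidity interfaces."""
import json
import re

# Assumed query for this example: pages mentioning "temperature", in New York,
# on common web-UI ports. The post does not show its exact query.
SHODAN_QUERY = 'http.html:"temperature" city:"New York" port:80,8080,8443'

ENV_TERMS = re.compile(r"\b(temperature|humidity)\b", re.IGNORECASE)
PASSWORD_FIELD = re.compile(r'type=["\']?password', re.IGNORECASE)

# Constructed sample records (not real hosts). Field layout follows Shodan's
# search/host JSON: ip_str, port, data (raw banner) and an http sub-object.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n",
     "http": {"status": 200, "title": "Greenhouse Controller",
              "html": "<h1>Greenhouse Controller</h1><p>Temperature: 24.1 C</p>"
                      "<p>Humidity: 61%</p><a href='/config'>Setpoints</a>"}},
    {"ip_str": "192.0.2.11", "port": 8080,
     "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Thermostat\"\r\n\r\n",
     "http": {"status": 401, "title": "401 Unauthorized", "html": ""}},
    {"ip_str": "192.0.2.12", "port": 80,
     "data": "HTTP/1.1 200 OK\r\n\r\n",
     "http": {"status": 200, "title": "Login",
              "html": "<form><input name='user'><input type='password' name='pass'></form>"}},
    {"ip_str": "192.0.2.13", "port": 8443,
     "data": "HTTP/1.1 200 OK\r\n\r\n",
     "http": {"status": 200, "title": "Welcome", "html": "<p>Nothing to see</p>"}},
]


def classify(banner):
    """Label one banner: 'open-no-auth', 'http-auth', 'login-form' or 'unrelated'.

    Only the stored banner is inspected; nothing is sent to the host.
    """
    http = banner.get("http") or {}
    status = http.get("status")
    html = http.get("html") or ""
    title = http.get("title") or ""
    raw = banner.get("data") or ""
    # A 401 or a WWW-Authenticate header means the UI at least asks for a password.
    if status == 401 or "www-authenticate" in raw.lower():
        return "http-auth"
    # A password field in the page means a form-based login sits in front of it.
    if PASSWORD_FIELD.search(html):
        return "login-form"
    # Live readings served on a 200 with no login at all: the Las Vegas case.
    if status == 200 and (ENV_TERMS.search(html) or ENV_TERMS.search(title)):
        return "open-no-auth"
    return "unrelated"


def triage(banners):
    """Group host:port targets by exposure class, worst first."""
    report = {"open-no-auth": [], "http-auth": [], "login-form": [], "unrelated": []}
    for banner in banners:
        report[classify(banner)].append(f"{banner['ip_str']}:{banner['port']}")
    return report


if __name__ == "__main__":
    print(f"Query: {SHODAN_QUERY}")
    print(json.dumps(triage(SAMPLE_BANNERS), indent=2))
```

Note what the classes do and do not tell you: "http-auth" and "login-form" hosts still often sit behind factory-default credentials, and the "open-no-auth" page may expose only readings while the configuration pages require a login; a banner cannot settle that, and actively checking a device you do not own is unauthorised access.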
Just like the Las Vegas casino breach, if one of these devices is connected to a corporate or high-security internal network, it can act as a weak link for attackers:
They gain access to the exposed interface
Exploit a vulnerability or default password
Pivot into the internal network
Steal data or install malware, all starting from a temperature sensor.
How many IoT (Internet of Things, e.g. doorbells, fish tanks, washing machines, fridges) devices do you have in your office or home? When did you last update the firmware on your smart devices? Do all of your IoT devices use strong, unique passwords, or are some still on the factory defaults? Do you segment your network so that smart devices are separated from your work or personal computers?
We recommend at least the following for managing your IoT devices –
Change all default usernames and passwords on IoT devices to strong, unique credentials.
Regularly update device firmware and software to patch known vulnerabilities.
Place IoT devices on a separate network or VLAN, isolated from sensitive systems like workstations or servers.
Do not expose device web interfaces directly to the internet (this is exactly what the Shodan search finds); if remote access is needed, put it behind a VPN.
Enable multi-factor authentication (MFA) where possible for device management dashboards.
Contact SME Cyber Solutions for a friendly discussion about your cyber security.
Do you remember the casino that got (June 9, 2025)