Phishing or Fishing for Information: The Dangers of the IoT

In our ever more connected world, the Internet of Things (IoT) is another example of how easy it is to forget “Security 101.”  There are now more devices than ever in the IoT category to please our every whim — devices such as home security systems, appliances, and even our children’s toys communicate with us via an internet connection. Do I really want to talk to my refrigerator?? Hmm. While these devices don’t normally appear in an organization’s internal network, there are a host of similar “corporate” IoT devices that do.  What tends to be forgotten is that every one of these, when connected to your organization’s network, looks just like any other endpoint – one that tends to be overlooked as far as securing it goes.

Here’s an Actual Very Scary Scenario

Let’s take the example of a North American Casino (name withheld for both security reasons, as well as to spare embarrassment to their IT staff)…

A large fish (phish?) tank was installed on the main casino lobby level. Fish tanks are pretty and soothing to look at but can be a pain to maintain. Enter the IoT world!! The casino installed a device that monitored the conditions in the tank, such as water cleanliness, food supply, and temperature. Nice!

The problem was that this monitoring device was then connected to the casino’s internal network. Yep, the bad guys went “fishing,” and before it was discovered, approximately 10GB of data was ‘expatriated’ to a device later confirmed to be in Finland (which is not normally a country you might associate with this type of “phishing!”)

Lesson Learned: Everything is an Endpoint on Your Network

Everything that gets connected to your organization’s internal network is considered an endpoint to the network, and it must be secured in the exact same fashion as if that fish tank monitor had been an employee sitting at home with the company’s PC logged onto the network.

Want to be absolutely sure of your organization’s security posture? That’s what we do! Contact us by filling out the form below or giving us a call for an introductory security evaluation performed by an experienced Cybersecurity Compliance Consultant. It could be the best decision you will make today.

And that’s no fish story!

Published on November 18th, 2021


by Steve Wantola

Steve Wantola has had a long-standing professional relationship with i3 and has the highest respect for the company’s management, its operational integrity, and dedication to its clients. Mr. Wantola holds a Certified Information Security Manager (CISM) certification from the ISACA, is a Registered Practitioner (RP) for the Cybersecurity Maturity Model Accreditation Board (CMMC-AB) and has served on the Cybersecurity Advisory Board of Rutgers University.

Find out how i3 can support your staffing and consulting needs: