Casinos Gamble on Unsecured Devices: Two Endpoint Security Breach Post-Mortems

The stakes at casinos are higher than you think.

In casino resorts, it's not just cards that turn over. Resorts and hotels face the unique challenge of a revolving door of guests, most of whom are involved in a number of financial transactions. The high customer turnover generates a huge amount of sensitive data that needs to be protected from cyber attacks, a complex task that takes more than just a solid security team.

The odds are stacked against organizations when it comes to cybersecurity. Modern hotels and casinos rely on thousands of connected products (e.g. remote devices like access control systems, smart locks, kiosks — or security cameras and NVR/VMS). The connected product ecosystem supports vacationers' convenience and relaxation. 

But technological complexity comes with risks. When left unsecured, these same devices are prime targets for cyberattacks that could damage a business’s finances and reputation with customers. 

Two recent breaches demonstrate often-overlooked vulnerabilities related to unsecured remote devices in the hospitality industry. 

How a Fish Tank Thermometer Sunk the House

One breach you wouldn't bet on occurred in 2017 when hackers accessed a North American casino's network using an internet-connected fish tank thermometer. Though seemingly a harmless temperature monitoring device, the thermometer's connection to the casino's internal network gave hackers a gateway into critical systems. Once inside, hackers took advantage of their ability to navigate the casino's internal network, locating and extracting 10 gigabytes of data.

 The breach is a stark reminder of the vulnerabilities introduced by unsecured or unmonitored connected products, especially without employing security best practices like network segmentation. 

What is network segmentation? 

Network segmentation separates sensitive data (like customer data) from less critical systems (like marine habitats) and continuously monitors remote devices using remote monitoring and management (RMM) software, looking for signs of suspicious activity or device malfunctions.

Even the least essential internet-connected devices can pose risks, often in unexpected ways. Through direct insight into each remote device, technical support and security operations teams can mitigate risks. 

Without a way to monitor and manage these kinds of endpoints and edge devices, products like fish tank thermometers will be forgotten. But had this casino been more aware of their remote devices, they could have taken steps to harden these devices against exploits, wall them off, or perhaps notice unusual network activity, reducing the loss to the casino. A custom, automated alert could have been used to observe and notify operations personnel early enough to avoid hackers exfiltrating valuable data.

(For example, support teams can create custom smart alerts and automations using Canopy’s automation engine.)

‍

Hackers Hit the Jackpot Manipulating Connected Products

In September 2023, MGM Resorts International fell victim to a cyberattack orchestrated by the hacking group Scattered Spider. 

The breach, which resulted in significant operational disruptions for MGM, demonstrated that even businesses with robust infrastructures can be caught off guard when comprehensive cybersecurity practices are not in place.

The attackers used social engineering tactics to impersonate an employee, gaining access to MGM's internal network through the IT help desk. The breach wreaked havoc on resort operations, causing slot machines and ATMs to malfunction, disabling digital room keys, taking reservation systems offline, and compromising security monitoring systems. MGM Resorts later reported a $100 million reduction in earnings for Q3 2023 due to the breach's extensive impact.

The breach did not originate from a connected product, but these devices were a target. Manipulating devices (the ATMs, slot machines, etc.) within the MGM Resorts network cost the company money and damaged its brand reputation, a win for the hackers behind the attack.

A comprehensive security system approach would incorporate multi-layered security protocols to help businesses mitigate risks and avoid losses by detecting — and even thwarting — attacks before they escalate. A multi-layered approach might include any or even all of the following layers:

1. Physical security protocols: Access controls such as biometric scans, key cards, and security guards. Surveillance systems like CCTV cameras.
   
   
2. Network security protocols: Firewalls to block unauthorized access to networks. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) that monitor network traffic for suspicious activity.
   
   
3. Application security protocols: Application firewalls to monitor and control input/output from software applications. Regular updates and security patches for applications.
   
   
4. Data security protocols: Encryption of sensitive data both at rest and in transit. Data masking and tokenization to protect data privacy.
   
   
5. Endpoint security protocols: Anti-virus and anti-malware software. Remote device management (RDM) and remote monitoring and management (RMM) software to secure devices accessing corporate resources. (Canopy would fit here.)
   
   
6. Identity and access management (IAM) protocols: Multi-factor authentication (MFA) where more than one credential is required to verify a user’s identity.
   
   
7. Role-based access control (RBAC): to ensure employees can only access information necessary for their jobs.

In addition to bolstering security, RDM/RMM would also give hospitality companies like MGM new tools to strengthen their defenses by ensuring all devices and systems are up-to-date and in sync.

RMM tools automatically manage software and firmware updates across connected products, helping to close any security gaps and reduce the likelihood of successful exploits. This proactive approach enhances the overall security posture of an organization, hardening devices with up-to-date firmware and even continuously monitoring for vulnerabilities and enabling a rapid response to emerging threats.

In MGM's case, an RMM solution could have flagged suspicious activity and initiated automated repairs on the affected devices, minimizing business disruption and reducing the overall impact of the breach.

Are You Rolling the Dice on Cybersecurity? 

Both of these breaches underscore critical cybersecurity vulnerabilities within the hospitality industry. The unnamed casino's breach illustrates the risks posed by unsecured remote devices. In contrast, MGM's breach highlights the dangers of inadequate device management and lack of employee awareness.

Security teams must take a multi-layered approach to security system management. For example, deploying RMM software like Canopy can offer real-time monitoring of network-connected remote devices. How that observability is used to improve the organization’s security posture is up to the technical team. However, options include deploying smart alerts and automations to watch for and escalate anomalous behavior from unsecured devices or flag when internal systems are compromised. RMM can help companies react swiftly to cyberattacks, repair compromised devices, and prevent minor glitches from snowballing into major operational liabilities. 

The hospitality industry cannot afford to gamble with cybersecurity. RMM helps businesses stay ahead of potential threats. By embracing continuous monitoring and proactive device management, hospitality businesses can reduce the risk of costly and disruptive cyberattacks.