Casinos Face New IoT Security Threats
As IoT Devices Collect Vast Amounts of Data, Casinos Must Prioritize Data Protection, Privacy, and IoT Security
The Las Vegas Strip is an iconic landmark in the Nevada desert. A shimmering temple to entertainment, glitz, and the possibility of hitting it big on one of the many games of chance in a massive casino. That same Strip has long been a target for criminals in and out of fiction.
For decades the threat was physical. Casinos dealt with people who tried to “beat the house” through cheating or other methods in the physical realm. But with the evolution in digital technology, including connected security cameras and facial recognition systems, the modern Las Vegas gaming establishment is building a target-rich environment for a different type of gambler.
Cybercriminals have now taken aim at the target-rich, money-rich environment casinos have created. The addition of numerous Internet of Things (IoT) devices into the modern gaming facility – including IoT security cameras, slot machines, fish tank thermometers, and more – means that casinos have a vast network and attack surface with many options for cybercriminals.
The Game of Chance in IoT Security
IoT devices are transformative for casinos. Connected slot machines, for example, may track user behavior and preferences to customize the gaming experience. IoT security cameras can transmit data to a central location for analysis and monitoring. Casinos might use IoT thermostats or lights in guest rooms to enable a customized guest experience from an app.
There are RFID tags that can be used for better inventory management to track things like equipment, beverages, and gaming chips. These ID tags can reveal the casino’s usage patterns, making it more efficient at ordering what it needs when it needs it.
The possible uses for connected devices in a casino are endless. Smart gaming tables to combat cheating. Monitors to ensure efficient water usage. Tailored marketing strategies based on actual customer patterns.
For all the benefits of IoT in the casino gaming industry, this adoption of distributed technology also creates extensive risk. Data privacy and data security need to be paramount in an environment with so many endpoints that cybercriminals could attack. In 2017, in one of the classic IoT security hacks, a casino was breached because of an IoT thermometer in a fish tank.
The broad use of connected devices exposes casinos to a game of chance of their own: that an attacker could breach them and steal customer data or other information. So casinos remain a target, but not for the cash they have on hand in vaults like in Ocean’s 11. Rather, the new money is data, and cybercriminals are looking for it.
MGM and Caesars: Real Examples of Casino Cyber Risks
There are other threats facing casinos outside of the inherently risky nature of connected devices. In September 2023, Caesars revealed that customer data had been stolen via a social engineering attack conducted on an outside IT vendor. The perpetrators managed to exfiltrate a copy of the company’s loyalty program database. This information included customer Social Security numbers and driver’s license numbers among other personally identifiable information.
Caesars didn’t disclose which third-party vendor was the origination point of the attack in the Form 8-K that they filed about the incident. In the filing, Caesars wrote “We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate, and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”
It’s unlikely that the full scope of the impact on Caesars will be known for several months. According to the filing, they did pay a ransom to the cybercriminals in the hope that the stolen data would be deleted. There’s no real way to ever know for sure whether that happens, but cybercriminals are likely to follow through. If they take a target’s money and then don’t do what they say, more people may refuse to pay, and the ransomware gangs lose out on revenue.
At roughly the same time as Caesars, MGM Casinos was completely taken down by a ransomware attack. The security incident affected key cards, slot machines, escalators, and more. Guests were locked out of their rooms and none of the gaming equipment worked. MGM refused to pay any ransom, unlike Caesars. Some commentators have speculated that the attackers took down MGM’s systems because they refused to pay the ransom.
There’s no real way of knowing if that is the case. However, the attack started the same way as the one on Caesars – with a phishing phone call. These two attacks are examples of the new class of social engineering focused on help desks. With security systems becoming more complex, cybercriminals are getting more creative in getting through defenses.
These two recent examples are the reasons that attackers are becoming more searched online. Security teams would do well to understand how their systems work now rather than during an attack.
How Asimily Helps Secure Casinos
Asimily’s platform is designed to streamline IoT security. IoT is among the biggest risks for casinos and other companies, so locking down traffic and being able to determine traffic sources or spot any unusual traffic connection can be very powerful.
Separately, organizations can also use Asimily’s risk simulation to assess different ways to mitigate the risk from a given vulnerability on a device. Simulating a fix without going through the effort of doing it can help you determine criticality and whether the weakness is even of interest to attackers in the first place. That’s critical information when you’re deciding how best to support your security posture. For instance, you may find that certain devices or access controls are inadequate.
Asimily’s technology reduces false positives for serious weaknesses, while also speeding remediation of vulnerabilities through NAC integrations and more. Risk Simulator also empowers your security team to reduce risk 10x faster than with traditional vulnerability management.
Casinos are under attack from increasingly creative cyber attackers. They need a way to track the riskiest assets while also being able to benefit from the power of IoT devices to streamline customer experience. Asimily can resolve that issue. Schedule a consultation with an Asimily expert to see how you can efficiently prioritize and remediate vulnerabilities with the leading IoT security risk management platform.