I studied the photo to see if I could spot the Internet-connected thermometer, and then finally noticed that the caption said "Ethan Miller/Getty Images", and only after that saw that it also said, "An aquarium at a casino — not the one in question."
Forbes, who wrote an earlier story, did the same thing, but with a Shutterstock photo. At least the original source of the story (the cyber defense company) used an illustration, so it was obvious that it wasn't the real thing.
 https://www.darktrace.com/resources/wp-global-threat-report-... (see page 8)
What the article doesn't mention: IoT devices are harmful not only because they are vulnerable. They can be used to collect data on users. Every enterprise aims to get as much profit as possible; collecting users' data and selling them later obviously gets you more profit than not collecting.
Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary. The software could be installed on a server in a local network or even inside the thermometer itself.
I think the reason why these devices require an Internet connection is that vendors just want to lock users to their servers and collect "anonymous statistics" from them.
Old news: this is from 2017 
It's just that the attack was part of a new article, and the headline used it to make it sexy.
Regulation to try to prevent weak links in a still perimeter-security-based design is hopeless. We need to stop substituting network of origin for real authentication and authorization systems.
I have a friend who works in a casino, and the industry standard is to put untrusted devices on a segregated network.
Even trusted devices are segregated by vendor.
How does a hack like this work? Is the device somehow connected to the Internet, the attackers take over the device, then since that device has access to the casino network, the attackers could then see anything that wasn't secured on the network? (Basically anything that relied on the network being secure for their security?)
At this point I wouldn't be surprised if the high roller database itself were stored on its own IoT device linked to some "high roller analysis as a service" platform.
You’d think these companies would use VLANs or at a minimum a router or layer 3 switch to segregate camera, critical services and fish tank IoT network traffic.
This is such a clickbait article.
It doesn't mention any details of how the data was actually stolen using the thermometer. It doesn't even explicitly say that the thermometer was an IoT device. "Hacked through a thermometer" could mean so many things.
Right now /r/movies is having a laugh about a scene from Rampage where a character hacks a corporate network through a thermostat. Much as I love a good chuckle at "Hollywood hacking", this is a thing that can actually happen.
Maybe the fish tank shouldn't be on the same network as high value assets. That way, vending machines could be accessed by the fish tank but not the mission critical data.
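The segmentation the comments above describe (IoT sensors on their own VLAN, allowed to reach the vending-machine network but never the customer database), as an added example that is not from the thread or the article: a small policy checker that replays flow records against an allowlist of zone-to-zone rules and flags the crossings a segmented network should have blocked. The subnet ranges, port numbers and the log-line format are constructed for the example; nothing here is taken from the incident.

```python
"""Added example (not from the thread): replay constructed flow records
against a zone allowlist and report the flows that cross a segmentation
boundary.  All subnets, hosts, ports and the log format are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed VLAN layout (assumption: one /24 per zone).
ZONES = {
    "iot":      ipaddress.ip_network("10.30.0.0/24"),  # fish-tank sensors etc.
    "vending":  ipaddress.ip_network("10.40.0.0/24"),
    "critical": ipaddress.ip_network("10.10.0.0/24"),  # customer database zone
    "mgmt":     ipaddress.ip_network("10.1.0.0/24"),
}

# Allowlist of (source zone, destination zone, destination port).
# Anything not listed is denied: IoT may talk to the vending zone only,
# and only the management zone may reach the critical zone.
ALLOWED = {
    ("iot", "vending", 443),
    ("mgmt", "critical", 5432),
    ("mgmt", "iot", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the allowlist (default deny)."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
    return "allow" if key in ALLOWED else "deny"


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed log format '<src> -> <dst>:<port>'."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(port))


def find_violations(lines):
    """Return the flows the policy denies: the ones a segmented network
    should have dropped and a detection rule should alert on."""
    return [f for f in map(parse_flow_line, lines) if evaluate(f) == "deny"]


# Constructed sample flows: normal sensor and admin traffic, then a sensor
# reaching for the database zone and for the management network.
SAMPLE_LOG = [
    "10.30.0.17 -> 10.40.0.5:443",
    "10.1.0.2 -> 10.10.0.10:5432",
    "10.30.0.17 -> 10.10.0.10:5432",
    "10.30.0.17 -> 10.1.0.2:22",
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"DENY {f.src} -> {f.dst}:{f.dport} "
              f"({zone_of(f.src)} -> {zone_of(f.dst)})")
```

The same allowlist, expressed as router ACLs or firewall rules between the VLANs, is what actually enforces the boundary; running it over flow logs as above is the cheap check that the boundary is holding, and a sensor zone suddenly talking to the database zone is exactly the event worth alerting on.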
How do you verify a database you stole isn’t a decoy with dummy data?
"S" in "IoT" is for Security
What is a high-roller database?
But, like, seriously.
Fuck casinos. Fuck 'em right in the ear.