January 16, 2019 at
While smart buildings are mostly considered to be a good thing which advances the automation of buildings that house different institutions, businesses, and even homes — their security measures seem to be far from perfect.
According to a recent report by the cybersecurity company ForeScout, smart buildings (homes, hospitals, airports, government buildings, etc.) are extremely vulnerable to malicious attacks. Most of the modern buildings are filled with IoT (Internet of Things) devices which contribute to BAS (Building Automation Systems).
IoT devices are known for their lack of security, as they often use weak passwords which their users never bother to change or strengthen in any way. These devices may include anything from fridges and smartwatches to cars, security systems, and even entire homes. The popularity of smart devices has been growing in recent years, and the automation of buildings is seen as the way to go.
While this is certainly helpful in numerous situations, researchers claim that the security of such machines continues to be a huge problem. During their research, ForeScout managed to discover thousands of devices that had no real protection by simply using search engines Cenys and Shodan. The worst part is that a lot of the vulnerable devices are being used in schools, hospitals, airports, data centers, businesses, and alike.
Researchers have also stated that vulnerable devices do not even require hackers’ full attention and that most of them can be endangered by malicious software which can access them and cause harm. This is not exactly a new discovery, as there were countless malware attacks on industrial controls systems (ICS) in recent years.
Some of the best-known attacks are those against Ukrainian power grids and the Bushehr, the Iran-based nuclear power plant which had its programmable logic controllers hit by a Stuxnet worm which remained there undetected for months. In recent years especially, malware attacks grew not only in quantity but also in sophistication.
New Proof-of-Concept Malware
To prove their point and show how easy it would be for the right malware to target and take control of smart buildings and their devices, researchers have created their own proof-of-concept malware. According to them, it might only be a matter of time before BAS systems end up being as endangered as ICSs, with just as devastating consequences.
According to their findings, attackers could use similar malware to overtake smart buildings for a variety of purposes. Not only would they be able to manipulate heating, ventilation, and air conditioning (HVAC) systems, but they could also use their access to steal sensitive information.
However, consequences could be even worse than that. Since all kinds of different institutions are using BAS, potential attackers can also harm people in a variety of ways. Numerous hospital devices could be disabled or permanently damaged, the airport security systems could be affected, and even tunnels and mine workers could be harmed as they rely on vital, yet unprotected technology.
Numerous vulnerabilities that researchers have discovered (which are supposedly patched at this point) would be easy for their malware to exploit.
According to ForeScout’s Elisa Costante, one of the report’s authors, data centers might be one of the prime targets of smart building attacks. Data centers depend on HVAC systems which provide a proper environment for servers in need of cooling. If those systems were to shut down, the damage to hardware would be irreversible, while massive amounts of data would be lost.
As mentioned, the vulnerabilities have been patched, but that doesn’t mean that all of the vulnerable devices have applied those patches. Researchers say that the bad update strategies are the reason for this and that approximately only one-third of the initially discovered devices have applied the newly-created patches. In other words, a lot of smart buildings (and individual devices) still remain highly vulnerable, and attacking those might be the next big hacking trend.