Is your home really your castle?
In 2013, Google – one of the world’s pre-eminent tech companies – was hacked.
It wasn’t its search engine that was attacked or its advertising platform or even its social network, Google+. Instead, it was a building. Two cybersecurity experts hacked into its Wharf 7 office in Sydney, Australia, through Google’s building management system (BMS).
One of them, Billy Rios, says: “Me and my colleague have a lot of experience in cybersecurity, but it is not something that people couldn’t learn.
“Once you understand how the systems work, it is very simple.”
He found the vulnerable systems on Shodan, a search engine that lists devices connected to the internet, and then ran them through his own software to identify who owned the building.
In the case of the Google hack, the researchers had no nefarious purpose, did no damage and informed Google about the vulnerabilities they found.
According to Mr Rios, who runs security company Whitescope, there are 50,000 buildings currently connected to the internet – including research facilities, churches and hospitals – and 2,000 of those are online with no password protection.
“That is 2,000 buildings where you can access systems that heat and cool the building and potentially gain access to the controls of the doors,” he says.
Martyn Thomas, a professor of IT at Gresham College in the UK, states: “It is beyond doubt that attempts to attack building management systems are happening all the time.”
Making a building smart generally means connecting the systems that control heating, lighting and security to the internet and the wider corporate network.
There is a compelling reason for doing this: energy savings are the biggest factor in connecting building management systems to the corporate network, cutting current bills by between 20% and 50%.
But it also makes them less secure.
There are various scenarios where a hacked building could have dire consequences.
Imagine, for instance, a malicious attack at an old people’s home where, in the depth of winter, hackers gain control of the heating system and shut it down.
Or a hospital where hackers take over the lighting or electricity system.
Or thieves who walk into a building they want to rob simply by overriding the system that controls the security.
And if any of these feels like a Hollywood film script, think again.
In 2013, the US Department of Homeland Security revealed hackers had broken into a “state government facility” and made it “unusually warm”.
An attack on US retailer Target, in which millions of customers’ credit card information was stolen, was traced back to the heating and ventilation system.
And, at the beginning of the year, a Ukrainian power station was hacked. Although spear-phishing – where an employee is duped into bringing malware into the system by clicking on an email or link – was blamed as the means of entry, the result was physical – nearly 80,000 customers were left without power.
To minimize risk, it is recommended that these smart systems be kept entirely separate from corporate networks, because it is virtually impossible to ensure the code behind them is hacker-proof.
The ‘Internet of Things’ truly poses a new challenge to keeping yourself safe!