The Internet of Things (IoT) is – a buzzword, but also – a technology with a huge global potential in many industries. The origin of IoT is from the growing number of connections between computing devices, machines and objects creating an enormous network without requiring human interaction. IoT is becoming increasingly popular, available and implemented. With prices of sensors being at all time low, this is the time to invest in IoT networks. In line with this, the market of Smart Buildings is vastly growing. But, this increasing connectivity of devices to the internet bring security questions. Since all these devices have an internet connection, all of them are potential gateways from hackers to the internet. Increased building automation creates new risks and enables increased impact for traditional risk. Therefore, are smart buildings really that smart?
Globally, the market for smart buildings was valued at around USD 5.800 million in the year 2016 and it is expected to reach approximately USD 61.900 million by 2024 (Zion Market Research, 2019). In the Netherlands 95% of all newly built buildings are smart. And next to that, building automation is growing in established houses. The main control of a smart building is a Building Automation System (BAS). The system controls all smart components of a smart building. The BAS usually governs access & identity control, power management and assurance systems, heating ventilation and air conditioning (HVAC), fire detection and alarm systems.
So what could possibly go wrong?
Data Breach
Hackers see smart components of smart buildings as a point of entry for obtaining data. Logging into a BAS is not difficult and can be reached through the internet. Default usernames and passwords are often used, which makes it even easier to crack open a system (van Hooijdonk, 2019). Entire IT networks of companies can be accessed through the BAS, making data vulnerable. This happened in Emmen to a housing corporation where unsecure solar panel IT systems were hacked and data has been breached at their residents (RTV Drenthe, 2017). Similarly, a Brazillian bank has suffered from a data breach, where hackers accessed their systems through their IoT devices (Geenens, 2018).
Control over systems
As described earlier, accessing a BAS is not too hard for an experienced. When hackers have obtained access to the BAS, they could control the whole building. Imagine that a hacker changes the temperature in a server room to very high levels, making servers crash (Korolov, 2016). Similarly, imagine that it happens to your own house. This has happened to Arjun and Jessica Sud from Lake Barrington, a village in the US state of Illinois. Their cameras, speakers and heating system were hacked, resulting in a hacker screaming through a speaker, turning up the heating to 32 degrees Celsius and talking to their 7-month old baby through their baby monitor (van Hooijdonk, 2019).
Ransomware & Siegeware
Smart buildings are becoming popular ransomware targets for hackers, called Siegeware when they target a BAS. With this Siegeware, a hacker disables all smart systems within the building, rendering it useless. Extorting companies through this method is becoming more popular with criminals. In an Austrian hotel, all locks could not be unlocked or locked since a ransomware attack has shut down parts of its BAS (Higgins, 2019).
DDoS Attack
A DDoS attack is an attack where a server is overloaded with traffic from multiple sources in order to make it unavailable. If a BAS is overloaded through a DDoS attack, various systems could get inaccessible as they are not able to cope with the enormous amount of traffic and can completely freeze/ shut down as a result. This happened in Finland, where heating systems two residential buildings were completely shut down (Higgins, 2019).
To answer the question ‘How Dumb are Smart Buildings?’: Too many smart buildings are very dumb! If your residence is a smart building, definitely consider testing the security of the system. You could even try to hack your own smart heating system yourself after some Googling. Personally, I think it is ridiculous that organizations accommodate people that live in an unsecure environment. It is like having a house without any locks, when a BAS is vulnerable.
Sources:
Geenens, P., 2019. IoT Hackers Trick Brazilian Bank Customers into Providing Sensitive Information. [Online]
Available at: https://blog.radware.com/security/2018/08/iot-hackers-trick-brazilian-bank-customers/
[Accessed 6 October 2019].
Higgins, K. J., 2019. Malware Built to Hack Building Automation Systems. [Online]
Available at: https://www.darkreading.com/vulnerabilities—threats/malware-built-to-hack-building-automation-systems/d/d-id/1333671
[Accessed 6 October 2019].
Korolov, M., 2016. IBM’s X-Force team hacks into smart building. [Online]
Available at: https://www.csoonline.com/article/3031649/ibms-x-force-team-hacks-into-smart-building.html
[Accessed 6 October 2019].
van Hooijdonk, R., 2019. Smart homes and buildings are a new battlefield for hackers and security experts. [Online]
Available at: https://richardvanhooijdonk.com/blog/en/smart-homes-and-buildings-are-a-new-battlefield-for-hackers-and-security-experts/
[Accessed 2019 October 2019].
Zion Market Research, 2018. Smart Building Market by Automation Type. [Online]
Available at: https://www.zionmarketresearch.com/report/smart-building-market
[Accessed 6 October 2019].