Throwback Attack: Smart buildings, smarter hackers

Courtesy of: CFE Media and Technology

As society has delved deeper into the fourth — and soon to be fifth — industrial revolution, technology has become more woven into our everyday lives. Once upon a time, smart technology was found only in computers and phones, but now it’s in refrigerators and toasters, as well. This evolution of smart tech has led to a more recent development: smart buildings.

In 2021, a German smart building was attacked by threat actors, who took control of its security system and locked out the building engineer managers. This caught the firm off guard, but they reacted swiftly in an attempt to clean up the mess the attacker had created. Smart building hacks have always been a fear, but this was a manifestation of what could happen, though far from the worst-case scenario.

Smart buildings: A brief history

The concept of smart buildings was first developed in the 1970s, when an oil spill off the coast of California sparked a need for more efficient building environments. This need for efficiency also stemmed from increasing energy costs. Thus, the U.S. government passed a bill called the Green Building Movement, which triggered a push for innovation in building efficiency. The first hint at what the future of smart buildings would hold came in the ’80s when United Technology Building Systems created “intelligent buildings” that allowed heating, air conditioning and ventilation to be controlled remotely.

The term “smart buildings” began to appear in the early 2000s. People were becoming more environmentally conscious, and a shift to smart buildings catered to that new ethos. These improvements were mainly an attempt to reduce buildings’ carbon footprint.

Now, as we reach the end of the first quarter of the 21st century, we are seeing smart buildings that are more adaptable than ever before. Chip-enabled cards let employees enter buildings, doors can be locked and unlocked with an app, and sensors can tell you how many people are in a room. Furthermore, smart buildings can integrate with the cloud and greatly reduce a building’s carbon footprint.

Smart buildings have the potential — and have proven — to be a leap forward in technology and innovation. However, that creates problems of its own, especially when it comes to cybersecurity.

The downside of smart buildings

The problem with smart buildings is very simple to diagnose but complicated to remediate. Because smart buildings are so connected to the internet and must be accessible from remote locations, they are inherently more vulnerable to cyberattacks from threat actors. Everything is networked, from elevators to thermostats to clocks. Threat actors can take advantage of this network in many ways with different attacks (ransomware, DDoS, etc.). For example, it would be possible for a seasoned adversary to access a building remotely and lock the doors, turn the boilers up, and cause mass building fires or explosions. Although this is an extreme example, the further we push into a digitized world, the greater the risk threat actors pose. Any building that is networked — from nuclear facilities to hospitals — is vulnerable.

Attack on a German building automation system (BAS)

In the case of the German smart building, the threat actor was able to breach the firm’s system through an unprotected entry point exposed to the internet. From there, they began to cause problems.

According to DarkReading, “The firm … discovered that three-quarters of the BAS devices in the office building system network had been mysteriously purged of their ‘smarts’ and locked down with the system’s own digital security key, which was now under the attackers’ control.”

The hackers were able to use the firm’s own security measures to block out building engineers from directly accessing the BAS. The attackers not only blocked access, but they also wiped the systems, rendering them useless.

Because of this, the engineers needed to go into the system manually to turn the BAS back on. Luckily, the hacker used the same password to get into all of the different systems, making the recovery a relatively simple process.

According to DarkReading, “BAS systems aren’t configured with any logging functions, so the attackers don’t leave behind any digital footprints per se. Their attacks left no ransom notes nor signs of ransomware, so it’s unclear even what the endgame of the attacks was.”

Preventing future attacks

DarkReading warns, “Ransomware and extortion attacks on a BAS could be used to target facility management companies, or more ominously, hospitals.”

There is no 100% infallible way to prevent all attacks on smart buildings — or any technology for that matter. However, there are ways to mitigate risk and enable a swift response. A few examples are:

Employee training – Perhaps one of the simplest implementations is to train employees in good security habits — e.g., not clicking on phishing emails and improving password hygiene — and to say something when a piece of technology seems to be acting out of the ordinary.

Software updates – Perform regular software and firmware updates so that any known vulnerabilities are patched.

Regular auditing – Routine audits are a great way to ensure that everything is acting normally, and they allow for a swift response if something isn’t functioning as it should.

Smart buildings are a fantastic way to reduce a building’s carbon footprint. The cutting-edge technology provides new insights and opportunities, making many things easier. However, being on the cutting edge also invites challenges from cyber adversaries and gives them access to more than ever before.



