People may think I’m nuts to suggest it, but I truly believe that one of the most important skills needed in the built environment over the next couple decades lies within the realm of computer programming. After all, someone needs to program all the robots…
Each year in Las Vegas, elite hackers from around the world gather at DEFCON to discuss the latest trends in computer network security. Do some googling if you are interested in learning more about the event…
This year, Daniel “unicornFurnace” Crowley, Jennifer Savage and David Bryan will present a topic that should cause professionals in the architecture, engineering, construction, insurance and legal industries to take notice. Their presentation is called, Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices.
In a recent article in Forbes, Kashmir Hill (no relation) describes how she was able to easily gain control over strangers’ home automation equipment:
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.
Thomas Hatley’s home was one of eight that I was able to access. Sensitive information was revealed – not just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world. The names for most of the systems were generic, but in one of those cases, it included a street address that I was able to track down to a house in Connecticut.
Unfortunately, that is just one example. Crowley, who runs a security consulting firm called Trustwave, found other vulnerabilities:
He and his colleague found security flaws that would allow a digital intruder to take control of a number of sensitive devices beyond the Insteon systems, from the Belkin WeMo Switch to the Satis Smart Toilet. Yes, they found that a toilet was hackable. You only have to have the Android app for the $5,000 toilet on your phone and be close enough to the toilet to communicate with it.
“It connects through Bluetooth, with no username or password using the pin ‘0000’,” said Crowley. “So anyone who has the application on their phone and was connected to the network could control anyone else’s toilet. You could turn the bidet on while someone’s in there.”
Tickets are still available for this year’s DEFCON event which kicks off August 1st. One word of advice if you do decide to attend: disable all network communications on any advice you have, or better yet, don’t bring any device with you. Just google “wall of sheep” to see why…
Security researchers from Cylance have identified a serious flaw in the internet-enabled Honeywell Tridium Niagara AX line of building automation products. The researchers demonstrated how hackers could gain root-level access to the control system in less than 25 seconds. The Tridium product line provides control over crucial building systems such as security, mechanical, electrical, and plumbing.
Dan Goodin, writing for Ars Technica reports:
Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or sabotaging large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.
Luckily, the researchers have been working with Honeywell to patch the flaws, according to Wired:
A Tridium spokesman said the researchers notified the company about the vulnerability last December and has been working on a patch to fix the vulnerability, which they expect to release this month.
“We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today,” spokesman Mark Hamel said in a statement. “The vast majority of Niagara AX systems are behind firewalls and VPNs — as we recommend — but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.”
Not An Isolated Occurrence
Most disconcerting, is that this is just the latest “proof of concept” vulnerability reported relating to building automation and industrial control systems. Goodin writes:
A raft of other ICS devices have been found to contain similar critical defects, including those from Siemens-owned Ruggedcom and another line of mission-critical routers made by a Fremont, California-based GarrettCom…
Security experts have long argued that the convenience often comes at the price of security, and there are some disturbing examples of the risks from the last couple of years. In 2009, a recently discharged security guard who had physical access to ICS computers was arrested after posting screen shots and videos showing him planning to remotely cripple air-conditioning systems at a Texas hospital, where temperatures regularly reach into the triple digits. Last year, hackers illegally accessed the Internet-connected heating and air-conditioning controls of a New Jersey-based company. The vulnerability the intruders exploited was the same one Tridium patched in secret last year.