Ken Munro, Managing Partner at Pen Test Partners, discusses how vulnerabilities in smart building systems are exposing organisations to real-world security risks as connectivity increases.
There’s a great scene in Hackers, the movie, where the protagonist accesses the sprinkler systems of his school and turns them on, to amusing effect.
Both the security and functionality of smart building systems have moved on somewhat in the past 30 years: Fortunately, passwords have evolved from the clichés of ‘love’ and ‘secret’, but we keep finding plenty of security challenges in the connected buildings of today.
The physical consequences are still the same, though: A flooded office that can’t be used for months until repairs have been completed; or it could be the heating system that’s been nixed, meaning staff are forced to work from home in the winter; or a fresh goods refrigeration plant that fails, trashing millions of pounds worth of stock.
The list of potential issues from weak security in our intelligent buildings is growing in line with increased connectivity.
Since the pandemic, office buildings have received particular attention.
Varied working habits have resulted in the office often being empty on a Monday and Friday, but at or over capacity during the rest of the week.
Managing space has been a challenge. Further, rising energy costs have also driven office owners and operators to look for efficiency and economy.
The value of some commercial office space can depend on its occupancy: An office with a tenant that has good utilisation of the space is likely to be more valuable than one with a tenant using a fraction of their capacity.
Downsizing or renegotiation is likely in the latter case.
Hence, knowing the utilisation of an office building is an important factor in its value.
Enter occupancy sensors, tracking everyone coming and going, so one has accurate stats.
These are typically small cameras mounted on ceilings. You might see one over the doorway of your commuter train, too.
Here’s the rub: The tech is in its infancy, with products being rushed to market.
We’ve looked at a few, only to discover that the actual hardware was a repurposed CCTV camera.
Like so many CCTV cameras, it also had a microphone. That microphone had not been properly disabled: a few keystrokes later and we had audio.
That device could be turned into a listening bug. The cloud platform behind one device we looked at also had security flaws, allowing remote compromise.
The Target breach back in 2014 was attributed to a facilities management firm that managed the HVAC system.
Cellular data costs back in the day were significant, so most remote connections were arranged in discussion with the client, and access could be granted and controlled.
Mobile data costs have dropped hugely since.
As a result, we keep finding cellular modems attached to HVAC and other connected office devices.
These are usually installed by the FM provider or the organisation supporting that HVAC system.
The office operator often has no knowledge or visibility of this remote access, as there is no connection to their network.
The first thing they know is when we go fishing around plant rooms, suspended ceilings and under raised floors.
Unmanaged access from unknown sources, installed without discussion by organisations without a clear understanding of security. Wow.
Who doesn’t love meeting room displays and the reduction in arguments about who has booked what room when and for how long?
Those displays are rarely Windows-based, yet they connect to your domain.
They are often Android-based with a tablet form factor or custom hardware that comes complete with the challenges of maintaining these operating systems as they age.
Have a look at the calendar appointment you created for your last in-person meeting.
You probably included the meeting room itself to ensure you had booked it.
Did you include attachments that related to the meeting?
Now we have attachments synced to a non-Windows device that sits outside all of your meeting rooms, yet it’s on your domain.
Tests we’ve conducted on these devices have resulted in us accessing sensitive M&A documents from a boardroom meeting room booking display.
Makes you think, doesn’t it?
Our office atriums and restaurants often contain smart display screens for promoting events and more.
Again, these are often a Windows device or an Android tablet providing high quality, dynamic visuals.
Yet again, we’ve connected a system that is probably provided by a third party who specialises in display systems.
They likely have a different view of security to you and probably provide a ‘service’ whereby they provide remote support to ensure uptime.
And we’ve taken domain admin at organisations through display screens like these.
I get frustrated by organisations that finger the Flipper as a major threat because it can clone access cards for your speed gates.
The Flipper and plenty of other cloning equipment can clone vulnerable access cards.
Choose the right access card and engage an access control company that can configure it properly, and no, they can’t be cloned.
We keep seeing poorly configured and vulnerable access control systems being installed.
Key points to look for are ensuring that older, deprecated protocols are not supported and that unique, cryptographically robust, non-sequential keys per card (and reader) are used.
But there’s plenty more on that subject.
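As an added illustration of the key requirement above (not part of the original article and not any vendor's scheme), this Python sketch derives a distinct key per card and reader group, then audits a key export for shared, trivial or sequential keys. HMAC-SHA256 as the derivation function, the export format, the function names and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac

def derive_card_key(master_key: bytes, card_uid: bytes, reader_group: bytes) -> bytes:
    """Derive a 128-bit key unique to one card and one reader group.
    Assumption: HMAC-SHA256 stands in for the vendor's key-diversification KDF."""
    msg = bytes([len(card_uid)]) + card_uid + reader_group  # length prefix avoids ambiguity
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:16]

def audit_keys(records):
    """records: (card_uid, key_hex) pairs from a hypothetical key export.
    Returns a sorted list of (card_uid, finding) for keys that break the rules."""
    by_key = {}
    for uid, key_hex in records:
        by_key.setdefault(key_hex.lower(), []).append(uid)
    findings = set()
    for key_hex, uids in by_key.items():
        if len(set(bytes.fromhex(key_hex))) == 1:  # e.g. all 00 or all FF
            findings.update((u, "trivial key") for u in uids)
        if len(uids) > 1:
            findings.update((u, "key shared between cards") for u in uids)
    ordered = sorted(by_key, key=lambda k: int(k, 16))
    for a, b in zip(ordered, ordered[1:]):
        if int(b, 16) - int(a, 16) == 1:  # neighbouring keys differ by one
            findings.update((u, "sequential key") for k in (a, b) for u in by_key[k])
    return sorted(findings)

# Constructed sample data, not taken from any real installation.
WEAK_EXPORT = [
    ("04A1", "ffffffffffffffffffffffffffffffff"),
    ("04A2", "ffffffffffffffffffffffffffffffff"),
    ("04A3", "000102030405060708090a0b0c0d0e10"),
    ("04A4", "000102030405060708090a0b0c0d0e11"),
]

def diversified_export(master_key: bytes, uids, reader_group: bytes = b"speed-gates"):
    """Build the same kind of export using per-card derived keys."""
    return [(u, derive_card_key(master_key, bytes.fromhex(u), reader_group).hex())
            for u in uids]

if __name__ == "__main__":
    import secrets
    for uid, finding in audit_keys(WEAK_EXPORT):
        print(uid, finding)
    good = diversified_export(secrets.token_bytes(32), ["04A1", "04A2", "04A3", "04A4"])
    print("findings after diversification:", audit_keys(good))
```

The same audit can be run against whatever key list your access control installer is able to export; any finding is a question to put to them.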
More than anything, go talk to your facilities teams.
They will know what systems are connected, what legacy is lying around and what support services third parties might be providing via remote connections.
I strongly recommend you ask them to tour you around the plant rooms and machinery spaces in your buildings.
Ask about the various industrial controllers found there, ask about the building management systems and ask them about the consequences of systems going offline.
You might be surprised how keen they are to engage. Coffee and donuts often help though!
Bring your smart building systems into your oversight.
And then have a listen to the Hackers soundtrack whilst you revisit your building management systems security.
This article was originally published in the May edition of Security Journal UK.