Ampyx Cyber

Cyber crooks are hacking the lights and heating

Researchers show devices that were hacked in a building cyberattack that prevented operators from controlling the lights and the heat. Image: Ampere News

BY KERRY TOMLINSON, AMPERE NEWS

November 14, 2022

Feeling a bit chilly at the office?

Researchers say cyber attackers have found a way to take over smart devices that control lights, heating, door locks, and other services in office buildings.

They've hit at least 20 buildings so far.

Cold and dark

It's 6:00 am at the office. The lights turn on, the heating ramps up, doors unlock. The building is ready for a day of work.

Until attackers decide it's time for a long break.

"It was just a random Friday afternoon call. A technician [told] us that his building was completely locked down, and he couldn't operate the building anymore," said Felix Eberstaller with cybersecurity company Limes Security in Austria and Germany.

"For example, he could not control the light anymore," added colleague Peter Panholzer, "He could not control heating and ventilation anymore. Very essential functionality for a building, right?"

They launched an investigation to find out why the devices froze up and, they hoped, to bring the building back to life, as Panholzer described in a talk at the S4x22 cybersecurity conference in Miami.

They are not revealing where the building is located, though they say a German engineering company is the one who requested help for one of the company’s customers.

Tables Turned

Some of the devices are motion sensors to turn on lights in a room. Others control ventilation. There are hundreds of them in the building. The researchers broke open some of the device cases to get to the electronics inside and investigate further.

You can give these devices a special key --- like an extra password --- to keep attackers out. But in this case, the attackers were the ones who set the key and locked the real owners out, according to Eberstaller and Panholzer.

"We're very curious. Once we see a problem, we're very hooked, so we don't give up," said Panholzer.

"The operators couldn't use the building in the meantime," said Eberstaller. "So, there was some pressure behind it."

Four Years?

The researchers tried "brute-forcing" the devices, where they tried many different passwords to see if they could guess the secret key. But it was slow going.

"We did some math," said Panholzer. "And at the end, we had to say, 'Well, if we continue with that --- that brute-force --- that will take four years. And it might be that they would be happy to access the building before that.' So, that was obviously not the way to do it."

Haystack, needle

Finally, they decided to try the "needle in a haystack" approach, going through all the data in one of the devices to see if they could find a pattern that would reveal the 8-character special key.

They narrowed in on the area they thought might hold the needle.

"Had a look at it under the microscope because it's very small. What are the parts where we most likely will find the key?" Panholzer explained.

After a week’s worth of research, they found an 8-character code that looked promising.

Would it work?

"Actually, had an online call together with the technician where we could remotely see his screen on the engineering software where he typed in our key," said Panholzer. "And fingers crossed."

Success.

"At the end, actually could see one component after the other, how it gets reprogrammed and is up and running again. So, that was a good moment," he said.

Back in action

Lights on, heating and cooling in motion. Even a dentist's office in the building returned to work.

"They have air pressure for the drill, like they use to drill into the teeth," said Eberstaller. "The dentist couldn't operate anymore because the pressure wasn't working anymore."

"You've prepared for this situation [for] weeks. And finally, you are there. And the dentist tells you, 'Nope. We cannot work,'" said Panholzer. "Yeah, it's not funny."

"I mean, now, the aftermath, it's funny, right?" Panholzer added. "It's a curious situation. But it could actually lead to a really devastating situation."

Unprotected

The number of building automation system hacks like this one has slowed recently, Panholzer said, but they still occur.

The smart devices themselves are not the problem, according to the researchers. Instead, some people are connecting them to the Internet without protection.

Attackers can then search for the devices and take them over. So far, the attackers are not holding them for ransom, but simply shutting them down. It could be cyber vandalism or practice for something bigger in the future.

If you use these devices, don't connect them to the Internet without a firewall and/or a VPN, or virtual private network, the researchers said.

And it could be a good idea to set the extra security key before attackers use it against you. 

The vendor of the building automation system technology, KNX, also provides advice on how to protect the system.
