Archived Hotel light control hack illuminates lamentable state of IoT security (theregister.co.uk)
submitted ago by bitbomb
Posted by: bitbomb
Posting time: 4.7 years ago on
Last edit time: never edited.
Archived on: 2/12/2017 1:51:00 AM
Views: 65
SCP: 11
11 upvotes, 0 downvotes (100% upvoted it)
OneNutWonder 1 point (+1|-0) (edited)
I know a great deal about the HVAC industry and I can tell you it is plumb full of gaping security holes. Wireshark can show you the sending and receiving device addresses and the plain text data they are exchanging. A lot of places put their entire HVAC/lighting/security systems on the same IT infrastructure as the rest of the building. My coworker and I tested a phone app for this scenario. We got on a building's wifi, did a scan for BACnet IP devices, and started overriding lights, fans, boilers, cooling towers, you name it (it wasn't malicious, and was simply to show how vulnerable they were). Besides the password to get onto the wifi, nothing else is protected. This is the case with a ton of buildings. Only recently have supervisory devices started using HTTPS for the browser UI connection, but on the same network the data that is doing all the work is completely unprotected. What this guy did is just the tip of the iceberg.
Obviously turning lights on and off isn't too bad, but when there is a giant steam boiler, or a large chiller, it would be very easy to cause hundreds of thousands of dollars of damage and you are now in the realm of really being able to hurt people.
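
The plaintext visibility described in the comment above also works for defenders. The following is an added example, not from the article or the commenter: it parses BACnet/IP datagrams captured on UDP port 47808 and flags discovery and write/control requests from hosts that are not known supervisory controllers. The allowlist, the addresses and the sample frames are constructed assumptions.

```python
# Service choices worth alerting on (numbers from the BACnet standard).
CONFIRMED = {15: "WriteProperty", 16: "WritePropertyMultiple",
             17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
UNCONFIRMED = {8: "Who-Is"}

def bacnet_service(p):
    """Return the watched service carried in a BACnet/IP datagram, else None."""
    if len(p) < 6 or p[0] != 0x81 or int.from_bytes(p[2:4], "big") != len(p):
        return None                              # not BACnet/IP, or bad BVLC length
    i = {0x0A: 4, 0x0B: 4, 0x04: 10}.get(p[1])   # unicast, broadcast, forwarded NPDU
    if i is None or len(p) < i + 2 or p[i] != 0x01:   # NPDU version must be 1
        return None
    ctrl, i = p[i + 1], i + 2
    if ctrl & 0x80:                              # network-layer message, no APDU
        return None
    try:
        if ctrl & 0x20:                          # DNET(2) DLEN(1) DADR(DLEN)
            i += 3 + p[i + 2]
        if ctrl & 0x08:                          # SNET(2) SLEN(1) SADR(SLEN)
            i += 3 + p[i + 2]
        if ctrl & 0x20:                          # hop count follows the addresses
            i += 1
        if p[i] >> 4 == 1:                       # Unconfirmed-Request
            return UNCONFIRMED.get(p[i + 1])
        if p[i] >> 4 == 0:                       # Confirmed-Request
            seg = 2 if p[i] & 0x08 else 0        # segmented: sequence no. + window
            return CONFIRMED.get(p[i + 3 + seg])
    except IndexError:                           # truncated or malformed frame
        pass
    return None

def alerts(packets, supervisors):
    """packets: (src_ip, udp_payload) pairs captured on UDP 47808."""
    seen = ((src, bacnet_service(pl)) for src, pl in packets)
    return [(src, svc) for src, svc in seen if svc and src not in supervisors]

# Constructed sample traffic; request parameters replaced by two filler bytes.
SUPERVISORS = {"10.20.0.5"}                      # assumed known head-end controller
SAMPLE = [
    ("10.20.0.5", bytes.fromhex("810a000c01040005010f0000")),   # WriteProperty, allowed
    ("10.20.0.77", bytes.fromhex("810b000c0120ffff00ff1008")),  # Who-Is, unknown host
    ("10.20.0.77", bytes.fromhex("810a000c01040005020c0000")),  # ReadProperty, not watched
    ("10.20.0.77", bytes.fromhex("810a000c01040005030f0000")),  # WriteProperty, unknown
]

if __name__ == "__main__":
    for src, svc in alerts(SAMPLE, SUPERVISORS):
        print(f"ALERT {src} sent {svc}")
```

Run against a capture taken from a mirror port on the building-automation VLAN, anything this reports from outside the supervisor list is either an unregistered controller or a client that should not be on that network.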