At the Hack in the Box (HITB) security conference in Amsterdam, Steffen Wendzel, head of Fraunhofer FKIE, presented "Alice's Adventures in Smart Building Land – Novel Adventures in a Cyber Physical Environment" (pdf). This wasn't "just" weaponizing your coffee pot. Brace yourself, because Wendzel warned that a new class of botnet is coming. In fact, smart building botnets won’t be used for boring things like denial-of-service attacks or even refrigerators sending spam. Instead he predicts “novel scenarios” like remote access to sensor data for mass surveillance, or remotely locking a building and holding the people inside for ransom. An example of a regional attack might be heating levels being slightly increased in buildings overnight in order to sell more oil or gas.
First, building automation systems (BAS) were defined as “IT components integrated in and capable to control and monitor buildings. BAS are aiming to improve the energy efficiency of houses, to increase the comfort and safety for people living or working in a building, and to decrease a building’s operation costs. Therefore, it is necessary to enable a BAS to control critical equipment like smoke detectors or physical access control components.”
A building is “smart” if it is integrated into the Internet of Things to allow for remote monitoring and management. “Smart” buildings could include smart homes, commercial buildings or large complexes. Nobody knows exactly how many building automation systems (BAS) are accessible via the Internet, but there are more than 15,000 in the US and 9% of those have known security vulnerabilities. “Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals.”
BAS sensors include temperature, humidity, or presence sensors; BAS actuators are things like electronic light switches or HVAC (heating, ventilation, air-conditioning). Both can be remotely controlled and are prone to attacks at physical, software (code injection) and network levels. Although BACnet (“Building Automation Control network”) is used worldwide by more than 730 vendors, authentication and encryption are rarely implemented. There is a large attack surface such as smurf attacks, router flooding, traffic redirection, DoS re-routing, malformed messages, and inconsistent re-transmissions.
If that talk didn’t deal more with Eve’s adventures than Alice’s, then the research paper titled “Envisioning Smart Building Botnets” (pdf) certainly does. It discusses how building automation botnets will be added to current botnet infrastructure to “enable attackers to cause various critical damage on whole regions and economies.” The researchers expect that, after some tweaks, the flow of information in command and control communications could be hidden by using covert channels.
The benefits for malware developers are manifold. First, malware attackers could monitor events (e.g. movement patterns) in a large number of buildings and could thus create usage profiles of inhabitants, which could be sold later on a black market. Second, miscreants can aim at causing a denial-of-service in a building (e.g. forcing an evacuation by a false fire alarm). Third, in contrast to mobile devices and PC systems, BAS are permanently available, rarely modified, face nearly no security features, are designed for long-term deployment and are rarely patched. This makes them an excellent choice for placing bots. Fourth, buildings can be used to blackmail their inhabitants and owners (e.g. forcing the transfer of money to a bank account to end a disruption on a critical system such as an airport baggage transfer system or lifts in a hospital).
Attackers could use malware to “take advantage of the actuators of a building such as heating, air-conditioning, ventilation or elevators.” The researchers suggested that actuator-based attacks on physical control systems could be aimed to hit multiple airports or hospitals simultaneously. An attacker could disable fire alarms and then set the building on fire, or set off the fire alarm at the airport as an evacuation would cause chaos.
“According to the botnet’s size, entire smart cities or even economies could theoretically become part of a smart building botnet.” The researchers listed seven new BAS botnet attack scenarios, which included some odd botnet-for-hire attack scenarios such as:
- Coordinated attacks on smart appliances as well as turning up the heat or air conditioning levels at night could increase energy consumption sales over an entire region.
- Excessive heating affects people’s efficiency and capability to work, so an attack on a Stock Exchange building could include increasing the temperature to slow down a trader’s reaction time.
- A BAS botnet could simultaneously crank up the heat to a high number of server rooms, which would cause denial of service due to server failures.
- BAS integration can be part of ambient assisted living (AAL) for the elderly, so “an assailant could try to blackmail inhabitants of a high number of buildings by attacking these buildings. Elders, handicapped and weak people could be locked inside buildings (by closing windows and doors automatically) if they do not transfer an amount of money to a given bank account.”
The research paper then looked at ways that BAS installations could be infected with botnets:
- Search for vulnerable BAS via SHODAN to find internet-connected control systems worldwide and then exploit vulnerabilities. How many are there? “In the USA, BAS are available even more often than SCADA systems, PLC systems, HMIs and other automation equipment.”
- There’s a manual approach of BAS wardriving, during which attackers drive through a city or region to find wireless BAS. That’s a slow, painful process and therefore unsuitable for setting up botnets, but it might be made easier in the future if GPS-enabled smartphones can find all wireless BAS within a region.
- Or go back to SHODAN, find directly accessible BAS installations, and probe to determine if they respond to BAS protocol commands. If so, no botnet software is required to execute monitoring commands. This approach is more likely to be discovered than a botnet using covert channels.
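Two points above deserve a concrete defender-side check: BACnet is deployed with authentication and encryption rarely implemented, and the paper's cheapest infection route is simply finding installations that answer BACnet commands directly from the Internet. The script below is an added example, not code from Wendzel's talk or paper. It decodes the BACnet/IP (BVLC/NPDU/APDU) headers of UDP datagrams to name the service being requested, then flags two conditions a building operator would want alerted on: any BACnet traffic arriving from a non-RFC 1918 source address (the "directly accessible BAS" case), and any actuator-changing service (WriteProperty, DeviceCommunicationControl, ReinitializeDevice and their multi-property variants) from a host that is not the approved building management server. The flow records, IP addresses (203.0.113.0/24 is the documentation range) and allow-list are constructed for the example; the service-choice numbers come from the BACnet standard (ASHRAE 135).

```python
import ipaddress
from dataclasses import dataclass

BACNET_PORT = 47808  # UDP 0xBAC0, the registered BACnet/IP port

# RFC 1918 ranges: a BACnet datagram from any other source means the
# installation is reachable from outside the site network.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Service choice numbers from ASHRAE 135 (unconfirmed and confirmed requests).
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x01: "I-Have", 0x07: "Who-Has", 0x08: "Who-Is"}
CONFIRMED_SERVICES = {
    0x0C: "ReadProperty", 0x0E: "ReadPropertyMultiple",
    0x0F: "WriteProperty", 0x10: "WritePropertyMultiple",
    0x11: "DeviceCommunicationControl", 0x14: "ReinitializeDevice",
}
# Services that drive actuators or take a controller offline.
CONTROL_SERVICES = {"WriteProperty", "WritePropertyMultiple",
                    "DeviceCommunicationControl", "ReinitializeDevice"}


@dataclass
class Finding:
    src: str
    service: str
    reason: str


def bacnet_service(payload: bytes):
    """Name the APDU service in a BACnet/IP datagram, or None if it is not one."""
    if len(payload) < 6 or payload[0] != 0x81:          # BVLC type for BACnet/IP
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                                      # BVLC length must match
    npdu = payload[4:]
    if npdu[0] != 0x01:                                  # NPDU protocol version
        return None
    control = npdu[1]
    if control & 0x80:                                   # network-layer message, no APDU
        return "NetworkLayerMessage"
    i = 2
    if control & 0x20:                                   # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + npdu[i + 2]
    if control & 0x08:                                   # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + npdu[i + 2]
    if control & 0x20:
        i += 1                                           # hop count follows the addresses
    apdu = npdu[i:]
    if not apdu:
        return None
    pdu_type = apdu[0] >> 4                              # high nibble of first APDU octet
    if pdu_type == 0x1 and len(apdu) >= 2:               # Unconfirmed-Request
        return UNCONFIRMED_SERVICES.get(apdu[1], f"Unconfirmed-{apdu[1]}")
    if pdu_type == 0x0:                                  # Confirmed-Request
        idx = 5 if apdu[0] & 0x08 else 3                 # segmented: seq + window precede service
        if len(apdu) > idx:
            return CONFIRMED_SERVICES.get(apdu[idx], f"Confirmed-{apdu[idx]}")
    return f"PDU-type-{pdu_type}"


def scan(records, allowed_writers):
    """Flag BACnet from the Internet and control services from unapproved hosts."""
    findings = []
    for src, _dst, dport, payload in records:
        if dport != BACNET_PORT:
            continue
        service = bacnet_service(payload)
        if service is None:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in RFC1918):
            findings.append(Finding(src, service, "BACnet from non-RFC1918 source"))
        elif service in CONTROL_SERVICES and src not in allowed_writers:
            findings.append(Finding(src, service, "control service from unapproved host"))
    return findings


# Constructed sample flow records: (src, dst, dst_port, UDP payload).
SAMPLE_RECORDS = [
    # Who-Is broadcast from an internal workstation: normal discovery
    ("10.0.5.20", "10.0.5.255", 47808, bytes.fromhex("81 0b 00 0c 01 20 ff ff 00 ff 10 08")),
    # I-Am reply from a controller
    ("10.0.5.7", "10.0.5.255", 47808, bytes.fromhex(
        "81 0b 00 18 01 20 ff ff 00 ff 10 00 c4 02 00 00 07 22 05 c4 91 00 21 08")),
    # ReadProperty (device 1, object-list) from a public address: exposed controller
    ("203.0.113.45", "10.0.5.7", 47808, bytes.fromhex(
        "81 0a 00 11 01 04 00 05 01 0c 0c 02 00 00 01 19 4c")),
    # WriteProperty present-value=100.0 on analog-output 1 from an unknown internal host
    ("10.0.9.99", "10.0.5.7", 47808, bytes.fromhex(
        "81 0a 00 18 01 04 00 05 02 0f 0c 00 40 00 01 19 55 3e 44 42 c8 00 00 3f")),
    # The same write from the approved building management server
    ("10.0.5.10", "10.0.5.7", 47808, bytes.fromhex(
        "81 0a 00 18 01 04 00 05 02 0f 0c 00 40 00 01 19 55 3e 44 42 c8 00 00 3f")),
    # Junk on the BACnet port and unrelated web traffic: both ignored
    ("10.0.5.30", "10.0.5.7", 47808, bytes.fromhex("de ad be ef")),
    ("10.0.5.30", "10.0.5.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
]
ALLOWED_WRITERS = {"10.0.5.10"}  # hypothetical BMS server allow-list


def run_sample():
    return scan(SAMPLE_RECORDS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.src:15} {f.service:28} {f.reason}")
```

On the sample records the scan produces two findings: the ReadProperty from 203.0.113.45 (a controller answering the Internet is exactly what the SHODAN approach above relies on) and the WriteProperty from 10.0.9.99, while the identical write from the allow-listed server and the routine Who-Is/I-Am exchange pass silently. Fed with real flow data, the same logic gives an operator an inventory of which hosts issue actuator commands, which is the minimum visibility needed when the protocol itself offers no authentication.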
Oh boy, oh joy, the researchers concluded that botnets are coming to smart buildings unless security is enhanced on existing and upcoming BAS. They said it is only a matter of time before organized crime overcomes the hurdles of mastering BAS environments and sets up smart building botnets in the BAS infrastructure for profit.
You can read more about Wendzel's research: “Envisioning Smart Building Botnets” (pdf) or check out the slides for "Alice's Adventures in Smart Building Land – Novel Adventures in a Cyber Physical Environment" (pdf).