The Internet of unsecured Things Part 3

Recently one of my students started mapping the Irish IP address space to get an overview of what kind of internet-enabled industry equipment is out there.

Typical HVAC Web Interface

Typical HVAC Web Interface

The search was based on various data repositories (he did not use nmap) and showed some surprising results, which could fall under the headline “country-specific type / model variations of industrial controllers”.

However, it took not long to stumble over an online HVAC (heating, ventilation and air conditioning) system with a wide-open web interface. Its GUI showed the HVAC’s approximate location (a street on the south side of Dublin) and of course any visitor (hostile or not) would have the ability to manipulate its settings, including boiler temperature, heating pump output, alarm settings etc.

A quick look at Google Maps revealed a number of potential locations of the HVAC, including a church, various commercial buildings and an embassy.

The HVAC is operational since 2009, so it is unlikely to disappear overnight and while a manipulation of system settings might not cause any problem now, it could cause havoc in winter time (I mentioned it before: frozen pipes are no fun).

But where to go from here? Who should be notified? Who is responsible?

Justin Clarke from Cylance raised similar questions during a recent security conference in London, where he referred to an internet backdoor in some UK-based hospital building management systems that was the result of a known firmware bug. In his case study the manufacturer would have been able (in theory) to warn its customers about the issue. The HVAC system in Dublin on the other hand was simply poorly configured, so it is not a manufacturer issue.

This is like watching a car speeding towards a cliff and not being able to warn the driver.

Speak Your Mind

*