By Leo Kelion, BBC Technology desk editor
15 December 2017
Dozens of British schools' heating systems have been found to be vulnerable to hackers, according to a probe by a security research firm. Pen Test Partners says the problem was caused by the equipment's controllers being connected to the wider internet, against the manufacturer's guidelines. It says it would be relatively easy for mischief-makers to switch off the heaters from afar. But an easy fix, pulling out the network cables, can address the threat. Even so, the company suggests the discovery highlights that building management systems are often installed by electricians and engineers that need to know more about cyber-security. "It would be really easy for someone with basic computer skills to have switched off a school's heating system - it's a matter of clicks and some simple typing," Pen Test's founder Ken Munro told the BBC. "It's a reflection of the current state of internet-of-things security. Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can't be set up this way."
The cyber-security company made its discovery by looking for building management system controllers made by Trend Control Systems via the internet of things (IoT) search tool Shodan. It knew that a model, released in 2003, could be compromised when exposed directly to the net, even if it was running the latest firmware. Mr Munro said it had taken him less than 10 seconds to find more than 1,000 examples. In addition to the schools, he said he had seen cases involving retailers, government offices, businesses and military bases. Pen Test blogged about its findings earlier in the week, but the BBC delayed reporting the issue until it had contacted and alerted all of the schools that could be identified by name. West Sussex-based Trend Control Systems advises its customers to use skilled IT workers to avoid the problem.
But it responded to criticism that it could have done more to check its kit had been properly installed after the fact. "Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible," said spokesman Trent Perrotto. "This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access." He added, however, that the company would "assess and test the effectiveness" of its current practices. One independent security researcher played down the threat to those still exposed, but added that the case raised issues that should be addressed. "The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override," said Dr Steven Murdoch, from University College London. "However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from. And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in."
[Just when you thought you’d heard it all along comes ‘hackable heating systems’. Of course it plays strongly to one of my hobby horses (two actually) of the security – or lack of – issues of the Internet of Things as well as the fact that this sort of thing is sold on the premise that technology, and internet technology in particular, will automatically solve all of our problems – even the ones we didn’t know we had. Instead we have heating systems that can be turned on and off from the other side of the planet, played with like toys and them trashed if a bored teenager feels like it. What happens when your home security system is at risk or your networked baby monitor or your car on the way into work or the traffic lights on that really busy corner or that flight you just made or the nuclear power station 5 miles upwind of you? Come on people! Learn before someone, or many someone’s, die. Think like a criminal, think like a terrorist, think like a bored teenager and then fix the problem before someone malicious exploits it!]
5 comments:
giant steps into "1984"...
This is interesting, but why would someone try to hack a heater other than as a prank? I could see unscrupulous power companies or electricians 'tweaking' the system so they could bill for more than was actually used...
@ Mudpuddle: You're never alone in a fully connected world.
@ Stephen: That's part of it - giggles. Also you can easily imagine that the heating management system is hosted on the schools main computer (why have it separated) so you gain access to the school via its insecure heating system and then into the schools personnel records, student test scores etc.... There may be a CCTV system too that can be accessed (or bugged so that it records activity in the school) and so on..... The insecure heating system is just an entry point.
CK: i see stuff like that on the movies, but didn't realize that it's now, not someday... i'm glad i live in a 5'X5' room, black with no phone, in the middle of the Sonoran desert with the nearest road a humdred miles away... (not really, but occasionally i wish...)
I suspect that the bored teenager may be the one to do mischief to the school's heating system. However, I agree that our systems are vulnerable to some very bad folks who are much worse then bored teenagers. I hate to say it, but action will likely come after there is a serious incident.
Post a Comment