Botnets coming soon to a smart home or automated building near you

At the Hack in the Box (HITB) security conference in Amsterdam, Steffen Wendzel, head of Fraunhofer FKIE, presented "Alice's Adventures in Smart Building Land – Novel Adventures in a Cyber Physical Environment" (pdf). This wasn't "just" weaponizing your coffee pot. Brace yourself, because Wendzel warned that a new class of botnet is coming. In fact, smart building botnets won’t be used for boring things like denial-of-service attacks or even refrigerators sending spam. Instead he predicts “novel scenarios” like remote access to sensor data for mass surveillance, or remotely locking the building and holding the people inside for ransom. A regional attack might, for example, slightly increase heating levels in buildings overnight in order to sell more oil or gas.

First, building automation systems (BAS) were defined as “IT components integrated in and capable to control and monitor buildings. BAS are aiming to improve the energy efficiency of houses, to increase the comfort and safety for people living or working in a building, and to decrease a building’s operation costs. Therefore, it is necessary to enable a BAS to control critical equipment like smoke detectors or physical access control components.”

A building is “smart” if it is integrated into the Internet of Things to allow for remote monitoring and management. “Smart” buildings could include smart homes, commercial buildings or large complexes. Nobody knows exactly how many building automation systems (BAS) are accessible via the Internet, but there are more than 15,000 in the US and 9% of those have known security vulnerabilities. “Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals.”