IN-HOUSE PREVENTION

Siegeware: Don't let hackers hijack your smart building

30 Aug 2022

Have you ever heard of siegeware? This type of ransomware has been around for quite some time now, but is rarely discussed. Attacks on smart buildings are still far from common, but the ever-increasing number of ransomware attacks may change that. Learn more about siegeware and find out how to avoid this threat.

Imagine being in control of a smart building. It could be an office, an apartment complex, or even a hospital. Suddenly, issues start to arise — the doors refuse to lock or unlock, the heating becomes uncontrollable, or the elevators get stuck. You notice that the control system is unresponsive. Then, you receive a message urging you to pay a ransom immediately, or else the system will remain offline.

 

Does that sound unbelievable? With the emergence of siegeware, a type of ransomware that targets smart buildings, people should know that this scenario is real. The owners and operators of smart buildings should be familiar with the threat and prepare an effective response strategy.

 

Ransomware becomes siegeware

With IoT (internet of things) on the rise, cybercriminals can easily get hold of one’s property and use it for extortion — be it via computers, phones or cars (in which case we talk about jackware). Siegeware exploits the digital systems of a networked building, and in some cases uses the access to cause chaos — for example, by cutting the power, shutting down elevators, switching off air conditioning systems, or even doing these things all at once. The owner of the building is led to believe that they will only get control back after paying a generous ransom — but that will not always solve the situation. In the past, criminals have only rarely released the infected systems after siegeware has been triggered. 

 

Siegeware in real life

 

An executive at a real estate company managing a dozen buildings in several US cities received the following message on his smartphone: “We have hacked all the control systems in your building at XXX Street and will switch them off for three days if you do not pay 50,000 dollars in Bitcoin within 24 hours.” The building at that address is one of several medical clinics in the company’s portfolio that use “building automation systems” (BAS) to remotely control heating, air conditioning and ventilation, as well as fire alarms and management systems that include lighting, security systems, and more. The administrator usually has up to eight different systems under remote control.  Fortunately, the company had the foresight to develop an effective crisis response plan and did not act on the attempted blackmail. Although the scenario was completely new to them, the IT team was able to rapidly initiate backup measures. In the end, everyday operations at the hospital were only disrupted temporarily.

 

Source: WeLiveSecurity, 2019 

 

Remote access: source of comfort, or danger?

With the increasing degree of automation and connectivity, “taking buildings hostage” is quite easy: Threat actors “only” have to hack the BAS through the internet to take full control of all functionalities. They are taking advantage of the possibilities offered by remote maintenance, which is supposed to increase comfort at a reduced cost. Nowadays, technicians can solve issues or implement new settings from a central command desk somewhere else in the country. This becomes problematic when remote access is designed for performance and not security. Often, manufacturers rely only on a simple combination of a username and a password as access protection. Security by design, defense mechanisms against brute force attacks, or multifactor authentication (MFA) could provide more security, but they are too often omitted for cost reasons.

 

Victims are surprisingly easy to find

How do cybercriminals find their victims? The search engine “Shodan” (www.shodan.io) makes it rather easy. A search for “BAS” leads to around 11,095 potential targets worldwide that could be reached via the public internet. These include 1,162 in the US (as of 06/06/2022). They’re all neatly listed and supplemented with lots of additional data, from the IP address to SSL information and the router used. In 2015, the University of Michigan came up with Censys, which works similarly to Shodan and unfortunately enables hackers to search for internet-connected devices easily.

 

With this knowledge and a list of victims, an attacker has virtually free rein. In the simplest case, they try to gain access using standard usernames with the corresponding password for the relevant system type. Default credentials for different systems can be found online — and, unfortunately, many BAS operators continue to use those defaults without coming up with a more secure access solution. Even if the credentials were changed, there is often no notification system or limit on the number of unsuccessful login attempts, making it possible for cybercriminals to keep trying to hack the accounts until they are successful.

 

Hackers may rely on the most frequently used credentials and information captured from the dark web, or resort to brute force methods and/or login crackers. The latter are very popular and easy to find on the internet, plus they are getting more advanced and successful — often with minimal effort required. As a result, siegeware attacks can be carried out even by average cybercriminals without extensive know-how.

 

Taking charge of security

How can you reduce the risk of siegeware? Two main questions determine future action: How high is the degree of automation of building technology and how well is the access protected? Builders, property managers, and contractors should sit down together and discuss problematic areas of security and remote access. As handy as it is to have remote access at all times via a web-based login, the administrator/owner often lacks knowledge about the possible dangers.

 

When using a BAS, all parties involved should ask themselves the following questions:

  • Did we change the login credentials from default to a more secure combination of a unique login and a password/passphrase?            
  • Is the login located behind a firewall?
  • Is access secured by multifactor authentication?
  • Is there a restriction on failed login attempts, including blocking?
  • Do we get a notification with any unsuccessful login attempts?
  • Is there a limited list of people who have access to the BAS?
  • Do we have a maintenance contract with the supplier that requires them to update our software regularly?
  • Do we disconnect the system from the internet when the connection is unnecessary?
  • Did we prepare a functional crisis response plan so that we know whom to contact and what to do if any issue occurs?

 

If the answer to any of these questions is no, your BAS may be vulnerable to cyberattack. Apart from causing discomfort, dealing with a siegeware attack can cost large sums of money, and if the incident becomes public, the company attacked may be viewed as unreliable or unsafe. Building owners can also face legal action and high fines.

 

Overall, siegeware can have a much larger impact than just causing a few doors to lock or the heating to stop for a while. Now that you're aware of the risks, be sure to review the questions above and make every effort to protect your BAS.