Get all the news you need about Smart Buildings with the Memoori newsletter
“Technology is changing the most fundamental truth about commercial real estate, that value is based solely on location,” according to Deloitte. Offering a workplace in a good location is no longer enough to attract the top tenants, nor is it enough for those organizations to entice the best talent. Leading companies and their workers are increasingly demanding smarter offices.
“The Internet of Things (IoT) is now fostering new avenues of value creation for customers, greater differentiation from competitors, and fresh sources of revenue for commercial real estate through the collection and use of information,” Memoori discussed in April last year, within an article entitled ‘3 New Rules of Real Estate: Information, Information, Information.’
As such, commercial buildings have become the highest users of IoT technology, according to Gartner, and our own research projects that the combined global market for the IoT in Buildings will grow from its $26.65Bn level in 2015 to $75.5Bn by 2021, at a CAGR of 20.7%. IoT devices and infrastructure provide a host of benefits but with that also comes vulnerability to cyber attack.
In early 2017 the Romantik Seehotel Jaegerwirt, a 4-star hotel in Austria, was the victim of cyber attack. The hackers managed to disable the hotel’s electronic key system thereby locking guests in or out of their rooms, as well as disrupting the hotel’s reservation and cash desk systems. The cyber criminals then demanded a €1500 ransom for undoing the damage that had brought the facility to a standstill.
“The hotel was totally booked with 180 guests. We had no other choice. Neither police nor insurance companies can help you in these circumstances,” the hotel’s managing director said when justifying their decision to pay the ransom.
In the US, market leading InterContinental Hotels Group Plc annouced that 1,200 of its franchises – including the Holiday Inn, Crowne Plaza, Hotel Indigo, Candlewood Suites and Staybridge Suites – were victim of a prolonged cyber attack aimed at obtaining customer payment card data. “The breach lasted a month,” said InterContinental spokesman Neil Hirsch, who did not clarify the financial impact or whether losses were covered by insurance.
It is not just the hotel industry that has suffered the effects of cyber attack on smart building systems. A massive data theft at the US retail giant, Target, all started with hackers finding their way into the firm’s network using the access credentials of a company that remotely maintained the retailer’s heating, ventilation and air conditioning (HVAC) system – as we reported in an article named, ‘The Very Real Cyber Security Threat in Smart Buildings.’
Very recently, researchers at IoT security firm Senrio discovered a serious flaw in a commonly used code library known as gSOAP. Named ‘the Devil’s Ivy flaw’, it has exposed millions of IoT devices, such as security cameras, to a remote attack. Senrio found the issue when testing the remote configuration services of the M3004 dome camera from Axis Communications. They were then able to reboot the camera, change network settings, block the owner from viewing the video feed, and even reset the camera to factory default – allowing them to change the credentials, and gain exclusive access to the camera feed.
Senrio, estimates there are approximately 14,000 Axis cameras exposed on the internet. Axis Communications confirmed that 249 of its 251 surveillance camera models were affected by the flaw, tagged as CVE-2017-9765. On July 10th it released a firmware update to address the issue.
“Products exposed and accessible from public Internet (via router port-forward or UPnP NAT) are at much higher risk and need immediate attention,” Axis notes in its advisory, which also states that it believes the risk is “limited” for cameras behind a firewall.
Be it Devil’s Ivy, WannaCry, ExPetr or Mirai, cyber attacks on IoT devices and smart building systems are increasing. Before racing into the connected, cyber physical world, organizations need to seriously consider the vulnerability they open up and whether benefits justify that risk. Those benefits maybe to hard to ignore but the same mentality must be given to the threat of cyber attack.
As mentioned in our recent report ‘Cyber Security in Smart Commercial Buildings 2017 to 2021’: “This rise of the IoT offers up tangible business benefits and tantalizing new opportunities for innovative business approaches, but these need to be carefully weighed up against the potential risks of increased cyber security vulnerability.”