As buildings get smarter and increasingly connected to the Internet, they become a potential attack vector.
IBM’s X-Force ethical hacking team recently ran a penetration test against a group of office buildings using building automation systems that controlled sensors and thermostats.
In this particular case, a building management company operated more than 20 buildings across the United States, as well as a central server.
Without any social engineering or online data gathering about employees, the team targeted one building.
“We did it old-school, just probing the firewall, finding a couple of flaws in the firmware,” said Chris Poulin, research strategist for IBM’s X-Force. “Once we had access to that, we had access to the management system of one building.”