
Schools warned over hackable heating systems - QAPereo
http://www.bbc.com/news/technology-42355665
======
gehwartzen
>Even so, the company suggests the discovery highlights that building
management systems are often installed by electricians and engineers that need
to know more about cyber-security.

Or maybe if you release a product with a network jack that replaces a legacy
item, you put safeguards in place and don't expect your customer to hire an
electrician who also happens to have a cyber security degree...

------
TheCapn
It'll continue to be a systematic issue until there's an "event" that makes
international headlines. I work for a small industrial control company and
even my coworkers' mentality is that the security I enforce is an
"inconvenience" to their jobs.

I've started training another young engineer in training in the work I do
since I can't keep up with the workload and he's questioned every single piece
of my setup guides to deal with security. "Why do we need to do it this way?
Isn't it easier to skip that?" "How come we block this? Why is that feature
disabled?" etc. etc.

Heck, I've found that vendors are frequently pretty upfront about their
devices and hide no secrets that their devices are exploitable if you go
against their recommendations for basic security. But as soon as a know-it-all
hears of how convenient opening a firewall port is or enabling config access
from the public interface, it's a fight to explain to him why it's a bad idea.
Maybe it hasn't blown up _yet_, but we don't want an incident before we do it
the right way.

~~~
eric_h
When I was a wee lad just out of college I worked in a relatively shitty job
that was basically 1/2 tech support consulting and 1/2 software development.
My boss insisted that every single server we managed have the same 7 character
root password (both our own and for clients) and that those machines be
exposed to the open internet (with root ssh and other remote access protocols
enabled!) accessible via that password.

Since a number of those machines were inevitably pwned, and had to be cleaned
up by none other than yours truly, I learned the extremely painful lesson of
what happens when you sacrifice security in the name of usability (it was so
easy - you only need to remember one short password!)

As an aside - he was just as bad a boss on the software development side of
the job.

On the bright side it was interesting observing how various automated attacks
succeeded in installing botnet C&C software, and how it worked to conceal
itself.

Edit: Of course I'll never know about the most sophisticated versions that
escaped my detection :) Fortunately that was more than a decade ago.

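The exposure eric_h describes above (root login over SSH, password
authentication, reachable from the open internet) comes down to a handful of
sshd_config keywords. As an added example that is not part of this thread and
not eric_h's or his employer's code, here is a small Python audit of those
keywords, run over constructed config fragments. It assumes the OpenSSH
defaults noted in the comments (PermitRootLogin defaults to
prohibit-password, PasswordAuthentication defaults to yes), so a keyword that
is simply absent is not treated as safe.

```python
"""Audit an sshd_config for the settings behind a shared-root-password
internet exposure. Added example; configs below are constructed, not real."""
import re

# Defaults as shipped by OpenSSH 7.0 and later (assumed here). An absent
# keyword means the default applies; PasswordAuthentication defaults to
# "yes", so "I never set it" is not the same as "it is off".
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Values that close the hole: no root login by password, no password
# authentication at all, no empty passwords.
SAFE_VALUES = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

MATCH_NOTE = "Match block present; conditional overrides not audited"


def parse_sshd_config(text):
    """Return ({keyword: value}, has_match) from sshd_config text.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored. Keywords inside a Match block apply only conditionally, so
    parsing stops there and the caller is told a Match block exists.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            return settings, True
        settings.setdefault(key, value)  # first occurrence wins
    return settings, False


def audit(text):
    """Return [(keyword, effective_value), ...] for every unsafe setting."""
    settings, has_match = parse_sshd_config(text)
    findings = []
    for key, safe in SAFE_VALUES.items():
        value = settings.get(key, DEFAULTS[key])  # effective value incl. default
        if value not in safe:
            findings.append((key, value))
    if has_match:
        findings.append(("match", MATCH_NOTE))
    return findings


# Constructed fragment matching the setup in the post: root, by password,
# bound to every interface.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart: keys only, no root login.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

# Constructed config that sets nothing relevant: defaults decide.
DEFAULT_ONLY_CONFIG = "Port 22\n"


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("defaults only", DEFAULT_ONLY_CONFIG)]:
        print(name, "->", audit(cfg) or "no findings")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`;
the defaults-only case is the one that tends to surprise people, since a
stock config with nothing set still accepts passwords. The parser also flags
a Match block rather than pretending to evaluate it, because a `Match User`
stanza can re-enable password logins for one account and the audit would
otherwise report a clean bill of health.
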
------
samuellb
These kinds of attacks are already happening. It has actually happened in the
apartment area where I live:

We have a hot water central heating system that distributes heat to the
apartment buildings. To improve efficiency, this system was upgraded with
"weather forecast" functionality. The supplier stated that this system would
_not_ work behind NAT or a firewall, and required a public IP address, so it
was connected directly to the ISP's switch.

A couple of years later, in the summer, the system got cracked and the heating
system was turned on and the system temperature was increased to the maximum.
Because all radiators have (analog) thermostats on them, it didn't affect the
indoor temperature, and it took a week until it was noticed.

If nobody had noticed, it would have resulted in a huge district heating bill.
And if done on a large scale, I guess it could overload or underload power
plants (if using electric heating). So I disagree that there is little
incentive (for bad guys) to crack heating systems.

------
dmlorenzetti
_It would be relatively easy for mischief-makers to switch off the heaters...
The risk is limited because ... it should be possible for building managers to
notice what is happening and manually override_

If you really wanted to be malicious, you would curtail fresh air, rather than
cut off heat. It would be harder to notice, and would give you an attack that
didn't depend on cold weather.

And arguably the long-term consequences would be greater. The kids who got
cold would bundle up and complain, leading to a (possibly energy-wasting) fix.
The kids who got a low-grade headache and fatigue every afternoon might
conclude "I'm just not cut out for learning."

~~~
newman8r
hilariously evil

------
tcd
Damn, the future of IoT is so exciting.

Hackable fridges, microwaves, showers...The possibilities are endless. Maybe
Anon can hack Ajit Pai so he only has cold showers from now on :P.

------
bitwize
"What the hell is going on?"

"Pool on the roof must have a leak."

------
titzer
I think the ridiculous overdeployment of software might be some kind of
elaborate joke. I mean, really, hackers can take out the heating systems of
schools from across the globe? That is too stupid to have been done by
accident and too convenient to not be made up. Somebody is laughing their ass
off over this. Aliens maybe?

~~~
jstarfish
In grade school (well before the internet/IoT age) the central heat would be
blasting well into spring and the central air would run well into winter. The
thermostats installed in every classroom did nothing at any point in the year.

The excuse for this was always that "the district controls it from downtown."

I don't know whether or not that was true, but a hacker certainly couldn't
have done any worse.

------
AdmiralAsshat
I guess we'll have to revert to controlling our HVACs via Amiga:

[http://woodtv.com/2015/06/11/1980s-computer-controls-grps-he...](http://woodtv.com/2015/06/11/1980s-computer-controls-grps-heat-and-ac/)

~~~
sexydefinesher
And our repair shops will have to be equipped with Commodores:
[https://sploid.gizmodo.com/this-old-ass-commodore-64-is-stil...](https://sploid.gizmodo.com/this-old-ass-commodore-64-is-still-being-used-to-run-an-1787196319)

------
chasemiller
>Mr Munro said it had taken him less than 10 seconds to find more than 1,000
examples.

I, too, can use Shodan.

------
sverige
Future generations are going to marvel at our stupidity in creating IoT, if we
survive this phase so that future generations can be born.

------
prophesi
Did they not watch Mr. Robot?

