HVAC Hackers Attack More than the Thermostat

FrgMstr

This is one of those stories right out of a fictional spy novel. These guys are using airflow in HVAC systems and using temperature fluctuations as bits and bytes in order to "hack" air-gapped networks.


Heating, ventilation, and air conditioning (HVAC) systems can be used as a means to bridge air-gapped networks with the outside world, allowing remote attackers to send commands to malware placed inside a target’s isolated network.

This type of attack scenario — codenamed HVACKer by its creators — relies on custom-built malware that is capable of interacting with a computer’s thermal sensors to read temperature variations and convert these fluctuations into zeros and ones — binary code.
 
So it converts temperature fluctuations to 1s and 0s.... Most buildings turn off HVAC at night, and it takes time to change the temp.... So what, you can send maybe 1 byte an hour? What if you want to send more than one 1 or 0 in a row? If the HVAC system is connected to the internet, I'd like to think it will send out alerts if it's cycling on and off too much; otherwise why would that system be internet connected at all?
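The "alert if it's cycling on and off too much" idea from the post above, as an added example that is not from the thread or from the HVACKer paper: a small monitor that reads constructed building-management log lines (the log format, zone names and the one-hour / six-transition baseline are assumptions) and flags any zone whose ON/OFF toggle rate within a sliding window exceeds that baseline.

```python
# Added example, not code from the thread: flag HVAC zones that cycle faster
# than a baseline. Log format "<ISO timestamp> <zone> <STATE>" is assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. zone-A behaves normally (and repeats its state as a
# heartbeat); zone-B flips every five minutes in the middle of the night.
SAMPLE_LOG = """\
2016-06-01T02:00:00 zone-A OFF
2016-06-01T02:00:00 zone-B OFF
2016-06-01T02:05:00 zone-B ON
2016-06-01T02:10:00 zone-B OFF
2016-06-01T02:15:00 zone-B ON
2016-06-01T02:20:00 zone-B OFF
2016-06-01T02:25:00 zone-B ON
2016-06-01T02:30:00 zone-B OFF
2016-06-01T02:35:00 zone-B ON
2016-06-01T02:40:00 zone-B OFF
2016-06-01T02:45:00 zone-B ON
2016-06-01T02:50:00 zone-B OFF
2016-06-01T03:00:00 zone-A OFF
2016-06-01T06:00:00 zone-A ON
2016-06-01T06:30:00 zone-A OFF
2016-06-01T08:00:00 zone-A ON
"""

def parse_line(line):
    ts, zone, state = line.split()
    return datetime.fromisoformat(ts), zone, state

def find_fast_cyclers(log_text, window=timedelta(hours=1), max_transitions=6):
    """Return {zone: peak transitions seen inside one window} for every zone
    that exceeds max_transitions. Repeated identical states are not transitions."""
    last_state = {}
    recent = defaultdict(deque)   # zone -> timestamps of transitions in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, zone, state = parse_line(line)
        if zone in last_state and last_state[zone] != state:
            q = recent[zone]
            q.append(ts)
            while q and ts - q[0] > window:   # drop transitions that aged out
                q.popleft()
            if len(q) > max_transitions:
                flagged[zone] = max(flagged.get(zone, 0), len(q))
        last_state[zone] = state
    return flagged

if __name__ == "__main__":
    print(find_fast_cyclers(SAMPLE_LOG))   # {'zone-B': 10}
```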
 
My takeaway from TFA is just because something is air gapped, doesn't mean you can skip the rest of Security 101. The HVACK still relies on a separate method of delivering the malware to the targeted systems. Still a cool way to C&C a malware infected network.
 
The target system has to be compromised in the first place for this to work. And you have bigger problems if that is the case.

And this assumes there isn't normal temperature variation inside a computer as workload increases/decreases. Plus, how do you control the sample rate? If the supply duct is far from the computer, it could take considerably longer just to deliver a few degrees of rise, and it might be misinterpreted. And I can do things like close the front door on my computer desk and my CPU temperatures will skyrocket.

Stupid hack paper is stupid
 
otherwise why would that system be internet connected at all?

As much as I hate to say it, it's all part of building intelligence systems these days. They are all linked and in some cases remotely controllable. Even my high school in the 80's had their HVAC controlled from a central office.
 

Yeah, they are assuming an insider. Malicious USB dropped in a parking lot. Worker picks it up. Plugs it in to see who it belongs to. Infected with STUXNET. etc. etc. Conceptually though, it's pretty out of the box. Imagine an infected device that's hooked up to some ICS stuff. It's airgapped in a basement. No connection to the outside world, yet it is able to get C&C from the outside world via a rogue HVAC. That's super villain evil.
 

They're playing the long game. :D I think you're probably right. Depending on how small the fluctuations can be (which would determine the data rate) I could see it only being able to transmit a byte to a few bytes an hour. I still find this very interesting though. I guess you could really use anything at all that oscillates, changes states, or otherwise fluctuates to send data. Now to start hacking in semaphore! Flags and optical sensors!
 
Maybe I'm "old school", but what's wrong with an old mechanical thermostat? Maybe even a stand-alone digital model. Why would I want all this crap connected to the Internet?
 

Nothing. Nothing at all. There are certain things IMO that benefit from automation, new technologies, and progression. There are others that worked just fine already. This is the latter in my opinion.

I guess if you really want to remotely adjust some of this stuff (and I can see SOME instances where that might be useful) then VPN into your company's network FIRST and THEN connect to this sort of thing.
 
Per the article:
According to tests carried out by the research team, they were able to send data inside an air-gapped network via HVAC systems at bit rates of 40 bits per second, a more than acceptable transmission speed.

I'm still not clear on exactly how this is being executed. Regardless, if a target is valuable enough, someone might just be crazy enough to try...
 

Wow, that's pretty impressive actually. I must be missing something here.
 
Not sure why the HVAC has to be on or not; it has direct control of the system, so they can control information between the outside and inside unit and the sample rate, and use a high CRC to find errored data (same as the IR hack).

What temperature changes happen would have no effect on the speed the data is being sent, as they are abusing the temp sensors' reporting, not the air flow or compressors (it would not have to cycle on and off).
 
I am certainly dating myself, but I remember the "selling point" to go from analog to digital was "security", but like always, never trust what comes out of their mouth.
 
Well, analog or digital, it doesn't really matter. If something can be made, it can be unmade. If it can be locked, it can be unlocked. There's always a way. You're right about that 'selling point', but it relates more to the fact that the next step is usually more secure until everyone has it and more people try to figure it out. It's kind of like how the early door locks could easily be picked by most of today's children, but back in the 1800s how many children grew up knowing that?

In my security classes I read articles about how someone once showed you could set up an analog CRT monitor and replicate what was displayed on the screen in another room without even connecting any cables, by using static-sensitive material over the screen of another unconnected display in another office. In the 90s I read articles explaining interesting antenna concepts that would allow you to see a neighbor's analog cable TV. I did a primitive experiment and actually replicated it. Leech/listening devices can now pick up a signal through coaxial or telecom cables without even splicing like they used to.

I'm very much against connected devices such as appliances and cars. The manufacturers just have not proven the tech properly enough to be trusted. It still feels like they just kind of threw it in there.
 