Adding risk to our homes
Gaining the ability to remotely control your HVAC might seem like an energy-responsible thing to do, but it might also pose hidden security risks.
In a recent blog titled Security implications in HVAC equipment SANS handler Swa Frantzen wrote of his concerns regarding one energy-saving program in Texas. The utility, TXU, uses what's called an iThermostat, which allows you to program your thermostat remotely over the Internet from any laptop or desktop.
In California, PG&E offers a similar program, SmartAC. PG&E also uses an Internet addressable, programmable thermostat, however, the user guide (PDF) mentions only remote access from the utility, not from the end user.
Frantzen makes it clear that's he's not intentionally picking on the iThermostat system; he's only using it for educational purposes. Nor am I necessarily saying the SmartAC program is flawed either. I do, however, think his academic questions are quite valid because they go beyond just HVAC systems.
Recently there was a security hole identified within an Internet-connected coffee maker. I think the first question here should be: do we really need to access our coffee machine remotely?
It might be argued that these systems (the HVAC and coffee machine) both terminate--they don't necessarily allow a remote attacker access to a home computer network. But that's for right now. Jump ahead a few years when these systems start talking each other, when you'll be able to create a warm and comfy home environment from your desktop at work.
Until then, what if someone remotely views your schedule of when the AC turns on and off? It could tip a potential burglar to when you're likely to be home and when not. And what if, asks Frantzen, the remote lockout on the thermostat fails and some remote hacker cranks the heat or air conditioning setting to its maximum setting while you're on vacation?
Is anyone even thinking about these issues? If not, shouldn't someone be?
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
- Topics:
-
Security
- Tags:
-
security,
-
commentary,
-
SmartAC,
-
iThermostat,
-
Swa Frantzen,
-
SANS
- Share:
- Digg
- Del.icio.us
Jini died as a major marketing effort pretty shortly after that. It still exists (sorta), and can be seen here: http://www.sun.com/software/jini/
The possibilities for mischief are endless. THAT is why this is a bad idea. Besides, in case you haven't heard we now have programmable thermostats that you can tell to run at certain times of the day and even what temperature to run at. I have a cheap one in my house that's set to 55 between 11:45PM and 6:15AM, then 68 until 9:00AM, then 55 again until 5:00PM, then back to 68 (during winter, otherwise I keep it in the "off" mode). Never even have to think about it and no internet access required. People with brains can set these up *BEFORE* leaving on vacation, it's really not hard (since you're on vacation, I'd recommend the "off" setting because it's the simplest and least expensive option). There's even more, I have a coffee machine that also has a timer on it. It makes coffee in the morning, whether or not I've slept in. It's also perfectly unhackable (no internet connection = absolute internet security).