Finland seems to be in the news due to recent house automation IoT security incidents. Slashdot reports that DDoS Attack Halts Heating in Finland Amidst Winter. The Metropolitan.fi article "DDoS attack halts heating in Finland amidst winter" tells that a Distributed Denial of Service (DDoS) attack halted heating distribution in at least two properties in the city of Lappeenranta, located in eastern Finland. In both events the attacks disabled the computers that were controlling heating in the buildings (causing them to constantly reboot), thus disabling central heating and warm water circulation. The attacks lasted from late October to Thursday the 3rd of November. The incident was also covered by the Etelä-Saimaa newspaper article “Hakkerit iskivät lappeenrantalaisen kiinteistön pannuhuoneeseen” and the TiVi article “Verkkoisku kylmensi useita taloja Suomessa – ES: ‘Lämmitys ja kuuma vesi pois päältä’”.
Heating is now pretty important, as winter has come to Finland and the temperatures outside are freezing, well below zero degrees Celsius. A long-term disruption in heating will cause material damage as well as the need to relocate residents elsewhere.
According to the TiVi article “‘Oli vain ajan kysymys’ – suomalainen ennusti tuhoisien verkkoiskujen tulon jo 3 vuotta sitten”, Jukka Manner, a professor at Aalto University's Communications and Networking Department, warned already in 2013 that there were approximately 3,000 automation devices connected to the network without any security. At that time the researchers submitted their report to the authorities in order to warn the owners of the equipment.
Since then, the Finnish Communications Regulatory Authority (Viestintävirasto) has been looking for unprotected automation systems on the network and notifying their owners of the dangers. In summer 2015 the Finnish Communications Regulatory Authority's Kyberturvallisuuskeskus (cyber security center) was still concerned about the large number of unprotected automation devices: the numbers had not changed considerably from 2013 to 2015. The results were about the same in research done in 2016. The largest single group was associated with building automation systems, around 2000 of which were found unprotected.
According to the YLE news article “Viestintävirasto: Taloautomaatiojärjestelmiä kaataneen verkkohyökkäyksen takana oli rikollisia”, the Finnish Communications Regulatory Authority estimates that the people behind the cyber harassment of the Lappeenranta house automation systems were cyber criminals: “Our data show that the systems in question were not the actual objects in this case, but these have been used in the implementation of a network attack against a European operator.” It seems that the heating control computers restarted again and again when the attack traffic affected their hardware performance too much. “The attack is carried out in such a way that it is controlled by attack traffic through a variety of vulnerable systems, and in this case, these systems have been such that they are used to control house automation. Due to the lack of performance, the systems have been breaking down, causing heat supply disruption.”
It seems that the problems in these cases are related to poor security coupled with a poorly designed automation hardware implementation. Maybe the house automation companies should really start to think about security. Remote administration is in many cases a good thing, but only if data security is taken care of at a sufficient level. This was a good warning of the vulnerability of an insecurely networked society.