Will we, the users, start to hack the IoT through ‘cheats’ and shared codes if we get the opportunity?
The video gaming community is well known for its proclivity to share secret codes that open up cheats and shortcuts to get fellow gamers through in-game levels and obstacles. This same mentality could, arguably, start to evidence itself in areas of technology where the IoT helps to control our lives.
A large number of hotels in North America and beyond use a standardized Honeywell air conditioning thermostat as shown above.
These same hotels have a habit of setting the room temperature maximum to 75 degrees Fahrenheit, especially as the summer season approaches. While 75 is a comfortable enough 24 degree Celsius, it’s not exactly toasty – and, given the huge drafts of super chilled air that waft down many hotel corridors, it’s often hard to get a room warm enough to sleep in.
Thankfully, there is a widely shared cheat to get past the Honeywell system as detailed here on BoardingArea.com
- Hold down the “display” button
- While holding that button, press “off”
- Release off, continue to hold down display, and press the “up” arrow button
- Release all buttons
Once a user carries out the above steps the heat unit can be upped to around 85 degrees Fahrenheit, which should be enough to send most of us off to the Land of Nod. This really works, by the way.
When the apps come
The Honeywell unit is not IoT-controlled and does not have a corresponding ‘app’ where the user controls the room temperature via a smartphone or tablet. But this device’s next generation surely will… and we all know that to be true.
Could such hacks and cheats cause wider problems? Hotels will want to be able to use big data analytics to manage every aspect of their ambient environments for control and cost purposes – so what happens if the users (in this case, guests) start over-riding those policies and processes?
Global director for critical systems security at Synopsys Mike Ahmadi spoke to Internet of Business this week about this story. He said that the biggest issue with users being able to override controls could be the potentially cascading tangential effects of doing so.
“If we extend the example here to a scenario where the temperature is controlled by a web-facing application, this opens the potential to allow for a global override, where changes are applied to all devices in the same manner,” said Ahmadi.
As a company that works to produce security controls for IoT devices, autonomous cars, wearables, smart medical devices and secure financial services, Synopsys has an arguably useful view to share here. The company advises that that in sensor-based networks, the sensor used for one system often provides another system with information it uses to make other changes… and this gets passed on.
Cascading knock-on effect
“A user changing one system can cascade into a larger global system of changes. Another issue may be that a user might be able to access central building management systems that control all temperature environments, including refrigerators and freezers. The user may be able to control freezers and inadvertently (or maybe purposely) raise the temperature causing all items to thaw,” postulated Ahmadi.
The end result here (in a worst-case scenario) could lead to food poisoning if everything is thawed and then re-frozen before a hospitality company is aware.
Free mini-bars, here’s how
Fuelled by his colleague’s comments, Synopsys manager for security solutions Adam Brown also spoke to Internet of Business on IoT hacks and cheats. Brown notes that, in their early days, it was relatively easy to bypass the pay-per-view system and watch hotel movies for free.
“Further still, there are other tricks such as using the TV’s online room service commands to unlock the mini bar, or set it as re-stocked. Given that refurbishments are usually on a six- to seven-year cycle at top hotels (and a lot longer on very large or lower end ones), hotels can be a bit behind when it comes to security,” said Brown.
An attack at the Romantik Seehotel Jaegerwirt reported in January this year saw the hotel ransomed by hackers who locked all guests out of their rooms. The truth is, hackers don’t even need to be in the hotels, or even on the hotel’s Wi-Fi, in order to pull these stunts, if hotel systems are controlled by internet-connected services.
NOTE: Speaking from personal experience, a heating engineer actually showed me this trick five years ago now… the fact that this information now exists on the Internet is kind of inevitable. You thought you were turning up the heating system, but you end up giving 300 people food poisoning. It hasn’t happened yet. But it could.