IBM staffers were able to quickly gain access to a building's central server.
IBM staffers were able to quickly gain access to a building's central server.

All of the convenience created by installing smart appliances and controls in an office is being countered by the inherent threat these devices can then pose to the network to which they are attached, according to a new IBM X-Force report.

The problematic appliances are not limited to those generally thought of when smart devices are discussed, but instead include a building's heating, lighting and air conditioning systems, said Paul Ionescu, IBM X-Force ethical hacking team lead.

“Little attention is being paid to the potential cybersecurity risks created by smart office technology since these devices fall outside the scope of traditional IT. In fact, a recent survey of building automation system (BAS) operators found that only 29 percent had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems,” he wrote in a blog.

To prove this point Ionescu and his team conducted an ethical hacking exercise against a “smart office”. The test was conducted against a volunteer building with the aim of cracking into its main monitoring and control server, that controls not only the building in question but also other locations in North America.

A lack of basic security hygiene made the task simpler than expected.

“We were surprised by the amount of very basic security errors that we found which allowed us to break into the system. Things like shared passwords and information stored in clear text within the devices made it significantly easier for us to eventually hack into the central command server, along with the vulnerabilities we identified in the router and BAS (the building automation system) software,” Ionescu said to in a Thursday email.

The X-Forcers were able to defeat the security through a design flaw that gave them control of a wireless access point and another huge help was finding the device password stored unencrypted in cleartext. From this point the BAS was accessed and a flaw found in the diagnostic page gave the team access to the device's settings, which in turn led to the ability to discover, and then decrypt, the password for the central command server giving the white hat hackers access to several building across the country.

Not only did this give the IBM researchers the ability to alter basic environmental controls in all the buildings, but also door locks, fire alarms, security systems and even refrigeration units leaving the building vulnerable to a physical burglary, Ionescu noted.