Smart Building Tech Adoption Creating Fertile Ground For Hackers
The use of connected building technology is exploding amid the coronavirus pandemic, forcing property owners and managers to find more ways to provide services to residents without face-to-face interaction. But as adoption of the Internet of Things has grown, awareness of its security risks hasn’t kept pace.
Merely managing a building during the pandemic has overwhelmed many property managers, and they haven’t been able to educate themselves on all the security protocols with IoT, Institute of Real Estate Management President Chip Watts said.
“There are so many different items out there right now that can be hacked and be a concern for security,” said Watts, who also is CEO of Alabama-based Watts Realty Co. “[The pandemic] has forced property managers of the world to embrace this technology faster than anyone imagined. We would have anticipated [we were] three-to-five years from embracing this technology as much as we have.”
The IoT market grew from $34.8B in revenues in 2017 to $42.8B in 2019, according to smart building research firm Memoori. That growth is expected to pick up in the next two years, with a projected $84.2B in revenues for IoT providers in 2022. Memoori estimates that there were 1.7 billion connected devices installed in buildings worldwide by the end of last year, and projects that figure to nearly double by 2025, reaching nearly 3 billion.
As of 2019, 26% of all cybersecurity incidents were due to unsecured connected smart devices, according to the Ponemon Institute, a research firm focused on privacy management.
“What I find is the clients don't have a strong enough set of radar to understand the level of risk that they're confronting. It always seems to be the other guy's problem,” said Kenneth Citarella, senior managing director of investigations and cyber forensics at Guidepost Solutions. “People still like to operate under the presumption that ‘I'm safe until I'm proven not to [be].’”
Some of the most notorious corporate hacking incidents of all time were the result of breaches in smart building tech. In 2013, hackers accessed the HVAC system in some Target stores and pushed their way into the retailer's main network, eventually stealing the information from 40 million credit and debit cards used at Target stores.
A hacker in Finland managed to break into a casino's mainframe by accessing a remote thermometer in an aquarium in 2017. And in 2019, Microsoft warned industry leaders that Russian-backed hackers were attempting to infiltrate a number of large organizations through connected printers or VoIP phones.
Kevin Kornegay, an IoT security professor at the Cybersecurity Assurance and Police Center at Morgan State University, said for every security advancement, there is a malevolent actor who has likely figured out a workaround.
“It’s a race. Like there was the [arms] race. There’s a cyber race,” Kornegay said. “And it’s tit-for-tat. And the consumer is stuck in the middle, kind of in the crosshairs.”
Building owners and managers aren’t prepared for how much exposure the devices they are adding to their buildings have to these hackers, known as black hats, Prescient Managing Director Alex White said. White, who is a cybersecurity consultant, also is a member of the geopolitical risk consulting firm the RANE Network.
“You hit it right on when you say unprepared. A lot of what we're seeing is reaction,” White said. “Organizations have grown to pandemic-style remote work environments, but they don't know what they really need other than what is required.”
The pandemic has only accelerated the adoption of IoT in commercial buildings. A 2020 survey by Vodafone found that 76% of companies surveyed said their IoT adoption plans were accelerated by the pandemic, and another 79% planned to launch new IoT projects due to the coronavirus.
As an organization, IREM is making IoT security education a priority for its members, Watts said. But the pandemic has made that hard to roll out when many property managers are just trying to figure out the best ways to keep tenants and employees safe from the coronavirus.
“A lot of our members, they're not IT people. It is a matter of education,” Watts said. “I wouldn't say we're behind the ball. I would say that a lot of our property managers are busy on a day-to-day basis. Once COVID hit, our membership literally went to 24/7 dealing with residents and tenants.”
Atlanta-based Regent Partners Development Director Keith Mack said his firm is facing the question of network security more frequently today than it ever has before, especially as it develops two Thompson-branded hotels — one in Atlanta and another in Savannah.
Mack said the firm is exploring features in the room that will be controlled solely by a guest's smartphone, such as unlocking bedroom doors using radio frequency devices in the locks, being able to control room temperatures, ordering room service and even checking out without ever having to go to the front desk.
In years past, security would have likely been a secondary thought, he said.
“We didn't have it as a point of focus. We knew that hacking and cybersecurity was an issue, but it wasn't a point of focus,” Mack said. “Going forward with an office building, especially with new office buildings, internet security is going to be more prevalent. In the past, it was an afterthought. You get Norton 360 and then you move on.”
Landlords could be amplifying their risks if they simply buy devices from the lowest bidder, cybersecurity experts say. Some vendors aren’t on top of the security measures needed for the IoT equipment being installed, which then become weak links in a larger network chain.
While landlords are growing more sophisticated with their network security, they could be compromised by their vendors. Landlords may not be paying attention to what products their vendors are buying, and what inherent security flaws may be built in the equipment, PWV Consultants Managing Partner Pieter Vanlperen said.
Once those devices get integrated into the landlord's network, they become vulnerable gateways exploited by hackers, Vanlperen said.
“In general, there's a lack of understanding of risk around IoT outside the [information security] community,” he said. “There are definitely companies who do this correctly, but it's in the minority.”
Citarella said he recently consulted with a New York City commercial landlord to examine the firm's online security with all its IoT devices. He demonstrated how a vendor the firm was using to collect tenant rent payments by dipping into their bank accounts could be used to steal data.
“Suddenly, [they] realized the risk profile was much larger,” he said. “They could be hacked and hackers could get to their customer accounts.”
Cybersecurity has been on the minds of CRE professionals in recent years. In a 2019 Deloitte survey on the commercial real estate services outlook, the consulting firm found many concerned with the damages that unauthorized access through an IoT system can have on a CRE firm, including to its reputation and financial and identity thefts.
But the report noted that developers and landlords were struggling “to find the right balance of investments and efforts to handle such cyberattacks.”
Mack said Regent has found that an issue as well, especially when examining added costs. Getting the top-of-the-line systems for every little aspect of a building may be too cost-prohibitive for developers, so there needs to be compromise while still focusing on network security.
“The technology moves so quickly. You can cast that net so far in the future to not where you try to have the very best, but where you can get 80% of the way there,” he said. “You also have to walk a tightrope. You don't want to have huge data breaches as a result of a hacker coming into your hotel system and doing what they will with 300 guests' data.”