National Security and Your Home Thermostat
William R Soley
Sr Staff Engineer
Sun Microsystems
Nov. 18, 1999
Abstract
This position paper illustrates the national security risks associated
with home automation and entertainment products that are connected to the
Internet through home area networks and residential gateways. Examples
are given showing how potential security flaws in networked home thermostats,
burglar alarms, sprinkler systems, and telephones might be exploited in
a synchronized attack causing failures of critical public infrastructures
such as the electric power grid, public switched telephone network, and
police, fire, and medical emergency response systems. The conclusion urges
manufacturers of such devices to give more attention to security features
than might be justified solely by market demand based on users' concern
for their individual safety and property.
Introduction
Numerous manufacturers are developing home automation and entertainment
devices to connect to home area networks (Bluetooth, CEBus, HAVi, LonWorks,
VESA, X10). These home area networks will ultimately be connected with
each other and the Internet through residential gateways. Such interconnection
provides many advantages for the homeowner, but at the same time creates
an enormous security risk that is much farther reaching than it first appears.
Security weaknesses in devices such as thermostats, modems, burglar alarms,
and sprinkler systems could put the homeowner's safety and property at
risk, but closer examination reveals that a synchronized attack on a large
number of such devices could compromise critical infrastructures such as
the electric power grid, public switched telephone network, and police,
fire, and medical emergency response systems.
Isolated Attacks
We are used to thinking about isolated attacks where one target system
is attacked at a time. The damage from a successful attack would generally
be confined to the system that is under attack or the data it stores or controls.
For example, an isolated attack on a home thermostat might result in the
house being cold when the owner gets home. Maybe the pipes could be frozen,
or a sensitive pet might die. The consequences would not be much different
than if the attacker physically broke into the house and adjusted the
thermostat. Although isolated attacks can be of very serious consequence
to the homeowner, and even friends and family, I will not be addressing
them in this paper.
Synchronized Attacks
In a synchronized attack, many systems would be attacked at precisely the
same instant. We are not used to thinking about this kind of attack because
today's networks are so complex that the lack of uniformity generally makes
synchronized attacks difficult. Another factor is that the potential targets
are mostly unrelated so there is generally no motivation for a synchronized
attack. The majority of synchronized attacks today are denial of service
attacks on the network itself (or parts of it).
These factors change when we consider a home automation network. These
networks would be populated by highly uniform mass market devices. Since
the devices would be targeted at a non-technical population, they would
have very few, if any, configuration options. Many of the devices would
control physical systems around the house. Some of the physical systems
would interact with systems outside the home. They consume electric power,
place telephone calls, report burglary, fire, and medical emergencies,
consume water, etc. In normal operation, the effect of any one home on these
infrastructures would be insignificant and well within the bounds for which
the public infrastructures were designed.
Even if some of the home automation systems were the victims of an isolated
attack, it would not violate the infrastructure's operating limits. However,
if thousands, or even millions, of home automation devices were attacked
at exactly the same instant, it would multiply the otherwise insignificant
effect on the infrastructure by thousands or millions, probably resulting
in infrastructure failure.
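The multiplier argument above can be put in numbers with a small load model. The model below is an added illustration and is not part of the paper; the per-unit load (3.5 kW), the 40% duty cycle on a 20-minute compressor cycle, and the 25% planning margin are assumed values chosen only to make the comparison concrete.

```python
import random

# Constructed model (added illustration, not from the paper): one hour of
# aggregate air-conditioner load, minute by minute, across n_homes homes.
def simulate_peak_load(n_homes, unit_kw=3.5, duty_cycle=0.4, cycle_minutes=20,
                       sync_minute=None, jitter_minutes=0, seed=1):
    """Return the peak aggregate load in kW over a 60-minute window.

    Normal operation (sync_minute is None): each compressor runs for
    duty_cycle of every cycle_minutes with a random phase, so at any minute
    only about duty_cycle of the units draw power (load diversity).
    Synchronized attack (sync_minute set): every unit is switched on at the
    same minute and runs a full on-period, so the diversity is lost.
    jitter_minutes > 0 spreads the start times over a window; this is an
    assumed randomized-delay mitigation, not something the paper discusses.
    """
    rng = random.Random(seed)
    on_minutes = int(cycle_minutes * duty_cycle)
    load = [0.0] * 60
    for _ in range(n_homes):
        phase = rng.randrange(cycle_minutes)
        start = None if sync_minute is None else sync_minute + rng.randrange(jitter_minutes + 1)
        for m in range(60):
            if start is None:
                running = ((m + phase) % cycle_minutes) < on_minutes
            else:
                running = start <= m < start + on_minutes
            if running:
                load[m] += unit_kw
    return max(load)


def capacity_exceeded(n_homes, planning_margin=1.25, **kw):
    """Compare the synchronized peak against a capacity sized for normal load.

    Assumption of this model: the grid segment is planned for the normal
    diversified peak times planning_margin. Returns
    (normal_peak_kw, attack_peak_kw, capacity_kw, exceeded).
    """
    normal_peak = simulate_peak_load(n_homes, **kw)
    attack_peak = simulate_peak_load(n_homes, sync_minute=10, **kw)
    capacity = normal_peak * planning_margin
    return normal_peak, attack_peak, capacity, attack_peak > capacity


if __name__ == "__main__":
    normal, attack, cap, over = capacity_exceeded(10000)
    print(f"normal peak {normal:.0f} kW, attack peak {attack:.0f} kW, "
          f"capacity {cap:.0f} kW, exceeded: {over}")
```

With ten thousand homes the synchronized case draws the full connected load at once, roughly two and a half times the diversified peak, which is what turns an individually harmless setpoint change into an overload.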
Examples
The following examples illustrate how a synchronized attack on selected
home automation devices could result in public infrastructure failure.
The first example, a home thermostat, is described in the most detail and
serves as a template for the other devices for which the scenarios are
very similar.
Thermostat
The external interface to a thermostat can be expected to have a method
to allow the user to configure a night/day setback schedule for conserving
fuel while the house is unoccupied. This kind of feature is the essence
of home automation since it would allow, for example, the burglar alarm
to tell the thermostat when the house is occupied so the thermostat could
switch modes. If the attacker is able to invoke the method on the thermostat,
either directly from the Internet or indirectly through another device
that the thermostat trusts, then this attack is possible.
The thermostat would be likely to have some access control mechanism
to prevent unauthorized access. Also, the residential gateway would probably
act as a firewall providing additional protection. However, experience
shows that these mechanisms are often unreliable due to bugs, misconfiguration,
poor design, or poor operational habits. Hackers have proven their proficiency
at bypassing even the most sophisticated access controls even when managed
by expert network administrators. Due to the uniformity of these devices,
an exploit that is effective on one home's thermostat would be likely to
be effective on thousands (millions) of others and could be automated so
it could be executed on a massive scale.
The attack scenario is:
- find an exploitable weakness in the thermostat access control and write
a program to automate the attack
- use the program to configure as many thermostats as possible to COOL mode,
and to set the temperature to 0°C at a specified time in the future
- at the specified time, thousands (millions) of air conditioners turn on
at the same instant causing an electric power grid overload
If it is not possible to schedule the temperature change in the future,
the same thing can be accomplished using a variety of cruder techniques.
If no direct attack on the thermostat or a device trusted by the thermostat
can be found, then the thermostat software could be altered at the manufacturer
before it is signed, or at any point in the software distribution path
if it is not checked for signature.
Sprinkler System
Smart sprinkler systems might be exploited in the same manner as thermostats
with the consequence being a severe drop in water pressure, which among
other things would hinder fire fighting efforts.
Telephone or Modem
Any device that is able to place a telephone call, whether conventional,
or wireless, might be exploited in a number of ways. The basic attack would
simply overload the telephone switch in the same manner as often happens
in an earthquake, which knocks telephones off the hook and instigates thousands
of simultaneous "did you feel that?" calls. Other scenarios could target
specific organizations or geographic areas by placing thousands (millions)
of calls to a single number. If the number targeted is 911, then this attack
could simultaneously affect the telephone network and the emergency response
services. [NOTE: what safeguards are in place in PSTN, 911?]
This problem already exists today with cable boxes and satellite receivers
that require a telephone connection so they can report pay-per-view usage
to the service provider. The service provider can send a signal over the
cable or satellite causing an individual box to initiate a report. [NOTE:
find more on this, has it been done, can they change the number to call,
what safeguards, can they tell all boxes to phone home, can the call be
scheduled in advance]
Burglar Alarm
Most burglar alarm systems are capable of reporting burglary and possibly
fire and medical emergencies to a central station or directly to the police.
Often this is done by telephone, but many other techniques are in use.
No matter what technique is used, a successful synchronized attack on burglar
alarm systems could seriously impair police, fire, and medical emergency
response capabilities by overwhelming them with false alarms. This attack
is expected to be the most difficult of these examples because the nature
of the device is centered on security and it can be expected to be hardened
against this kind of tampering; but it is conceivable that it might detect
an attack in progress and respond by intentionally sounding an alarm in
which case it would not be necessary to actually compromise the device
in order to achieve the desired effect.
Residential Gateway
Residential gateways are prime targets. Other devices in the house are
likely to trust the gateway, which might act as a firewall for other devices
and in some cases be their only line of defense. Most residential gateways
are being designed to allow applications to be downloaded and executed.
A trojan horse hidden in one of the applications which the user willingly
downloads might be able to access most of the devices in the house. It
would not be hard to create a fake company and distribute an application
that does something cool but has one little undocumented feature allowing
the authors unlimited access to the home area networks.
Table 1 compares the infrastructures potentially affected by the various
attacks described here. The residential gateway is shown to potentially
affect all of the listed infrastructures because attacks on all the other
devices might be launched from the gateway on the assumption that most
security policies would have the devices trusting the gateway. Since the
residential gateway is relatively complex compared to the other devices
there are likely to be only a few popular manufacturers, thus increasing
the uniformity and allowing the attacker to focus more effort on fewer
attack variations for a higher yield.
Conclusion
This is a serious risk. The problem is not widely recognized because we
are used to thinking only about individual attack scenarios. The purchaser
of home automation devices has little knowledge of the risk of synchronized
attacks, little influence on a solution, and little motivation to get involved.
It is only the accumulated effect of thousands (millions) of purchases
that creates the national security risk, so there will be no consumer market
pressure for manufacturers to specifically address these issues.
The stakes are much higher for synchronized attacks than for individual
attacks, and they will attract the attention of a different set of attackers.
Foreign governments and terrorists could use synchronized attacks as a
powerful weapon, especially in combination with conventional attacks. Cyber
warfare is attractive because it costs very little compared to conventional
warfare, it can be implemented remotely, and it can be hard to trace.
Manufacturers, service providers, and standards bodies must recognize
this risk and carefully define measures to manage it. At the same time
the public infrastructure organizations must design safeguards and contingency
plans. Safety requirements and standard practices (like the National Electrical
Code) should be developed by the industry.