POS system attack shows the danger of remotely accessible HVAC systems.

The recent Target POS system attack shows the danger of remotely accessible HVAC systems.

In Target’s case, it now appears that hackers stole login credentials belonging to a company that provides services for its Internet-connected heating, ventilation, and air conditioning (HVAC) systems and used that access to gain a foothold in Target’s payment systems.

HVAC systems connect to networks at various retail companies, government buildings and even hospitals, and vendors and other third parties often have remote access rights to these systems for administrative and support purposes.

Researchers have indicated that more than 55,000 HVAC systems have been connected to the Internet in the last three years alone, and many of these have security flaws that hackers and/or malware can easily exploit to gain access to networks and other corporate systems.

Most companies have no idea HVAC systems are connected to the Internet and can serve as gateways into the corporate network and sensitive data. This means that this breach could affect many other control systems connected to a company, without the company’s knowledge.

Often, the companies that have remote access to HVAC systems fail to realize that the systems can be used as a gateway to sensitive corporate networks. So they tend to have lax security measures, he said. For instance, many HVAC management companies use the same password to access systems belonging to multiple customers.

Ironically, many DVRs used for business security purposes and unsecured wireless access points have similar vulnerabilities.

If you would like to have your systems checked for vulnerabilities, please contact the CCS Retail Systems Support Department.

– John
