Brrr! It's a snow day and someone has pwned the chuffin' school heating

Britain's freezing weather has reanimated the issue of insecure building control systems. Security researchers at Pen Test Partners have discovered that the web interfaces of heating controllers in many schools are accessible on the public internet and fundamentally insecure. The problem largely stems from lax installers who …

  1. AMBxx Silver badge
    Facepalm

    lax installers who have disregarded installation advice

    You sure? Surely the responsibility of the manufacturer to have secure defaults.

    1. Stuart Castle Silver badge

      Re: lax installers who have disregarded installation advice

      The manufacturers can put in the most secure defaults possible, but if an installer changes them or the systems staff give the control systems publicly accessible IPs, then you have a security problem.

      1. I ain't Spartacus Gold badge

        Re: lax installers who have disregarded installation advice

        Stuart Castle,

But this isn't the installer changing the safe defaults to unsafe. This is a unit that the manufacturer knows will be installed onto the building network by people who don't understand security or networking. So it's certain that it'll be installed wrongly. Which makes it the manufacturer's fault too.

        1. FIA Silver badge

          Re: lax installers who have disregarded installation advice

          This is a unit that the manufacturer knows will be installed onto the building network by people who don't understand security or networking

          Why do they know this?

          Many aspects of a building wide heating system will be unsafe if installed incorrectly. Why shouldn't the assumption of competence on the part of the installer be extended to the 'bits on the internet' too?

          I'm sure the salesperson 'knew all about it'. ;)

          1. I ain't Spartacus Gold badge

            Re: lax installers who have disregarded installation advice

            FIA,

            The people who install the heating controls and the BMS are usually not the same as those who install the actual explodey bits of the heating.

There is basically no internet security expertise in building services - because it wasn't part of the job description until very recently. Whereas Gas Safe training (formerly Corgi) has been around for decades.

            It's a bit like consumer electronics, in that people buy kit that they expect to work. It's probably a bit different in the world of BMS contractors, but I almost never talk to them, so don't know. I usually talk to the installer or design engineer and tell them what info our kit passes to the BMS, and they then tell them to set it up appropriately.

            1. Doctor Syntax Silver badge

              Re: lax installers who have disregarded installation advice

              they then tell them how to set it up appropriately.

              Wouldn't this version have been better?

2. Anonymous Coward

              Re: lax installers who have disregarded installation advice

"consumer electronics ... people buy kit that they expect to work."

              In which parallel universe does this happen?

              What I see 365 days a year (or thereabouts) and have increasingly seen for the last few years, is that vast numbers of people buy consumer electronics with the expectation that if it depends on software, there's a high risk it won't work as a reasonable person would expect it to, either at time of purchase or within a couple of years. And in the knowledge that the law as it applies to fitness for purpose etc in many allegedly civilised countries seems not to apply in any meaningful way to gadgets which are reliant on computers.

              How do the rest of us make our universes match your land of milk and honey?

            3. FIA Silver badge

              Re: lax installers who have disregarded installation advice

              ...

There is basically no internet security expertise in building services - because it wasn't part of the job description until very recently. Whereas Gas Safe training (formerly Corgi) has been around for decades.

              It's not that new though is it? It's been around for a few years, and we've had several high profile 'connecting stuff to the internet is dangerous' events that surely there's at least basic training? Don't you have to recertify for Gas Safe every 2 years? Keeping up with things applies across the board doesn't it?

I get that this is due to intransigence but as a customer I expect things to be done correctly; however I also don't think it's unreasonable to extend this professionally too, I assume people I talk to in a professional context know how to do their job (even if bits of their job are relatively new), just as I hope they extend the same to me.

Maybe it's working in IT, which due to its newness has probably had a more than average rate of change over the last few decades?

      2. wolfetone Silver badge

        Re: lax installers who have disregarded installation advice

        "The manufacturers can put in the most secure defaults possible, but if an installer changes them or the systems staff give the control systems publicly accessible IPs, then you have a security problem."

        But if the installer doesn't change the default settings, wouldn't it be easy for someone to just use the default settings on that system to gain access to it?

        Y'know, a lot like how "admin" is both the username and password out of the box for most routers?

        1. AMBxx Silver badge

          Re: lax installers who have disregarded installation advice

You just force the installer to create a secure password as part of the initial bootup. Even Windows manages to do this!

    2. macjules

      Re: lax installers who have disregarded installation advice

      You would have thought so. Sky Facilities are true leaders in that special British practice of turning the heating up on the hottest day of the year and making sure that the aircon is at its coldest in bleak December.

      It takes a special level of vindictiveness to do that.

  2. Stevie

    Bah!

    This is what happens when entrepreneurs find out they can run a service empire from an iPhone app.

    Oh well.

    Mr Rubber, let me introduce you to Mr Road.

  3. Semtex451
    Windows

    Lucky little sods

    When I were a lad we had to bring in a lump a' coal.

    1. Rich 11

      Re: Lucky little sods

      We used to set fire to a first-year, preferably one who hadn't yet lost all his baby fat.

      1. theOtherJT Silver badge

        Re: Lucky little sods

        First-year? LUXURY. We 'ad to donate a limb each!

        1. earl grey
          Facepalm

          Re: Lucky little sods

          And walk uphill both to and from school in the snow.

2. Anonymous Coward

      Re: Lucky little sods

      >When I were a lad we had to bring in a lump a' coal.

You were lucky, when I were a lad we had to get up at 2am and go dig the coal for the school boiler then walk 5 miles in the snow from pit to school with 200 hundredweight of coal on our backs, if we were late or even one ounce short of 200 weight then we'd be thrashed and buggered by the headmaster. I swear the headmaster fixed the scales and the school clock.

3. Anonymous Coward

      Re: Lucky little sods

      My other half is a primary teacher and often complains that the heating has either been turned down or comes on too late (so the school isn't fully warmed-up by the time the kids arrive) to save money. I'm off to go and see if I can find her school's system...

  4. rmason

    You have to laugh:

    "BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible."

    First and foremost; fuck off, how about the manufacturers who *know* most of this stuff will be installed by a random contractor make it more secure.

    Secondly; Fuck off, any such company doing this would have to pass on the (significant) costs and would very quickly find themselves installing very, very few of these systems.

    1. I ain't Spartacus Gold badge

      Re: You have to laugh:

      Thirdly: Fuck off! Any manufacturer in the building services industry knows that the person who takes the delivery of your kit onto site, first signs the POD as Mickey Mouse, then opens the box and steals anything useful and finally throws away all instruction and installation manuals.

      I admit it's possible that they take the manuals to line their nests, rather than binning them? But I know that whenever I ask an installer or end-user if they've got our manual the answer is going to be no. Not quite sure why I still ask really - I must be an optimist...

1. Anonymous Coward

        Re: You have to laugh:

Why do they need to be on the web anyway? It's a school. 5 days a week, from 8 to 6 roughly. How hard can it be just to install a multi on/off 14 day programmable timer? What do you employ the caretaker for?

        1. AMBxx Silver badge
          Joke

          Re: You have to laugh:

          It's IoT of course. You're such a Luddite.

        2. rh587

          Re: You have to laugh:

Why do they need to be on the web anyway? It's a school. 5 days a week, from 8 to 6 roughly. How hard can it be just to install a multi on/off 14 day programmable timer? What do you employ the caretaker for?

          So the COO at the Local Education Authority can have a completely pointless (but nonetheless very pretty) dashboard on a wall-mounted monitor somewhere in Council HQ.

        3. John Brown (no body) Silver badge

          Re: You have to laugh:

          "What do you employ the caretaker for?"

          In the case of smaller schools, they are employed for a few hours per day, at most, and possibly "caretake" 2 or 3 other schools too. Likewise, no on-site IT staff, just a peripatetic who turns up for a half-day per week.

    2. veti Silver badge
      Pirate

      Re: You have to laugh:

      That's because the article didn't mention the important Step 3 of that instruction, which is to "plant scare stories in the press, then lobby the DfE to mandate these steps for any school planning to buy a new BMS".

      What do you think you just read?

      Within a year or so, that or similar shit will be mandatory. And then the company that's ready to take those steps, and I guarantee that company exists (and quite possibly paid good money for this story to be generated), will be the only player in the market.

  5. Dan 55 Silver badge
    Meh

"Searches on the Internet of Things search engine Shodan by PTP"

    I could do that if I got out my credit card and coughed up. It's like shooting fish in a barrel.

  6. JimmyPage Silver badge
    WTF?

    Yawn. Once again 2FA ????

    Even a basic Google Authenticator version ?

7. Anonymous Coward

    Time and time again we have poor implementations of internet facing devices and systems. Someone needs to feel the heat for this.

    1. ecofeco Silver badge

      They certainly need their feet held to the fire.

8. Anonymous Coward

    "Die Hard in a Building", the 80s original.

    Just in time for an American X-Mas!

    (Well, the hacking was only used in opening the safe as I remember)

1. Anonymous Coward

      Re: Die Hard

      On the subject of which, time to listen to the "Ballad of Nakatomi Plaza"...

      https://www.youtube.com/watch?v=PxRIfZIbdkE

  9. L05ER

    meh...

    Back in my day, seniors pulled the fuses from all the AC units... That was a miserable end of grade exam in 95 degree heat.

    No tech needed.

  10. Doctor Syntax Silver badge

    Presumably all these installations are specified by a consulting engineer, architect or whoever.

    Is it not their responsibility to specify that they be installed securely and to inspect them before signing them off for final payment of the contract? The finger should be pointing there, not at manufacturers or installers. If they find manufacturers incompetent they stop specifying their products, if they find installers incompetent they remove them from future short lists.

  11. Duncan Macdonald

    Force disconnection from the internet

    If the manufacturers wanted to there is an easy way to stop these devices from being connected to the internet - have them check periodically if it is possible to connect to Google - if so then the installation has been connected incorrectly so disable the network connection. This would require the system to be administered from its front panel but would stop malicious attackers on the web.

    1. SloppyJesse

      Re: Force disconnection from the internet

      Just because a device can connect to an Internet server does not mean the Internet can connect to the device.

      But I take your point. At least some of the manufacturers do seem to be saying "hey, you can connect our system to an ip network to manage it. What? No, not _that_ ip network!"

  12. Captain DaFt

    Question for El Reg management:

    About what percentage of your readers (or PTP followers for that matter) are actually still in school?

    Or is there a way to calculate it from the number of schools that will still be closed after the snows due to frozen piping?

    It looks like Parliament's push to get more students interested in IT may soon have real world results! ☺

    1. EnviableOne

      Re: Question for El Reg management:

Can't be the only one to notice this, but a high percentage of IT bods' significant others are in Education or Healthcare (Teachers and Nurses)

13. Anonymous Coward

    BACnet is a protocol, not a vendor

    Anonymous, for job security

  14. ecofeco Silver badge
    FAIL

    WTF people

    Just WTF.

    Why are ANY goddamn infrastructure control systems even connected to the WWW?!
