Why Hackers Love Smart Buildings
Kanebridge News

When all of a building’s systems are online, the cybersecurity risks become much greater.

By Suman Bhattacharyya
Fri, Sep 10, 2021 11:31am (4 min)

Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks.

In recent years, building managers increasingly have relied on internet connections and computer networks to manage pretty much any part of a building you can think of—including elevators and escalators; ventilation, heating and air conditioning systems; office machines like printers and conference-room audiovisual equipment; security and fire-safety systems; and appliances like refrigerators and coffee makers.

These smart technologies can make buildings more efficient and monitor maintenance and repair needs, allowing building operators to address problems proactively, rather than fixing malfunctions as they occur. During the pandemic, they have made it easier to monitor airflow and people’s movements within buildings.

Smart buildings “satisfy a lot of things that we’re trying to do in real estate,” says Jason Lund, a managing director at commercial real-estate services company Jones Lang LaSalle. He says, among other things, it allows building managers to create more-sustainable and greener buildings, deal with Covid risks more effectively, and maximize space more efficiently.

“All of those things being managed technologically is a good thing,” Mr. Lund says. “The backside of it is that all of them become hackable.”

The problem isn’t just that hackers can gain access to any one building-management system. The real danger is if they are able to gain access to a single system—say, lighting—and then find their way from there into many or all of the building’s other systems, whether those systems are linked to a common network or not.

“They can control lights, they can control air flow, they can control the elevators—anything that you can think that a building does can be exposed,” says Fred Gordy, director of cybersecurity at Intelligent Buildings, a smart-building consulting and advisory firm. “We had a particular case where it was a hospital group” whose systems were attacked for a ransom, he says, “and they were unable to do anything with the systems, so they had to cancel surgeries [and] send people away.”

Mr. Gordy says the number of ransomware attacks on the firm’s clients grew 600% in 2020. In 2019, he says, “our customers that were attacked represented 100 million square feet in commercial real estate. In 2020, our customers that were attacked represented 1.8 billion square feet of commercial real estate.”

What’s more, hackers who infiltrate building-management systems might also be able to work their way into a company’s corporate communications and databases, where they can loot the company’s proprietary information or hold it for ransom.

Getting in and around

So how does all this happen? One way hackers commonly gain initial access is to steal the login credentials—or obtain the stolen credentials from a third party—that a vendor uses to upload invoices to the building manager’s billing system, says Mr. Lund.

Once they’ve gained access to a billing system, or gotten into the building manager’s computer system through any other internet-connected point, hackers have many ways of broadening their access. One of the most common is to use whatever information they have found to create convincing phishing emails that prompt employees or other vendors to reveal login and password information for other systems.

One way to cut down on that risk is to link all the various building services to a single network that can be monitored and controlled by cybersecurity experts, says Adam Stark, senior technology consultant for smart buildings and smart workplaces at JLL. But that network—and everything on it—remains vulnerable if it isn’t sufficiently protected.

Hackers can move around a network like this by taking advantage of weak safeguards in place for the various systems and devices connected to the network, says Ron Cirillo, vice president of cybersecurity and service excellence at Oxford Properties Group.

“There’s a lot of very lazy work that went into designing authentication methods and identity-management methods” at many buildings, he says, citing weak passwords as one example, particularly for what might be considered relatively unimportant devices whose vulnerability to hackers might be overlooked.

“It has been my experience that operators do not tend to think of these smart devices—your coffee maker, for example—in the same way that they would think of a server or desktop computer,” Mr. Cirillo says. “As such, they will often neglect to change a factory default password, or if they do change it, they will often assign poor passwords and/or assign all devices the same password to keep it simple.”

Systems that are clearly essential also often aren’t well protected, he says, and so are easy prey for a hacker who has broken into a network. For instance, a hacker using the guest Wi-Fi in a shopping mall could find a building-management system on the same network, and “if that building-management system is using a factory default password, you could Google the password and you could sit in a mall food court and take over the air conditioning or the lighting,” he says.

Setting up barriers

Cybersecurity experts cite what they call network segmentation as crucial to keeping hackers from running amok once they’ve gained access to a computer network. Segmentation simply means building barriers into a network so that someone who has access to one system can’t easily gain access to other systems on the network.

“We logically segment every system, so in other words that if you are the air-conditioning vendor you can log into the air conditioner using our privileged access-management system, but you’re not able to route to, say, the lighting system, or the overall building-management system,” says Mr. Cirillo.

“The challenge is that putting that kind of network segmentation in place requires hiring skilled network engineers, and it requires time and effort,” he says.

Requiring multifactor authentication for anyone to access any part of the network is another basic step that goes a long way toward thwarting attacks and keeping them from spreading, the experts say.

But, of course, even with the most conscientious controls in place, no system is invulnerable. A breach is always possible “because the human-being side of it is one of the hardest to monitor,” says Mr. Lund, pointing to the risks from phishing emails, stolen user credentials and uncancelled login access for departed employees.


