Security implications in HVAC equipment
Chris sent us: "My wife sent me a link, asking if it would be wise to use a new offering by our local electricity provider (TXU). They will give their customers a free iThermostat with web-enabled features in exchange for the ability to cycle, or turn off the customer's AC unit during peak demand periods. The web-enabled features are hosted by TXU [...]"
There are a number of rather important aspects in there already. As security-conscious people (like most, if not all, of our readers) we should really reach out to our surroundings and make the "would it be wise" reaction to the security impact of a choice an integral part of the decision process. It's a hard thing to achieve, not only in a corporate environment but in a home setting too. It's basically a risk assessment you do, but in order to do it you need to know the risks involved.
The second part is the stressed electricity generating infrastructure in the USA. If the choice is between the utility cycling off your AC and losing power to all of your home, then at home (unlike in a data center, where the AC is critical to avoid overheating of equipment) the choice seems relatively easy, provided enough others make the same choice for it to make a difference.
Back to the risks involved:
Confidentiality
The data on when you're at home, what schedule you put in the programming of your AC, when you're on vacation, ... has some impact should it fall into the hands of others. Just imagine what a burglar could do knowing who's on vacation when, or when you're scheduled to be home or not, ...
Even without that, there's no mention I could find of who has intentional access to that information. Will they use it to send you more marketing stuff? Will they share it with third parties who'll offer their services too?
How is it made sure only your device(s) can get to the settings?
Integrity
What happens if an unauthorized setting heats your home in winter to the maximum the HVAC unit can go during your absence? Or to the minimum it'll go? Who pays for the energy bill and incidental damage if you didn't authorize those settings?
The new unit does have a lockout on the keyboard, but the troubleshooting on the website makes it obvious how trivial it is to override the lockout.
Availability
What happens if the website or your Internet connection is unavailable? Do you lose HVAC? Will it stay in its last setting? Will it know the rest of the schedule and continue to execute it, without you having the ability to make changes until the communication or service becomes available again?
Authentication
Well ... login and plain old password on that website says enough to our readers I guess.
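The integrity, availability and authentication questions above boil down to how the device treats commands from the hosted service. Below is an added example, not the utility's or the thermostat vendor's code, of a control loop that treats those commands as untrusted input; the HMAC-SHA256 signing, the owner bounds, the local schedule and the 30-minute limits are assumptions chosen for illustration.

```python
import hmac, hashlib, json

# Constructed illustration: a thermostat control cycle that only honours
# authenticated remote commands, keeps them inside owner-chosen bounds and
# falls back to a locally stored schedule when the service goes quiet.

OWNER_BOUNDS_F = (60, 80)                  # setpoints the homeowner will accept
LOCAL_SCHEDULE = {"day": 72, "night": 66}  # schedule stored on the device itself
STALE_AFTER_MIN = 30                       # treat the service as down after this silence
MAX_HOLD_MIN = 30                          # longest demand-response cycle-off we allow

def sign_command(raw, key):
    """Assumed authentication scheme: HMAC-SHA256 over the raw command bytes."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

def make_command(key, **fields):
    """Build a signed command (constructed input for the examples/tests)."""
    raw = json.dumps(fields).encode()
    return raw, sign_command(raw, key)

def local_setpoint(hour):
    """Availability: what the device does on its own, with no service at all."""
    return LOCAL_SCHEDULE["day"] if 7 <= hour < 22 else LOCAL_SCHEDULE["night"]

def decide(hour, minutes_since_contact, key, raw=None, sig=None):
    """Return (setpoint_F, hold_minutes, reason) for one control cycle."""
    fallback = (local_setpoint(hour), 0, "offline: local schedule")
    if raw is None or minutes_since_contact is None or minutes_since_contact > STALE_AFTER_MIN:
        return fallback
    # Authentication: a remote command is only as trustworthy as its signature.
    if sig is None or not hmac.compare_digest(sign_command(raw, key), sig):
        return (local_setpoint(hour), 0, "rejected: bad signature")
    try:
        msg = json.loads(raw)
    except ValueError:
        return (local_setpoint(hour), 0, "rejected: malformed command")
    if msg.get("action") == "cycle_off":
        # Demand response: hold the compressor, but never longer than agreed.
        minutes = max(0, min(int(msg.get("minutes", 15)), MAX_HOLD_MIN))
        return (local_setpoint(hour), minutes, f"demand-response hold {minutes} min")
    # Integrity: the service may move the setpoint only inside owner bounds.
    lo, hi = OWNER_BOUNDS_F
    sp = msg.get("setpoint")
    if isinstance(sp, bool) or not isinstance(sp, (int, float)) or not lo <= sp <= hi:
        return (local_setpoint(hour), 0, f"rejected: setpoint {sp!r} outside {lo}-{hi} F")
    return (sp, 0, "remote setpoint accepted")
```

A real device would also log every rejected command, since a burst of out-of-bounds or badly signed commands is the signal that someone other than the utility is talking to your thermostat.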
Wireless
The installation instructions raised some additional questions about the wireless network component that they do not answer. After watching the video a few times, it appears they are using a Digi ConnectPort X2, which seems to provide ZigBee/IEEE 802.15.4 for "PAN" connections.
So you'll have to read up on yet another wireless network type beside WiFi, Bluetooth, ... It is interesting to see that ZigBee does mention ACLs, AES, ... but I've also seen it mentioned that the encryption is in fact optional ...
ZigBee FAQ, Gilles Thonet, IEEE, February 2006.
ZigBee Security Layer Technical Overview, ZigBee Alliance, Seoul, September 2006.
So this raises many more questions than their FAQ will answer.
A conclusion: well, there's hardly any, as the questions would need answers before the risk can be determined. Regardless of that, in the end the important part is the risk you're willing to accept in order to gain the benefits, which go far beyond the security implications.
To be clear: I'm sure there are many more providers that use this technology beyond TXU; it's just the one sent in by one of our readers. I'm not trying to single them out in any way other than using this as an educational example.
--
Swa Frantzen -- Section 66