[snip]
for controlling building systems -- HVAC, electrical, plumbing, .. are not. And few are TEMPEST-protected outside military and governmental facilities. .. In short, it is fairly easy to interdict and access building automation systems for implanting devices, injecting packets, tampering with OSes, siphoning networks, temporarily suspending security [/snip]
I immediately thought, not of active injection of code/devices, but passive reading of data as a surveillance mechanism. If HVAC was advanced enough, for example, then you could use HVAC sensor data to infer location of individuals within a large building by the changes in airflow required to maintain temperature or humidity. Same for electrical use if they use devices. Hell, if the system is shit-hot enough, you might even be able to detect electrical fluctuations due to capacitance induced by passing foot traffic.
Given that the NSA apparently don't like deploying code when passive observation will suffice, might be a fruitful avenue of investigation if anyone here knows their HVAC/other-hardware control systems.
On 31/12/13 22:43, John Young wrote:
Brian Carroll rightly expands the discussion of pervasive targeting by ubiquitous technology.
In architecture, for example, the increasing use of automation for controlling building systems -- HVAC, electrical, plumbing, security among others -- poses considerable vulnerabilities beyond legacy analog controls. Many of the automated systems are administered remotely over telephone, cable and wireless networks. Others are controlled locally within structures. Some are secured with encryption but many are not. And few are TEMPEST-protected outside military and governmental facilities.
We have found that few architects and building engineers are knowledgeable about building automated systems nor the variety of means to secure and protect them. They are customarily designed, operated and maintained by specialty firms not traditional building designers.
Moreover we have found that building management and maintenance staff rely upon outside firms for advanced technology, thus subjecting their facilities to unsupervised interventions by outside personnel who may themselves be sub-contractors, and sub-subs for each component of automation.
In short, it is fairly easy to interdict and access building automation systems for implanting devices, injecting packets, tampering with OSes, siphoning networks, temporarily suspending security, all the things recently revealed in the 30c3 presentations.
Digital security and TSCM experts are familiar with many of these vulnerabilities but there is a common practice to specialize in services (often at client request) and neglect comprehensive coverage. For example, to inspect communications and security systems but not HVAC, plumbing, electrical and automation systems which often have far more inadvertent emitters and transceivers contained in extensive components throughout a structure.
NSA TAO and the joint CIA-NSA Special Collection Service are especially capable to exploit these gaps, and usually send teams composed of experts in each building system to determine a comprehensive attack on vulnerabilities, and shrewdly, planting multiple and various decoys to mislead counterspies.
A catalog of these full-scope operations would be quite informative and perhaps diminish the effectiveness of ruses and decoys, in particular the kind of solo operation valorized in movies, books and TV.