How to Ethically Hack a Building

Websites are just one part of our problem with Internet security… Do a Google search for almost anything followed by the word “hack” and you’ll find tutorials on hacking TVs, refrigerators, Roombas, baby monitors, drones, toys, cellphones, nuclear power plants, commercial real estate (CRE) and other critical infrastructure. All of the above are increasingly connected, communicating and possibly being hacked, online.

Hack Building Automation System (BAS)-min

2016 experienced a 40% increase in cyber crime related data breaches, and there were over 600 million ransomware attacks1 (2-3 million successful) and 3 billion data records compromised2. Attacks are not conducted by people, mostly, but are automated by robots (aka “bots”) and programmed to attack anything with an IP address attached to the Internet. Bot attacks increased by 50%, to over 1.5 billion in 2016 3.

Most of us are simply not capable of working and living our lives, while keeping up with changes in technology AND staying vigilant as to all the threats. Nearly half of all companies worldwide report that they don’t have the digital skills they need, commercial real estate (CRE) included4. Companies are struggling to fill key security and digital intelligence positions… 200,000 cyber security positions are currently unfilled by companies worldwide5.

Internet Connectivity in CRE… The New Norm

Commercial real estate is increasingly “smart”. Making a building “smart” means connecting it to the Internet, either with a building automation system (BAS) or other software and hardware to remotely manage building systems for security, temperature, life safety systems, water controls, lighting, etc.

However, researchers have found that BAS systems are vulnerable to attack, either by technological problems, security flaws or human error. BAS devices run on different desktop and mobile operating systems, such as Microsoft Windows or Android, which are often out of date and susceptible to vulnerabilities. Sometimes these systems are connected to the cloud where sensitive corporate data is also managed.

Monitoring and regularly testing every possible entry point a hacker could exploit is difficult, if not impossible, for most building engineers. The number of possible weak links in a building is high and JLL reports that the following building systems are possibly vulnerable to penetration:

  • Lighting controls (interior and exterior/signage)
  • Surveillance and observation (cameras and recorders)
  • Water heaters (boilers) and HVAC (mechanical systems)
  • PDU/CDU (smart power strip)
  • Security access (card/fob/proximity readers, biometric readers, electrical locks, controllers, smart lock boxes, keyless entry)
  • Security/intrusion alarms (alarms, alarm panels, switches, DMP alarm receivers)
  • CO/CO2/refrigerant monitors
  • Communications (intercom, elevator)
  • Elevator (controllers, workstations, isolated servers)
  • Irrigation (ex. sump pump)
  • Power (monitoring, metering, UPS)
  • BMS Network Connected Systems
  • Modems, Routers, LANs, etc.

As property managers find themselves wearing the hat of both the building engineer, and technology risk manager, CRE investors need to get up to date, fast, in order to manage their information technology exposures because overwhelmed property management teams will be open to potential cyber attacks.

Adding insult to injury, when the insurance claims come, they may find that they do not have insurance, or are not properly covered for their losses. This is because many property and casualty policies require physical damage before they will pay for a covered loss, and cyber policies may not cover damage to physical assets.

In such situations, the potential impact on the CRE company can be both financial AND reputational.

Protect CRE With Ethical Hacking

1) Get Shodan: Go to and create a free account… Shodan is a search engine for Internet connected devices and is used by over 50% of the Fortune 500 and most universities to discover which of their devices are connected to the Internet, where they are located and who is using them.

Shodan helps you keep track of all the computers on your network that are directly accessible from the Internet and lets you understand your digital footprint.With Shodan, you can look up buildings by address.

Shodan also generates reports by leveraging the servers it has located around the world that crawl the Internet 24/7 to provide you with the latest Internet intelligence (such as “Who buys Smart TVs?”, “Which countries are building the most wind farms?”, “What companies are affected by Heartbleed?”, etc…

2) Get Metasploit: Download the free version of Metasploit. Metasploit is penetration testing software that helps you act like an attacker.

Because attackers are always developing new exploits and attack methods, Metasploit penetration testing software helps you use their own weapons against hackers, utilizing an ever-growing database of exploits.

There are free and premium versions of Metasploit, versions for everything from large enterprises to student communities, and using the software you can safely simulate real-world attacks on your network to train your security team to spot and stop the real thing. Below is a good 20 minute video on the software and how Metasploit works to identify vulnerabilities.


  1. According to SonicWall
  2. According to NBC News
  3. According to ThreatMetrix
  4. PwC’s recent 2017 Global Digital IQ Survey found that only 52% of companies rated their employee digital IQ as strong.
  5. According to Cyberseek

Insurance Checklist for Solar Contractors 3D cover iPad

Free Download

Contractor's Energy Savings Insurance Project Checklist

Solar Panel Installer Insurance

solar panel installer insurance

Passive House Guard

Passive House Guard Insurance