The Biggest Breaches are Penetrating Building Systems and IoT

Examining 3 major cybersecurity breaches that have found initial penetration through building systems and IoT.


Building systems and IoT/OT devices are becoming ubiquitous in nearly every business environment today. This presents huge advantages for organizations with building operations and industrial controls, empowering them to be more efficient, safer, and more profitable.


However, these same devices simultaneously present huge cybersecurity risks, that currently aren’t being addressed. Except by hackers, that is, who have exploited these devices to the point where the Harvard Business Review and Microsoft found that 60% of all successful breaches use building systems and IoT as their initial point of penetration.



  • You’ve probably seen the infamous Target data breach in headlines, because of how unusual its source was. In this case, it was caused by an HVAC contractor who didn’t take proper precautions and cybersecurity measures. HVAC technology is designed and manufactured for facilities, not for IT and cybersecurity monitoring and management.



  • Stuxnet is one of the biggest, most damaging breaches of all time, believed to be carried out by a collaboration between two world powers to attack Iran’s nuclear plants, causing record costs in physical damage. This hack attacked gas centrifuges in the nuclear plant without leaving a digital trace to alert their teams as the devices destroyed themselves over months.


Home Depot

  • The Home Depot breach was even larger than the Target breach, with associated costs surpassing $62 million. It was related to a similar exploit involving building systems in conjunction with their Point of Sale network, and has been devastating for the privacy of their customers as well as financially for their organization.


Another reason these devices are so commonly attacked is simply due to the amount of free software available online with a quick search. Here are a few that we found in just a few minutes:


  • LED-it-Go – exfiltrate data from air-gapped systems via an HDD’s activity LED
  • SPEAKE(a)R – use headphones to record audio and spy on nearby users
  • 9-1-1 DDoS – launch DDoS attacks that can cripple a US state’s 911 emergency systems
  • USBee – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data
  • AirHopper – use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
  • Fansmitter – steal data from air-gapped PCs using sounds emanated by a computer’s GPU fan
  • DiskFiltration – use controlled read/write HDD operations to steal data via sound waves
  • BitWhisper – exfiltrate data from non-networked computers using heat emanations
  • Unnamed attack – uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
  • xLED – use router or switch LEDs to exfiltrate data
  • Shattered Trust – using backdoored replacement parts to take over smartphones
  • aIR-Jumper – use security camera infrared capabilities to steal data from air-gapped networks


As long as the demand for these building systems and IoT devices is driven by facilities, they won’t be manufactured in a way conducive to IT and cybersecurity teams monitoring and managing the risk associated with them.


Read more about why these devices present such a massive risk and what you can do about it right now in our article: 4 reasons building systems/IoT devices are so vulnerable and what you can do to mitigate that risk to potentially avoid millions of dollars in breach costs.