Winter Denial of Service attack knocks out heating in Finnish homes

Originally published at: http://boingboing.net/2016/11/08/winter-denial-of-service-attac.html

…

It was -5C that is 23F degrees here in Finland this weekend and temperature drops routinely to -25C (-4F) later in winter.

You’d think the smart play would be to make the system default to a standard indoor/outdoor temperature ratio.

Only an hour? Clearly not as bad as living in Ukraine or Moldova when Putin decides to tell Gazprom to shut things off for several days during a little spat in the middle of winter.

My sorta-internet connected system has a temp probe in the return duct that overrides whatever the control unit says if it is too hot or too cold (I forget the actual numbers, but I believe they are hard coded)

This seems like a simple solution

I’m sure nothing bad will come of the intertwining of the IoT with online griefer hate trolling SWATting type “hacker” assholes.

It was incompetent design and inadequate testing that caused the problem not the ddos attack. The attack merely revealed the bugs in a more than usually dramatic way.

I wouldn’t be surprised if the householders didn’t even notice if it was a matter of an hour given how well Finnish houses are probably insulated and draught proofed.

There are lots of benefits to building smarts into electricity using products (e.g. reduced grid reinforcement costs, lower greenhouse gas emissions, lower energy prices, larger proportion of supply from renewables to name but a few) but this sounds like a not particularly well thought out design.

Are there any moves anywhere to introduce legislation to require IoT developers to design their products with effective security and modes of failure that don’t jeopardise safety and ideally enable the device to continue operating?

This.
There are a number of mechanical systems that will not work well if they are repeatedly short-cycled. Your furnace and air conditioner are among them, although some have built-in protection against such problems. Designing the controller to reboot on loss of DNS is a sloppy engineering mistake, probably made by someone with more computer experience than HVAC experience (even so…)
And the “water” systems that failed sound like the hot water circulation for heating, not your potable water supply. Most potable water systems are still designed on the KISS principle.

Too many people write code assuming that all Internet services are always there.

Hey, someone has to dial the phone and put the handset on the acoustic coupler, and get off my lawn!

Yup houses here in Finland are very well built and insulated. They lose very little heat compared to standard houses elsewhere. Hour long disruption at -5C is a minor nuisance that you will notice, but not mind very much.

True danger here is water freezing in pipes, which in turn can lead to pipes bursting. At -5C this is unlikely but at -25C this will happen. Hour long disruption than turns into several days without heating, as someone needs to go locate the breakage, dig out old pipes and install new pipes in subzero temperatures.

Heinlein anticipated this back around 1960 in “The Moon Is A Harsh Mistress” where the (unexpectedly sentient and practical joke loving) main computer is used to harass the prison colony’s warden by cycling the temperature, air pressure and other things in his quarters and is finally used to reduce the habitat’s oxygen levels to the point of knocking the warden and his guards out.

Mannie (the protagonist), an engineer, makes the sage observation that it is foolish for all critical systems to run through one controller and not to have manual overrides locally.

John Brunner, in “Stand on Zanzibar” has a sub culture of urban anarchists who publish (and exploit) a pre-Internet interchange of ideas about how to sabotage the ever-increasingly complex systems of urban society.

This stuff will become a lot more common, and deadly in time. Case law and DRM nonsense will make it harder and harder to legally defend against attacks or even analyze products to find ways to protect them and insulate makers of from the ground up insecure products from any liability.

lol…the kid in me found this to be funny.

This was just two properties, so the technicians could go over and fix things up pretty quick. But imagine if it had been two thousand properties? Yeah, sounds fun, don’t it?

No wonder so many of your emmigrants went to the Upper Penninsula of Michigan and Minnesota; winter wherever you are in Finland is too warm.

Well I emimigrated to Finland but yeah something like that.

This topic was automatically closed after 5 days. New replies are no longer allowed.