In 2013, Google – one of the world’s pre-eminent tech companies – was hacked.
It wasn’t its search engine that was attacked or its advertising platform or even its social network, Google+. Instead, it was a building.
Two cybersecurity experts hacked into its Wharf 7 office in Sydney, Australia, through Google’s building management system (BMS).
One of them, Billy Rios, says: “Me and my colleague have a lot of experience in cybersecurity, but it is not something that people couldn’t learn.
“Once you understand how the systems work, it is very simple.”
He found the vulnerable systems on Shodan, a search engine that lists devices connected to the internet, and then ran it through his own software to identify who owned the building.
In the case of the Google hack, the researchers had no nefarious purpose, did no damage and informed Google about the vulnerabilities they found.
According to Mr Rios, who runs security company Whitescope, there are 50,000 buildings currently connected to the internet – including research facilities, churches and hospitals, and 2,000 of those are online with no password protection.
“That is 2,000 buildings where you can access systems that heat and cool the building and potentially gain access to the controls of the doors,” he says.
Martyn Thomas, a professor of IT at Gresham College in the UK, tells the BBC: “It is beyond doubt that attempts to attack building management systems are happening all the time.”
Making a building smart generally means connecting the systems that control heating, lighting and security to the internet and the wider corporate network.
There was a compelling reason for doing this, said Andrew Kelly, principal security consultant at defence company Qinetiq.
“Energy savings are the biggest factor in connecting building management systems to the corporate network,” he says.
“It gives those who run the building better control and offers between 20 to 50% in energy savings.”
But it also makes them less secure.
There are various scenarios where a hacked building could have dire consequences.
Imagine, for instance, a malicious attack at an old people’s home where, in the depth of winter, hackers gain control of the heating system and shut it down.
Or a hospital where hackers take over the lighting or electricity system.
Or thieves who walk into a building they want to rob simply by overriding the system that controls the security.
And if any of these feels like a Hollywood film script, think again.
In 2013, the US Department of Homeland Security revealed hackers had broken into a “state government facility” and made it “unusually warm”.
And, in 2014, security consultant Jesus Molina told US cybersecurity conference Black Hat he had been able to gain full control of lighting, temperature and the entertainment system of 200 rooms while staying at the St Regis hotel in the Chinese city of Shenzhen.
Some of the most high-profile attacks in recent years have taken advantage of the vulnerability of building management systems.
An attack on US retailer Target, in which millions of customers’ credit card information was stolen, was traced back to the heating and ventilation system.
And, at the beginning of the year, a Ukrainian power station was hacked. Although spear-phishing – where an employee is duped into bringing malware into the system by clicking on an email or link – was blamed as the means of entry, the result was physical – nearly 80,000 customers were left without power.
Mr Kelly tells the BBC: “We have seen plenty of ransomware attacks where computers are encrypted by hackers and only decrypted if the company pays money, and it is very easy to see a scenario of such an attack on a building management system, where a factory or hospital is disabled and hackers request payment.
“It is on the horizon, it is just a matter of time,”
Mr Kelly has recently conducted a survey of smart buildings, ranging in size from small businesses with just a handful of employees to those with thousands of staff.
It was the building management systems that jumped out as the most vulnerable.
“In all cases, pretty much without fail, these systems had been procured without thought to how to make them secure. I was absolutely shocked,” he tells the BBC.
“We saw systems installed with default passwords where it would be a trivial exercise for someone remotely to gain access.”
And he found many building management systems were plugged into the corporate network “without thought about who had access or the impact of someone accessing the data in this network”.
Just as a plumber wouldn’t worry about home security, so those installing building management systems may not think about security.
“Almost anyone can set up as a BMS installer – it is a bit like taking your car to a garage with mechanics with no qualifications,” Mr Kelly says.
He recommends these smart systems are kept entirely separate from corporate networks, because it is virtually impossible to ensure the code behind them is hacker-proof.
Prof Thomas says: “These BMS systems have hundreds of thousands of lines of code, and yet the average programmer makes 20 mistakes in every 1,000 lines of code, so there are lot of bugs there.”
For Mr Rios, the experiment at Google proved no company – even one of the most hi-tech in the world – is immune to the growing threat of insecure buildings.
In a report written about some of the vulnerabilities he found in buildings, he highlights one of the more unusual possible hacks.
He found Alabama’s Bryant Denny football stadium had an exposed system that could have allowed hackers not just to turn off the lights and heating in parts of the stadium but also interfere with the game clock, which, in turn, could have affected the “integrity of the game”.
“Imagine if a fan could impact the outcome of a professional or college sporting event while sitting comfortably on their home couch,” he says.