Penetration Testinga Saia Unit : A Control System for Water, Ventilation, and Heating in Smart Buildings

Abstract: The concept of Smart Buildings and automated processes is a growing trend. Due to a rapidly growing market of buildings that relies on the Internet, improper security measures allow hackers to gain control over the whole system easily and cause devastating attacks. Plenty of effort is being put into testing and securing the devices within a smart building in order to contribute to a more sustainable society. This thesis has evaluated the security of a control system for water, ventilation, and heating in smart buildings by using ethical hacking, where the testing is based on a systematic and agile pentesting process. The penetration testing was conducted using the method Black- box testing, and the testing was based on a threat model that was created to identify vulnerabilities. The results from the penetration tests did not find any exploitable vulnerabilities. However, flaws in the system, such as data being transferred in clear text and unlimited login attempts, that need to be addressed to avoid further problems, were found. The conclusion from evaluating the control system affirms that the strength of the password has a significant role, but that system can still be exposed to other hacking techniques, such as ”Pass the hash”.