Another major cybersecurity vulnerability has come to light. A bug in the code of Cloudflare, a provider of content delivery networks, Internet security services, and distributed domain name services, appears to have leaked encrypted, private data from some of the company’s 4 million clients.
According to security researcher Tavis Ormandy, “private messages from well-known services, [personally identifiable information] from major sites that use Cloudflare, and even plain text application program interface requests from a popular password manager” were included in website code generated by Cloudflare’s ScrapeShield feature.
Intelligent and Vulnerable Buildings
There is no reason to believe the bug in Cloudflare will present a vulnerability to any intelligent building. Cloudflare is used for websites, not buildings. But this incident is a reminder of how easily data can leak onto the Internet, even with the best of intentions. An increasing amount of building data is being collected and stored using the Internet. Indeed, large datasets have the potential to improve energy and operational efficiencies. In Navigant Research’s Data Integration for Intelligent Buildings report, the market for the incorporation of data from commercial buildings to develop analytics platforms is forecast to grow by an order of magnitude over the next decade.
As more gateways are needed for data collection, more entry points become available for cyber attacks. Attackers seeking entry into corporate networks look for the path of least resistance. This could be an unpatched or improperly configured gateway for a building management system. But perhaps the more pervasive threat, as demonstrated by the Cloudflare vulnerability, is that data stored anywhere could be leaked. The very reasons why building data promises better business operations can turn sinister in the wrong hands.
Retailers, for instance, can analyze occupancy data to create consumer heat maps to optimize store layout. But that same data could be used to estimate financial performance based on customer footfall; this non-public information could be used to boost a trader’s position on the retailer’s stock. Moreover, the same occupancy tracking could be used to facilitate theft, stalking, or even terrorism in a variety of commercial facilities, including offices, healthcare, or education buildings. Despite these potential risks and the inherent difficulty in keeping data secret, the improved energy and operational efficiencies created by better connected buildings promise to change commercial buildings for the better.