Connected Elevators and the IoT Doomsday Scenario

Some people are afraid of flying, or heights, or spiders, or small spaces, or other people—there’s a whole range of things. For me, it’s the elevator.

Oh sure, I use them—it would be seriously weird if I didn’t, wouldn’t it (though my calves would be killer)? But that doesn’t mean I like them. And it’s not the fear of heights, per se; those elevators that have glass sides allowing you to see out as you zoom to the top of whatever major landmark bother me no more or less than any other kind of lift. Ferris wheels and observation decks bother me not at all. No, it’s something about the elevator itself. I think it’s the idea that you’re helplessly dependent on technology, and stuck in this large tin can, which, should a cable fail, will plummet you to your certain death.

So, imagine my horror when an announcement came across my desk talking about how cybersecurity company Nixu is going to try to hack a connected elevator.

Connected elevators are a thing? A terrifying thing? I thought, while concurrently thinking, of course there are, you idiot; you’ve seen films and things where they’re stuck in the elevator and someone has to program the building override to get it moving again, etc. etc.

Shudder. The idea of a hackable elevator, where someone can trap and move around its occupants on a whim, maybe while watching the whole thing via the security camera, is just horrifying.

It truly is something I’d rather block out and not think about, but there it was in black and white. So, I read further.

Nixu, as part of its IoT Wreckathon event, teamed up with KONE, a self-declared “global leader in the elevator and escalator industry.” KONE has apparently been adapting to digitalization for some time, using IoT platforms to bring “intelligent” services to elevators and escalators. It does this by collecting and analyzing sensor data in real time, to stay on top of equipment performance, reliability and safety.

Well that’s all right then. Performance and monitoring—not complete remote takeover.

“KONE takes all safety and security related matters very seriously,” said Johan Boije, CISO at KONE. “Participating in the Nixu Wreckathon is a fun and modern way of challenging the cybersecurity measures of our solutions. It also provides our developers with the opportunity to participate in the event to learn and explore hacker-like thinking.”

Yes—YES!! I enthused to myself. I like this. In fact, it’s the total opposite of concerning. Safety monitoring is aces in my book.

Then to make myself feel even better, I Googled “hackable elevators,” convinced that nothing alarming would come up, and the first result that appeared was this: A magazine article discussing the worst-case scenario for IoT hacking imaginable—the multi-pronged campaign that could take down New York City. The Doomsday Scenario.

It involves hacked cars and hospitals—and well, hacked everything. Within it is this passage:

“The vast majority of the 70,000 elevators in New York City are not connected to the internet, but building managers had begun taking elevator manufacturers up on their offers to install remote-control systems as a way to cut costs. And so, an hour after the SUVs started crashing, a resident who had recently moved into a new tower in Hudson Yards was riding up to her 22nd-floor apartment when her elevator suddenly jerked to a halt. Across town, a bank of elevators in a Downtown Brooklyn office building that had installed the same software stopped working, with several members of a new-media start-up onboard one car. It didn’t take long for them to begin sharing their lighthearted grievances on social media. One of them pointed out a remarkable coincidence on Facebook: His friend in a different building had gotten stuck in an elevator too.”

Gee, thanks New York Magazine.

Fear of the internet of things (“connectaphobia”?) is not really all that unusual—and why should it be, given that we now have hackable robots that can be programmed to attack fruit like Michael Myers went after Jamie Lee Curtis?

Hypotheticals like those that the doomsday article points out are actually pretty believable, given the lax security measures taken by vendors, and the sheer complexity involved in implementing safety-by-design for things like connected cars and, yes, elevators.

Hackathons, bug bounties and the like are a step in the right direction (good job, Nixu and KONE), and I’m hopeful that there will come a day when the idea of, say, your vacuum cleaner attacking you while you sleep, will seem laughable. But until then, I’ll stand by the old joke that “just because you’re paranoid doesn’t mean they’re not after you,” and remain nervous every time I get in the elevator.
