It’s no secret that hackers are always setting themselves new goals as they go about their business of espionage, sabotage and blackmail. Administrations, companies, critical infrastructure such as power plants, and private individuals too fall victim in their millions to cyber criminals every single day. Could lifts be the next victims of the hackers?
According to Ulf Theike, the threat is real. He is Chief Digital Officer in the Management Board of TÜV NORD Systems. Modern lifts are digitally monitored and controlled with the aid of sensors. These digital control systems are connected with the outside world via the Internet of Things or mobile phone networks. This allows maintenance or lift companies to check at any time that a lift is working properly or whether there may be a technical fault. They can control the lift remotely and even, to some extent, carry out maintenance work. If it stops working, the software can be rebooted via the Internet. And yet, the fact that all this is possible means that cyber criminals can also try to gain access to the system. “In such a case, the lift could be controlled from the outside, forced to stop between floors, and its speed manipulated. The emergency call function could be blocked. Every recorded and stored measurement could be changed,” Ulf Theike warns.
If cyber criminals really did gain access, it wouldn’t be just the lift at risk: “Attackers might under certain circumstances go on to access the building’s entire technical equipment,” Mr Theike says; after all, lift systems are becoming ever more fully connected to other components in the building. These include access controls, air conditioning and fire protection equipment. If a lift were to be hacked, this would clear the way for cyber criminals to interfere with the other components too. Ulf Theike’s demand is this: “IT security requirements must be taken into account in the inspection catalogue for lifts; we urgently need a legal basis for the inspection of critical systems such as digital lift controls.” The required statutory framework in the EU is provided by the Cyber Security Act for devices that are connected on the Internet of Things.
And yet, cyber criminals might set their sights on more than just building technology: even the emergency call system could become a target for hackers. Why would they want to do this? Because it would offer them a way to listen in on conversations, and emergency calls could also get rerouted. Or hackers could try to manipulate the emergency phone in such a way that it would then independently and constantly call premium-rate phone numbers. In this way, they could earn a lot of money very quickly.