Could hackers conceivably target lifts for attack?

It’s no secret that hackers are always setting themselves new goals as they go about their business of espionage, sabotage and blackmail. Administrations, companies, critical infrastructure such as power plants, and private individuals too fall victim in their millions to cyber criminals every single day. Could lifts be the next victims of the hackers?

According to Ulf Theike, the threat is real. He is Chief Digital Officer in the Management Board of TÜV NORD Systems. Modern lifts are digitally monitored and controlled with the aid of sensors. These digital control systems are connected with the outside world via the Internet of Things or mobile phone networks. This allows maintenance or lift companies to check at any time that a lift is working properly or whether there may be a technical fault. They can control the lift remotely and even, to some extent, carry out maintenance work. If it stops working, the software can be rebooted via the Internet. And yet, the fact that all this is possible means that cyber criminals can also try to gain access to the system. “In such a case, the lift could be controlled from the outside, forced to stop between floors, and its speed manipulated. The emergency call function could be blocked. Every recorded and stored measurement could be changed,” Ulf Theike warns.

If cyber criminals really did gain access, it wouldn’t be just the lift at risk: “Attackers might under certain circumstances go on to access the building’s entire technical equipment,” Mr Theike says; after all, lift systems are becoming ever more fully connected to other components in the building. These include access controls, air conditioning and fire protection equipment. If a lift were to be hacked, this would clear the way for cyber criminals to interfere with the other components too. Ulf Theike’s demand is this: “IT security requirements must be taken into account in the inspection catalogue for lifts; we urgently need a legal basis for the inspection of critical systems such as digital lift controls.” The required statutory framework in the EU is provided by the Cyber Security Act for devices that are connected on the Internet of Things.

And yet, cyber criminals might set their sights on more than just building technology: even the emergency call system could become a target for hackers. Why would they want to do this? Because it would offer them a way to listen in on conversations, and emergency calls could also get rerouted. Or hackers could try to manipulate the emergency phone in such a way that it would then independently and constantly call premium-rate phone numbers. In this way, they could earn a lot of money very quickly.

“In some cases, we’re too relaxed about how we deal with the new technological possibilities,” Mr Theike says. “In many areas of life, it’s no longer just a matter of technical safety; data security is also now involved. There’s absolutely no doubt about the benefits of digitalisation — but we also urgently need to keep the other side of the coin in view and protect ourselves above all against the manipulation of our IT systems.” His advice is therefore this: either make sure that lift systems aren’t integrated into building technology in the first place or, better still, completely integrate the lift system into the operator’s security concept. “That’s how you will generate confidence in the security of lifts.”