by The Philosopher
It is a rare technology indeed that continues to be accessed by dial-up modem in addition to DSL and other venues, drops one to a command prompt immediately upon connection, and yet carries a great deal of significance in the aspect of life administered thereby. Such systems do exist, although they are usually discovered by the oldest and most primitive, in the opinion of some, of processes-the few systems with so little security and so much importance are thus often overlooked and underrated in a hacker culture increasingly geared towards discovery of the cutting-edge.
It is simply astonishing what wardialing is still capable of revealing, for instance - a technique that has unfortunately lost most of its popularity in the underground, surviving now primarily as a pastime for casual phreaks, who more often than not do it by hand in search of nothing so glamorous or useful as modem carriers to computer systems, a practice usually called 'hand scanning' or simply 'scanning.'
Heat computers and monitoring/building automation systems of all types comprise one of the few remaining classifications of machines that may still be accessible via phone lines, and one of the still scarcer categories of those that do not immediately require a password. As might be expected, these attributes, when exploited clandestinely, provide the potential for some extremely outlandish hijinx, some of the only things possible remotely that even begin to compare with the pranks portrayed in the film Hackers (with regard to physical manipulation of buildings remotely).
From these computers the temperature of water in the boiler, cutoff temperatures at which the OAS will cease to heat the building, burner attributes and more may be controlled-these systems are designed to manipulate and monitor the entire scope of processes involved in space heating. Brief, minimal explanations of boiler operation and water heating are necessitated by the subject matter of this paper and will be provided in due course.
Still, interested readers are urged to research boiler operation and water heating more extensively. In this article the extent of this author's knowledge regarding said systems shall be detailed only with respect to specific models of OAS heat computers; however, the similarities of their operation would suggest that other brands and versions function in a similar fashion so as to ensure the usefulness of the information within this article in the instance that one should encounter one other than those specified here.
As was mentioned previously, the OAS Heat Computer (version 6310, in the following captures) is an attractive target for exploration as it is accessible remotely over a modem (and, in the case of later models, DSL over static IP) connection, provides a plethora of information regarding the boilers under its control to anyone who calls without supplying security credentials (although a password is necessary for programming) and renders possible through remote technology tasks that formerly required access to a thermostat or boiler room.
Said modem connection to the OAS requires 1200 baud and a 7E1 terminal emulation (7 data bits, even parity, one stop bit). Upon connection a banner similar to the following will be displayed:
CONNECT 1200 OAS Heat Computer 124-5 & 328-12 WEST 12 12:49A Tue Jun 24, 2008 MODE:
This will identify the time and date at the location of the unit and the address, concluding with a MODE: prompt. Note that this is a street address in the format "124 West 12th St." (this unit has moved since this was set during the installation period, though, and the address is obviously fictitious, changed to preserve the identity of this particular system) - this is the format for New York City, at least. Units in other locations may display it differently.
MODE: prompts the user to enter a command. Typing a question mark will result in the following helpful explanation providing a list of commands and keys that will be used during the session:
MODE: ? COMMANDS: R = CURRENT REPORT S = SET POINTS P = PROGRAMMING (ALSO P1,P2,P3,P4) T1,T2,T3 = HOURLY TEMPERATURE RECORDS E = EVENTS H = DAILY HISTORY (HA,HB = THE TWO PARTS SEPARATELY) W1,W2,W3 = WATER RECORDS D1,D2,D3 = T1,T2,T3 + E + H + W1,W2,W3 XD1,XD2,XD3 = MORE HOURLY RECORDS L = LOGON MESSAGE (ADDRESS AND DATE) V = VERSION (MODEL NUMBER, DATE AND NOTES) SPECIAL KEYS: <?> = HELP <CTRL-C>, <ESC> = ABORT CURRENT MODE <CTRL-S> = PAUSE TRANSMISSION <CTRL-Q> = RESUME TRANSMISSION <BACKSPACE> = DELETE LINE
The descriptions of commands are fairly cryptic, as the OAS assumes that one is familiar with its administration. I shall elaborate: R, Current Report, will print a report of the temperatures of water in various sections of the boiler as well as their status, as seen below (note that commands must be entered in all caps):
MODE: R __TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK 12:49A 77 80 82 78 80 74 82 83 <5* <5*| 68 194 117 >>> 136 OFF(B) AUT(K) WINTER _BURNER__HEAT___BYP___MAL___BAT__HI__LO_ 0:03 0:00 0:00 0:00 0:00 71 68 0 __H-A__H-W__L-W__H-S_____WTR_ 198 128 113 656 0
TIME is self-explanatory-the time of access.
245A through 285D signify the eight thermistor sensor inputs of the computer, (thermistor = thermal resistor - a resistor that varies in electrical resistance with temperature. Thermistors were invented by Samuel Ruben in 1930, although they were not developed for practical commercial use until the latter half of the 1950s by Bell Telephone Laboratories. This information is included in case one wonders as to how temperature data is converted into electrical signals decipherable by the computer) with the values underneath them denoting the temperature at each corresponding location.
OAS claims that these may span three locations - perhaps the 245 and 285 are located in two separate places. _9 and _10 are two additional sensors that report apartment or outside temperatures.
A <5* is indicative of an electrical break/open connection or indeed a temperature below 5°F. Obviously the former is true in the case of this building, since it was accessed in June, and other reported temperature values are not within even remote proximity to 5° or less.
OUT is the sensor input for outside air; 68 is the temperature outside at the time of access.
AQS stands for aquastat, similarly - this value represents the temperature of the water in the boiler.
DHW and CHW are acronyms for domestic hot water and coil hot water, respectively, representing the temperature of hot water when "called" domestically and in the coil. To make this distinction, the term, "domestic hot water" or DHW refers to potable water used for functions other than space heating; i.e., water of sufficient quality for human consumption (regardless of actual usage) that is not used to heat a building. ("Potable" water is tap water - water deemed suitable for drinking.)
Examples include tap water used for showering/bathing, drinking, cooking, cleaning, etc. The latter value, CHW, is necessary to monitor since debris may collect on the outer coil and absorb heat, thereby lowering the temperature of the water as it travels through the boiler, thus wasting fuel as more is required to achieve the requested temperature.
The significance of the arrows seen underneath CHW is that of a "probable electrical open" as according to the electronic manual for the OAS Heat Computer 1000 (the likes of which is packaged with software that will be discussed in the latter half of this article.) Usually, though, a numerical temperature value will be displayed here.
Following CHW, STK represents the temperature of the stack (also commonly referred to as a chimney) of the boiler.
Notice that the burner is in "winter" mode, an unusual condition for a system accessed in June. Summer and winter modes differ in that the heat computer will cease to actively provide heat when it is set to the former option, although domestic hot water will be provided still, and winter mode is that at which the computer will provide heat and function ordinarily. Altering the mode from winter to summer and vice versa is one of the programmable set points of the system, as will be seen anon.
OFF(B) reports the status of the burner as off, and AUT(K) the status of the key switch in automatic position. This key switch serves as a venue to control the most fundamental functions of the heat computer manually and locally - if in the "ON" position, it activates the burner in a manual bypass; that is, in the absence of a heat call.
"Heat call" is simply the term for a request, either automatic/digital (the temperature may drop below the programmed threshold, necessitating heat) or manual, for heat. Calls may also occur for domestic hot water. If in the "OFF" position, the burner will be switched off and remain unresponsive to heat calls. In automatic position, the burner will activate/deactivate appropriately depending upon the presence of system heat calls. Also on this line may be commonly printed an indication of a domestic hot water call; it could be alternately seen as:
OFF(B) AUT(K) WINTER DHWTR
Furthermore, all of the dial-out alarm conditions described below may appear on this line of the report, in addition to OVRD (programmed override) and BAT, which indicates that the system is currently operating on battery backup.
Hydronic systems may exhibit ON(C) or OFF(C), which report the status of the circulator pump as on or off. The differentiation between hydronic and steam boilers will be made throughout the current report analysis as the OAS Heat Computer handles each respective type of system slightly differently. Hydronic boilers heat fluid, usually water, to a specific temperature and heat a space through the circulation of that hot water or fluid. The circulation pump serves the specific function of returning water to the boiler once its heat has been largely dissipated.
The next line reports the burner run time, heat time, bypass, malfunction, and high/low outside temperatures for the past 14 days. As can be concluded from a brief analysis, the burner has been running for three minutes at the time of access, and no malfunctions or bypasses have occurred.
It appears as if the current outside temperature is the lowest in two weeks. High aquastat temperature (H-A), high/low domestic hot water temperature (H-W, L-W), highest stack temperature and boiler water consumption are daily reports as opposed to the current ones seen above. HEAT, or heat time, displays the burner run time during heat calls (an instance of heat being turned off or on is referred to as a heat call, as noted above. The redundancy here is simply to facilitate expediency in quick reference of this particular section of the report analysis.).
Underneath BYP, system bypass, is placed the burner run time during a period in which the burner is active yet no heat or DHW calls are present. Bypasses will trigger the bypass alarm (see below), and may occur when the key switch has been manually set to the "ON" position, or if the burner has been physically controlled from the burner panel located on the heat computer system itself.
In order to understand the significance of the time value, if one is present under MAL, one must understand the method by which the heat computer defines and manages 'malfunctions.' In order to properly operate the burner as corresponds to heat calls, the OAS Heat Computer temporarily records through its circuitry the burner status. The "flame failure" circuit is that which will be interrupted if flame is not turned on when called for. The malfunction alarm is connected to this circuit and "listens" for flame failure. If a delay in excess of 45 minutes is reported between a call for heat or DHW and the activation of the burner, when the key switch is in automatic position, a "timed malfunction" occurs, the likes of which is printed here and logged as an event in the records viewable by the E command.
Timed and hardware malfunctions differentiate in that the latter is a failure of flame even when the burner has attempted to produce it, as opposed to timed malfunctions which are failures of the burner to activate at all; logging of this is an instant process. BAT reports the amount of time that the heat computer has been operating on battery backup.
To enhance reader understanding of boiler operation, two ASCII diagrams are included.
Two main classifications of steam boilers exist-shell and coil type.
Differences in structure are evident in the diagrams, and marginal explanations are written in:
Safety Vent | | ( ) Steam travels in this v | | <--Stack/Chimney direction through this valve<===_ || | | Dome-->| | || | | ___________________|_|___||___|__|_______ ( | | || ) ( ________________|_|___||______ ) Water Line --> =========(--(______________________________) ) ( (______________________________) ) ........ ( (______________________________)<------)--------"Aquastat" temp. . .____( (______________________________) ) would refer to . Burner . | (___*** Shell Type Boiler ) the temp. of . .__|_(___***___________________________________) water in these .......... ^ pipes. | ASCII approximation of flames
Burner ____ | <|____| | | | . . . v. . . | | . _v__ . Steam line--> | | . || |____| . Steam travels | | Safety Vent-.-->|| |____| . through this | | ...||..|....|....... valve into a \ \__________________|| |____| || separator. \ || ______|v|v|_______ || \__________________||(_____ |v|v|<---------------ASCII approximation of flames || ______|v|v|_______ || 'Coil' lining the inner shell-->(______|v|v|_______)|| 'Coil hot water' refers to the || ______|v|v|_______ || temperature of the water in ||(_____ |v|v|_______)|| this coil. || ______|v|v|_______ || ( ) ||(______|v|v|_______)|| | | || ______|v|v|_______ || | | ||(______|v|v|_______)|| | | <--Stack/Chimney || ______|v|v|_______ || | | ||(______|v|v|_______)|| / / || ______|v|v|_______ ||---/ / ||(______|v|v|_______)|----- || ______|v|v|_______ || ||(______|v|v|_______)|| || ______|v|v|_______ || ||(______|v|v|_______)|| || || || Coil Type Boiler || || || || ||
True to the OAS advertisement pitch of "Be A Control Freak", several attributes (henceforth referred to as "set points") of the heat computer may be remotely programmed-this is the venue through which the title of this article may be literally applied.
Set points are as follows:
MODE: S TIME SET POINTS DIAL OUT DAY 5:30A ALARMS___MAL_AQS_DHW_BYP_APT_ADC__A7__A8_ EVENING 6:00P ENABLED: N N N N N N N N NIGHT 10:00P AQS 120 A7. TEMPERATURE SET POINTS DHW 90 A8. INSIDE DAY 69 1. 1917XXXXXXX EVENING 69 2. 1800XXXXXXX NIGHT 65 3. 191XXXXXXXX ATH 0 4. OUTSIDE *. XXXXXXXXXXX DAY 55 NIGHT 40 SUMMER/WINTER W AQUASTAT DAY 190 NIGHT 190 DIF 10
Time set points define for the system "DAY", "EVENING", and "NIGHT" by minimum hour. Thus, the period of time from 5:30 a.m. to 6:00 p.m. would be considered "DAY," from 6:00 p.m. to 10:00 p.m. is "EVENING," and so forth.
The importance of establishing and defining these categories lies in the fact that the OAS determines cutoff temperatures by the time of day; this individual system will cease to heat the building actively if the inside temperature during the period of time defined as the day reaches 69°, the temperature set point for this particular system.
If the heat computer is administering an apartment building, heat will be provided if a majority of outside cutoff temperatures are logically opposite the inside as the system is incapable of heating the area outside of a building-therefore, 55° and 40°, as seen here, are the temperatures at which, when sensed by thermistors, the boiler will initiate procedures to actively heat the building.
The precise purpose and effect of summer/winter mode is unknown and absent from the technical specifications of other versions including the 3500. A reasonable assumption, however, is that summer operation involves the toleration of lower maximum aquastat and cutoff temperatures without activating an alarm by default, since the outside temperatures are obviously expected to be higher.
Under AQUASTAT are the temperature settings with a permitted differential of ten. Dial-out and alarm conditions follow-the computer will generate an alarm message in the instance of a burner malfunction, an aquastat temperature below the specified minimum (120°, here) excessively low domestic hot water temperature, system bypass, disconnected area sensor, and/or an analog-to-digital converter error.
A7 and A8 are additional generic alarms that may be connected to external devices. Alarms MAL through BYP will dial out after five minutes of the persisting condition, APT after ten, and ADC after forty. This is only logical as analog-to-digital converter and apartment sensor errors are far more likely to be resolved automatically with system resets and other automatic measures, and it is not absolutely vital that the building manager be made aware of them immediately, as they concern the machine and not the actual heat or hot water in the building, directly.
Despite what may be believed to the contrary, the terse list of phone numbers is NOT a directory of dial-ups to other units, (the number following the asterisk is the dial-up for the unit to which the user is connected) nor is it a log of the last four numbers to dial-in.
Instead, the OAS will dial the numbers listed and leave an automated message, emergency page, (if a beeper/pager number is specified) or electronic message (if sent to a modem), with the alarm time and status. Often these numbers will seem rather random and unrelated when called. Remember that the purpose of this feature is to notify those in charge of the building, who are most likely responsible for remote programming of the system as well, of alarm conditions; it would do little good to have the computer call the main number(s) of the building itself to report problems. These numbers, then, could merely be those of people or other places that the owner of the computer has contact with and access to, possibly including personal numbers. In fact, the author of this article knew that the number of this particular unit was registered to a certain establishment, here called "Jones Financial." Upon calling one of the numbers listed, an answering machine picked up with the greeting, "You've reached the Joneses." Case in point.
Programming the System
The next option in the menu of commands is perhaps the most exciting, as it increases the potential to learn about the system by way of practical application. Pressing P at the prompt will result in the following sub-prompt for a password:
If an invalid password is entered twice, the OAS will output the directive, "redial" to the screen, spew a line of garbage text, and disconnect the user:
PASSWORD: INVALID REDIAL 4_QKvhbhC\v5(ij%Tudy%!#`&X WJd,U'MOu@,D+LS NO CARRIER
Defaults for this are unknown, although it is likely that they exist and are given to customers at the brief seminars that are recommended for all new OAS owners to attend. If one is truly determined to know the password, I would recommend that the interested hacker also visit the seminar. No features that log invalid password attempts are documented. Passwords do not echo to terminal. The programming option is used to set every consequential element of the system from time set points to hardware handling. Passwords are ten characters in maximum length, an attribute revealed by the audible bell (Control-G character) heard when an eleventh character is entered - this bell will also sound at the MODE: prompt when input in excess of the expected is entered. When a correct password is entered a main menu of four options will appear.
The four main options are as follows:
1. CLOCK, DATE 2. SET POINTS 3. MISCELLANEOUS 4. DIALOUT
Selection of any one of these will open a sub-menu of options followed by a question mark.
For example, the following options may be displayed in the miscellaneous sub-menu 3:
OVERIDE/NORMAL? SENSORS? SENSOR LABELS? METERS? METER LABELS? STEAM/HYDRONIC? BURNER SIGNAL? VERSION NOTES? PASSWORD?
In order to program any of the options in any sub-menu, input the desired value followed by a Carriage Return <CR>. If a <CR> is pressed without an alteration in value the next option in the submenu will be displayed - to navigate through the sub-menus without programming, simply press "Enter" at the option prompts. As is the case with the main MODE: menu, typing a question mark will display all of the potential values for a programmable option, "Esc" is used to exit from programming mode altogether (upon which a password need not be supplied to reenter during the session), and "Backspace" cancels an entire line of input. If an invalid value is entered, "INVALID ?=HELP" will be printed.
Sub-menus 1, 2, and 4 are straightforward-programming of the clock, date, set points as seen in the S mode, and dial-out numbers/alarm conditions is accomplished here.
The MISCELLANEOUS sub-menu, however, requires some explanation.
The first option, OVERIDE/NORMAL, will set the system in a heat call for one hour if the override value is entered - it may be interrupted at any time during the cycle and turned off, returning the system to "normal" operation.
At SENSORS?" one may manipulate privileges of the apartment temperature sensors (priority) and turn the outside temperature and aquastat sensors on and off. Sensor and meter labels refer to the headings that denote the thermistors and water meter in the current report R.
METERS? provides the options to turn the water meters on and off, combine the pulse inputs to a single, double-headed meter, specify a scale factor for the flow rate, and to turn the water records on and off.
STEAM/HYDRONIC? is only useful on the single model of heat computers that may be used for steam or hydronic systems, controlling reporting options.
BURNER SIGNAL? does not control the burner control signal, which activates the burner - it only permits the user to switch the monitoring of burner on and malfunction signals on or off.
One may write "version notes" in with the second-to-last option; these will be seen with the V command and typically pertain to any idiosyncrasies of the boiler to which the computer is attached.
The final option in this submenu enables the user to change the programming password, an action not advisable as the legitimate operator of the unit will undoubtedly notice the presence of an intruder upon discovering that the password last used is no longer valid; still, little recourse exists for this. Interestingly, it seems as if the password storage capability for certain models is more extensive than a single programming password, as some oil companies have been known to possess passwords in addition to building managers.
Controlling the Heat
For reasons of sheer practicality and to remain true to the title, here is a quick step-by-step tutorial regarding the actual setting of heat.
At the MODE: menu, press P to enter programming mode and enter the password.
Select sub-menu 2, set points, and navigate to the option to set the maximum temperatures under "DAY", "EVENING", and "NIGHT". Note the current definitions of all three times of day and select the appropriate point.
To increase the heat, increase the maximum temperature permitted value as described above; to decrease heat, decrease this value. Alternately, one could input a manual override at the miscellaneous sub-menu to actuate a one hour heat call.
A few of the following modes are mere alternate manifestations or continuations of the data displayed in the report and are explained satisfactorily by the help command.
T1, T2, and T3 are indeed nothing more than hourly temperature records in the following format, edited here for brevity:
MODE: T1 __TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK 12:00M 77 83 82 81 80 74 82 83 <5* <5*| 68 189 116 >>> 120 11:00P 76 82 82 80 81 76 82 83 <5* <5*| 69 181 116 >>> 120 10:00P 75 82 82 80 81 76 82 83 <5* <5*| 68 194 119 >>> 272 9:00P 75 82 82 78 81 76 81 83 <5* <5*| 68 189 117 >>> 128 8:00P 76 79 82 78 82 76 81 83 <5* <5*| 70 181 116 >>> 120 7:00P 76 82 82 81 81 76 82 83 <5* <5*| 71 198 119 >>> 152 6:00P 77 81 81 80 81 75 81 83 <5* <5*| 69 184 117 >>> 120 5:00P 77 81 81 80 81 73 81 82 <5* <5*| 70 191 117 >>> 128 4:00P 77 80 81 80 81 73 81 81 <5* <5*| 70 197 119 >>> 144 3:00P 77 80 81 79 80 74 80 81 <5* <5*| 70 188 116 >>> 116 2:00P 77 80 80 78 80 74 80 81 <5* <5*| 66 194 119 >>> 128 1:00P 76 79 80 78 79 74 80 80 <5* <5*| 63 186 118 >>> 124 12:00N 76 79 80 78 79 75 80 80 <5* <5*| 66 180 119 >>> 120
The only moderately important distinctions here are the facts that 12:00M and 12:00N represent midnight and noon in that order, obviously, and that these tables conclude with 11:00 p.m.
T2 and T3 are identical, differing only in the 24-hour days that they contain data for - T3 contains three-day-old information, etc.
Similarly, H will provide the daily history of the data in the next lines of the report. This should appear familiar:
MODE: H _DATE_BURNER__HEAT___BYP___MAL___BAT__HI__LO_ Jun 23 0:45 0:00 0:00 0:00 0:00 73 62 Jun 22 0:46 0:00 0:00 0:00 0:00 73 61 Jun 21 0:42 0:00 0:00 0:00 0:00 80 60 Jun 20 0:46 0:00 0:00 0:00 0:00 79 61 Jun 19 0:49 0:00 0:00 0:00 0:00 78 57 Jun 18 0:50 0:00 0:00 0:00 0:00 69 56 Jun 17 0:48 0:00 0:00 0:00 0:00 76 63 Jun 16 0:49 0:00 0:00 0:00 0:00 78 61 Jun 15 0:45 0:00 0:00 0:00 0:00 75 65 Jun 14 0:38 0:00 0:00 0:00 0:00 >90 69 Jun 13 0:46 0:00 0:00 0:00 0:00 89 74 Jun 12 0:46 0:00 0:00 0:00 0:00 >90 76 Jun 11 0:48 0:00 0:00 0:00 0:00 >90 75 Jun 10 0:51 0:00 0:00 0:00 0:00 >90 73 _DATE___H-A__H-W__L-W__H-S_____WTR_ Jun 23 198 127 106 664 0 Jun 22 200 125 109 668 4 Jun 21 200 125 107 668 0 etc...
This unit displayed this for every date up to June 10. XD1-3, or "more hourly records" were not seen on this system at all and are probably boiler-specific, perhaps containing records such as the supply and return temperature that are only required on hydronic systems. Since some of the systems that one may hack might control hydronic boilers, it is important to retain a knowledge of their workings, information universal to all types of heat computers that manage such boilers.
Recall the operation of hydronic boilers, specifically the process of water circulation. Quite simply, supply temperature refers to the temperature of water as it exits the boiler to circulate around the space that it is heating, and return temperature to that of the water as it returns to the boiler. Water records were also absent from this log, strongly suggesting that this is a steam system.
Events, accessed by the command, E are entirely separate from the initial report, although some events may be recorded there without the time of their occurrence:
MODE: E 8:27P OFF 12:16P ON DHW 11:56P ON DHW 2:51P OFF 8:21P ON DHW 11:47A OFF 11:00P OFF 2:47P ON DHW 7:50P OFF 11:42A ON DHW 10:55P ON DHW 1:52P OFF 7:46P ON DHW 11:10A OFF 10:05P OFF 1:47P ON DHW 7:04P OFF 11:05A ON DHW 10:00P ON DHW 1:00P OFF 6:59P ON DHW 9:15A OFF 9:20P OFF 12:55P ON DHW 6:05P OFF 9:15A HEAT OFF 9:16P ON DHW 12:04P OFF 6:01P ON DHW 8:20A ON 8:09P OFF 12:00N ON DHW 5:35P OFF 8:19A HEAT CALL 8:04P ON DHW 11:17A OFF 5:30P ON DHW 7:06A OFF 7:22P OFF 11:12A ON DHW 4:49P OFF 7:06A HEAT OFF 7:16P ON DHW 9:56A OFF 4:44P ON DHW 5:31A ON 6:38P OFF 9:56A HEAT OFF 4:00P OFF 5:30A HEAT CALL 6:33P ON DHW 9:00A ON 3:56P ON DHW 4:34A OFF 5:59P OFF 8:59A HEAT CALL 2:54P OFF 4:29A ON DHW 5:54P ON DHW 7:50A OFF 2:49P ON DHW 3:04A OFF 5:03P OFF 7:50A HEAT OFF 2:15P OFF 2:59A ON DHW 4:58P ON DHW 5:31A ON 2:10P ON DHW 1:15A OFF 4:18P OFF 5:30A HEAT CALL 1:29P OFF 1:10A ON DHW 4:13P ON DHW 5:07A OFF 1:24P ON DHW 12:00M OFF 3:23P OFF 5:03A ON DHW 12:21P OFF 12:00M ----- 3:18P ON DHW 3:39A OFF
This is a record of every burner on/off cycle for the past 84 events. Only ordinary heat and domestic hot water calls are seen above, but flame failures, overrides, bypasses and power failures may also be logged here depending upon the version.
As is evident by the redundancy present in several of the options, the entire system is designed to facilitate great discretion in what one views during a particular session. The only practical reason for offering all of the records as individual segments is that of specificity in monitoring.
If one wishes to view a complete list of all of the records for a particular day in the past three days at the entry of a single command, D1, D2, and D3 are available.
To conclude descriptions of all commands, L will redisplay the message first seen in the banner immediately upon connection to the system and V for Version will print a message similar to the following, with the version, date installed/configured, type of system and number of sensors:
MODE: V V 6310 - 10 NOV 1995 On/Off System 8 SENSOR UNITAT
This confirms the previous suggestion to the effect that this is a steam system, as steam systems are also known as ON/OFF or HI/LO fire boilers.
Footprinting the System - A Review/Additional Tips on Obtaining the Password
Several ways exist through which information pertaining to the system may be acquired, information potentially useful in the attainment of the password and in programming of the settings. Commands such as "Version", "Water Records" and "More Hourly Records" should reveal with ease the general specifications of the OAS. This information, coupled with the CNAM data of the dial-up (backspoofing, anyone?), address, and dial-out phone numbers, will likely prove extremely useful in either social engineering to obtain the programming password or guessing it in order to further one's exploration of the heat computer.
One aspiring to program the OAS could also potentially attempt the age-old callback ruse, phoning the legitimate operator at a number listed under "Set Points" (Mode S) and leaving a message with a voicemail number with a greeting identifying it as belonging to "Optimum Applied Systems, Incorporated," accompanied by a statement to the effect that, "Your heat computer has reached its ___ year point, and as such we need to perform diagnostic tests on the system as a part of your warranty..." and so forth.
Do note, however, that the dial-up or IP might be particularly difficult to obtain as the actual operator of the system would logically be the only individual in possession of such information, thus rendering impersonation of him or her absolutely useless. Creative ways to get the dial-up may be devised, though, although the best method as of yet seems to be a simple matter of wardialing the exchange controlled by the company that owns the OAS (in the case of large corporations with inclusive PBXes) or dialing around the phone numbers of the building in which it is likely to be located (with small businesses). Wardialing metropolitan prefixes is also bound to turn up heat computers, possibly of the OAS brand. Although the version 6310 does not support this, other versions may permit simultaneous logins and command execution in a single 'session,' enabling one to "eavesdrop" and/or interfere with the session of the legitimate user.
The programming password is not echoed to terminal or screen; however, it is, remember, unnecessary to enter the programming menu once it has been entered at the initial prompt. Also, while it may contain special characters, it is doubtful that it will be greatly protected; the ten-character password is likely to be vulnerable to a dictionary attack of words containing ten characters or less, especially since no evidence or mention is made or available anywhere of logging failed attempts.
As a side note, the author of this article has heard of a few rumors of use of the OAS and similar heat computers by landlords to deny tenants heat in an quasi-extortive context or misuse resulting in active heating of a building in the summer or when the temperature outside is otherwise high. Wherever advanced technology exists, there will be people who are either ignorant or abusive of it, unfortunately. Although such incidents are certainly rare, OAS skills would be infinitely useful in the face of their occurrence, proving once again that knowledge regarding any type of technology that controls one's life is always of use to nearly anyone with any motives. Remember, if you can't stand the heat, get out of the kitchen and into the OAS!
The Software - An Addition
All of the above is merely the beginning.
While connecting to the OAS heat computer via a terminal client and manually entering all of the commands might be satisfactory for some, OAS also offers software to automate and enhance the process of heat computer maintenance (whether it is authorized or not). This is an incredibly useful enhancement to the pursuit of hacking OAS Heat Computers, as it reveals a few aspects otherwise hidden, and it has several useful utilities intended clearly for administration. This software, available on the OAS website for all to download, at www.oas-inc.com, is called "Master95" and is supposed to be somewhat of a kludge just to install, as OAS doesn't seem particularly disposed toward the idea of amateur experimenters logging into heat computers and running commands.
Master95 may only be used for the access/administration of heat computers and other OAS systems over a (true) modem connection; unfortunately, it does not appear to support Internet connections, although interestingly if the reader will forgive the sudden launch into linear, redundant expository style and the informal shift into the second person, the following will explain the installation process.
It comes in a strange archive format unknown to the WinRAR archive software, called an "SFX CAB Archive" as an .EXE file, "STUB.EXE".
If you attempt to run it as you would any other Windows .EXE file, by double-clicking on the icon, you will receive a window prompting you for a case-sensitive password of enormous maximum length. We do not desire that, now do we? Ignore that for the moment and open the archive in the archive management software of your choice-the author personally recommends WinRAR.
A list of 16 files should appear, beginning with "DATA1.CAB" and ending with "_INST32I.EX_". Extract and copy all of these files to the desktop or other location where the entire installation process will take place. (The desktop is recommended for the sake of convenience.)
Run SETUP.EXE (It should be the eighth file in the list. Does that text in the background of the window with the copyright and version appear at all familiar?) and proceed through all of the prompts - agree to the license, etc. Instruct the software to place an icon for Master95 onto the desktop when prompted to do so. Upon reaching the end of the InstallShield Wizard (the application that guides you through the setup process) click "Finish" and run the software by double-clicking on the desktop icon.
The full version of Master95 Master Dial Program Version 1.96 is now installed.
Behind that password prompt lies the self-extractor for Master95, easily bypassed by opening the archive.
The OAS website also declares that the software, while downloadable, must be registered over the phone before use, (presumably with the purpose of the confirmation of one's status as a customer) lending credence to the notion that OAS does not intend for the public to have unhindered access to Master95 and that the password protection is a feeble form of security.
If so, this is simply another instance of security through obscurity, assuming that one will not attempt to open it with archive software, an absurd assumption as it clearly identifies itself as an archive under "properties," with passwords absent.
Another possible purpose of the password prompt is to protect "InstallShield" from being run, although it is regardless when Master95 is configured at installation. In any case, all of these files in the archive may be freely copied, and the software should operate without any difficulty if all of them are located in the same directory.
Although at first glance the Master95 software appears to merely be an alternate way to access heat computers and administer them using a GUI and menu system, it does reveal a few interesting things. Of foremost interest to the reader may be the commands help file, which presents in a succinct format all the descriptions of the current report, event log, etc., although it completely lacks explanation useful to an outsider (unauthorized user; i.e., hacker) such as explanations of ultimate application to heat and descriptions of boiler operation, as it assumes that the software user will be trained in such matters.
Observing the window, one will notice that, under the "direct dial" option when the option "building list" is selected, other OAS products controllable over modem are listed - a mildly interesting little bit of information. Perhaps it would be lucrative to watch wardial logs for anything mentioning a "tank computer" or a "fire eye."
The following banner demonstrates the general format and appearance of tank computers, which are used to monitor liquid inside of tanks, such as oil:
OAS Tank Gauge 145 ATLANTIC STREET 4:30P Sat Dec 17, 1993 TANK CAPACITY: 5000 GALLONS
These connect at 8,N,1 as the heat computer output does not display properly when a heat computer is dialed and either option is selected.
Tank computers are a subject for another article.
Upon establishing a connection to a heat computer through the software (calling cards may even be used for long distance dial-ups) one may enter commands manually in the blue terminal window in which all output is viewed, or using the drop-down menu system, if one prefers a GUI.
Notice the command "Real Time Display", under "Commands" sent by the keyboard shortcut "Alt+R". Selection of this during a session will pull up a "Command Select" box, with four commands listed that accomplish this - R, RA, RB, and XR.
RA and RB will not work on this particular model/type of heat computer at all, and may produce erratic results on other models.
XR, however, displays the report and alters it in real-time. This is a hidden command on the Heat Computer 6310, not documented in the list provided with a ?.
While in most cases the two reports may be identical, a slight discrepancy may be seen between them, a display of the constantly fluctuating temperature of the area surrounding thermistors.
Master95 also serves as an effective organizational tool for heat computer management, incorporating into its array of utilities a building list in which heat computers (and the other types of systems) may be sorted based upon address, an assigned ID, and dial-up.
Editing the properties of a particular building in this list entails the assignment of an ID, setting the type of unit (Heat, Oil Tank, Heat 7000, or Fire Eye), the baud at which it connects, and the "port switch."
Building lists may also be imported from older, DOS versions of Master software with the file option, "Import Old List". "Tools" for building lists include daily and single collection, summer/winter programming, and clock programming.
The latter two are simply an automation of the programming set points process for the summer/winter option and time. The password box only accepts ten characters, revealing the aforementioned fact that passwords are ten characters long.
Daily/single collection is a slightly more complex automation, in which the user may program the software to dial selected buildings in the list at a specified time and day, execute commands, and store the output in a file with the extension .SUM, for "collection summary." To configure these parameters, select "Setup Parameters" under the "Tools" menu.
Web Interface and Internet Connectivity
As is noted in the introduction, certain newer models of OAS Heat Computers, notably the 3700, include the access option of a web interface which provides for convenient access to and remote management of heat computers with Internet connectivity. One may login through the following websites in order to connect to and administer a heat computer unit online:
A MySQL database is used to this end - TCP port 3306 is open on hcdbs.oadincorp.com, a port used by the MySQL database server.
Conclusion - Thoughts on Security
While in some regards OAS can hardly be blamed for certain aspects of the nature of heat computers that render them so incredibly predisposed to control by outsiders - attributes such as the remote accessibility over phone lines, un-passworded execution of seemingly harmless commands, and so forth, leaving such systems that control heat to an entire building lying about on the PSTN, and recently, the Internet, is frankly unwise.
OAS is extremely zealous in advertising, providing details as to the technical specifications of models sold in numerous public releases. The problem as here present insofar as security is primarily that a very limited amount of seemingly innocuous information can lead to extremely specific information useful in penetrating and taking complete control of specific units; for instance, the attainment of the dial-up to a heat computer can lead to the address of the unit and possible numbers at which the owners/operators may be contacted.
One could even carry this social-engineering scheme so far as to call up the building owner/manager with an actual problem visible in the report, a difficulty only repairable by remote programming, and proceed to correct it upon learning the password! A simple understanding of human nature suggests that people will be much more susceptible to social-engineering, that is, much more willing to give out the programming password, when faced with a potential disaster such as complete cutoff of heat in the dead of winter, or even something minor such as a small water leak or a dirty coil.
And, while I most certainly do not condone exaggeration of the problem, all of this is definitely something to ponder as these systems begin to make their way onto the Internet. While manufacturers of some things have realized the folly of unnecessary remote access, heat, and building automation systems are likely to become even more accessible in the future, for evident reasons of expediency.
From an explorer's standpoint, heat computers of all types provide a relatively safe venue through which a fairly extensive assortment of technologies may be studied - boilers are nearly as complex and interesting as phone systems or any one of the other self-contained networks of mechanical and electronic parts that comprise the modern world.
Still, the thought that an individual in a remote location could with relative ease (here it is important to remember that while OAS Heat Computers may be uncommon, other heat computers and building maintenance systems exist in abundance, especially in large cities) direct the equipment that administers heat and water to a large building is slightly disturbing.
If, by any stroke of fortune, the curious hacker reading this article should happen to find an OAS Heat Computer, I advise him or her to align subsequent actions with the Hacker Ethic, to refrain from actuating the causation of any permanent or immediately serious problems with the system either unintentionally (as preposterous as that may sound) or intentionally, as a matter of course.
A grayscale photograph of an OAS Heat Computer unit is available at the time of this writing on www.homeenergy.org/archive/hem.dis.anl.gov/eehem/picts/97054101.gif, and other pictures of the front panel are available on www.oas-inc.com.
Shoutouts to rev, whitehorse, ThoughtPhreaker, Substance, DCFlux, bomberman2525, radio_phreak, everyone in #telephony, BinRev and the DDP, the broad class of people who ever wrote anything that has contributed to my technological knowledge base, underground or otherwise, the anonymous person who posted the logs that initially brought heat computers to my attention, and OAS for manufacturing such interesting, useful, and vulnerable products. If I have forgotten or omitted anyone else, please forgive me with the assurance that your contributions and the general benefits of our interactions do not go unnoticed and underemphasized. I may be contacted on IRC on 2600net in #2600, #telephreak, and #telephony, on the Telephreak BBS at telnet://bbs.telephreak.org, or at my email address: email@example.com with any questions or input.
If anyone should happen to possess a superior command of such systems as were discussed in this article, I would like to hear from you; to this end I encourage contact via one of the above channels to further knowledge upon this topic. Although it was extensively researched, I authored this paper strictly from the perspective of an outside explorer experimenting with the system - a good deal of information presented here was garnered from experimentation and observation, and as such is not all-inclusive by any means, although conjecture and speculation is labeled as such. Redundancy here (presentation of details present in the help file of the Master95 software and so forth) exists in order to provide readers with a reference that may be used both as a quick guide to heat computers without the help file or the official manuals, as well as an explanation of, in the true spirit of hacking, potential unintended uses for the various options therein. Additional details are available in the help file of Master95 and elsewhere that are not mentioned here - obtain the software!