Connected Elevators Expose Buildings to Cyberattacks via Unpatched IoT Systems

Modern elevators are increasingly connected to building management systems (BMS) and the internet for remote monitoring, predictive maintenance, and destination dispatch optimization. However, TUV NORD (a major European certification body) has found that many elevator systems are inadequately protected against cyber attacks. Common vulnerabilities include unencrypted communication between elevator controllers and monitoring servers, default credentials left unchanged on maintenance interfaces, unsecured remote access tools, and weak or nonexistent network segmentation between elevator operational technology (OT) and building IT networks. This matters because a compromised elevator system is not just a data breach — it is a physical safety hazard. An attacker who gains access to an elevator controller could potentially override door interlocks (causing doors to open between floors), disable safety systems, manipulate car positioning, or simply take all elevators in a building offline simultaneously. In a hospital, this could prevent patient transport during emergencies. In a high-rise office building, it could strand thousands of people. In a residential tower, it could trap elderly or disabled residents. The attack surface is expanding rapidly. Kaspersky researchers demonstrated an elevator exploit using a PLC (programmable logic controller) — the same type of industrial controller targeted by the Stuxnet worm. The elevator industry's own trade group, the National Elevator Industry Inc. (NEII), published cybersecurity best practices in July 2024, implicitly acknowledging that the industry's current security posture is inadequate. Check Point has released a dedicated 'Secure Smart Elevators' solution brief, indicating that security vendors see a market need — which means the problem is already being exploited or is imminently exploitable. This persists because elevator cybersecurity falls into a regulatory gap. Elevator safety codes (ASME A17.1) focus on mechanical and electrical safety, not cybersecurity. Building codes do not address IoT device security. And general cybersecurity regulations (where they exist) typically apply to IT systems, not OT systems like elevator controllers. No regulatory body currently requires cybersecurity testing or certification for elevator control systems before they are connected to the internet. Structurally, the problem is compounded by the long lifecycle of elevator equipment. An elevator controller installed in 2010 was not designed with cybersecurity in mind, yet it may now be connected to the internet for remote monitoring. These legacy systems often cannot be patched or updated to address newly discovered vulnerabilities, and replacing them means a full controls modernization ($100,000+ per car). Building owners face the choice between leaving vulnerable systems connected or disconnecting them and losing the remote monitoring capabilities they are paying for.