Researchers Demo Building Control System Hack

  /     /     /  
Publicated : 22/11/2024   Category : security


Researchers Demo Building Control System Hack


Unpatched bugs could also ultimately expose the corporate network



KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- A popular building systems maintenance and management platform contains security bugs that could allow an outsider to remotely hijack the power and other building operation systems.
Security researchers Terry McCorkle and Billy Rios here yesterday demonstrated an attack on the Tridium Niagra Framework used by Boeing, Whirlpool, and many hospitals worldwide for integrating and managing building energy and other operations, such as lighting, HVAC, and fire and safety. The proof-of-concept exploit uses two as-yet unpatched security vulnerabilities in the Niagra software.
This [Niagra platform] is used for things like access controls, running an elevator, alarm systems, power, and HVAC, McCorkle said. It used to be that all systems in a building would be on a separate circuit or not connected to anything ... But where we are today, you now have embedded controllers and browsers ... to track things like how much power you use, when people are coming and going -- all of this can be tracked online.
And the attacker ultimately could gain a foothold in the organizations corporate network after accessing the building system: You could own the network -- more than [just] the ICS [industrial control system], Rios said.
The attack allows an unauthorized and unauthenticated attacker to download the Tridium building control systems configuration file, getting him access to the station, where he exploits a privilege escalation bug to gain entry onto the actual Tridium platform. Once we have access to the station, we own the entire device, Rios said.
Tridium originally had planned to issue an update to fix the flaws in mid-January, the researchers said, but the patch is not yet out. They said the vendor is planning to issue the update in the next few weeks, however.
Many of these systems are sitting on the Internet today. McCorkle and Rios found via a Shodan scan some 21,000 such devices, many of which they confirmed were Tridium Niagra Framework systems. One Niagra system was sitting on a network at a college medical testing lab. Naturally, we arent going to exploit any of those systems. We just say it would be possible. It would be easily exploitable if someone wanted to, McCorkle said. Some of these organizations may not even be aware their systems are Internet-facing and potentially accessible by hackers, he said.
The Tridium systems come with Ethernet ports and modems, and each controller can manage anywhere from 16 to 34 ICS devices. They can run in a series and are designed to run a whole building, McCorkle said.
The researchers purchased the Tridium system on eBay -- not from Tridium -- but the box arrived with its original packaging slip from Tridium. So it [had been] used somewhere in some building project. We dont know if it was stolen or what, but we have it now, and its ours, Rio said. It also conveniently came with a default username (Tridium) and password (Niagra) for the admin account, he said.
Rios said the system can run atop a QNX real-time embedded operating system, Windows, or Linux, and the platform is written in Java. Once you own the platform, owning a lot of other stuff is very straightforward, he said.
[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See
The SCADA Patch Problem
.]
The researchers credit Tridium with splitting the architecture of the system for security purposes. I think Tridium understands security just a little bit because the stations on the platform [create] a security boundary, Rios said. The station is where the user interacts with the device -- it sits atop the platform. Once the user has access to the station, you dont want him to access the platform ... Once you own the platform, you own everything, the whole stack. Youre able to do anything you want to with it.
But owning the platform is just what the researchers were able to do. They were able to get a shell on the device and admin access to the system.
Still, Rios said the bigger concern is that he and McCorkle probably are not the only ones finding these types of bugs. We dont think were the only ones doing this. Thats what [Tridium] need to worry about. Theres a huge market for this kind of stuff, he said.
Meanwhile, patching ICS products is not so straightforward. SCADA systems owners face some serious decisions over where and when to patch -- if at all, and many do not due to concerns over disrupting their operations or processes.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researchers Demo Building Control System Hack