
Researchers Demo Building Control System Hack

Unpatched bugs could also ultimately expose the corporate network

KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- A popular building systems maintenance and management platform contains security bugs that could allow an outsider to remotely hijack the power and other building operation systems.

Security researchers Terry McCorkle and Billy Rios here yesterday demonstrated an attack on the Tridium Niagara Framework used by Boeing, Whirlpool, and many hospitals worldwide for integrating and managing building energy and other operations, such as lighting, HVAC, and fire and safety. The proof-of-concept exploit uses two as-yet unpatched security vulnerabilities in the Niagara software.

"This [Niagara platform] is used for things like access controls, running an elevator, alarm systems, power, and HVAC," McCorkle said. "It used to be that all systems in a building would be on a separate circuit or not connected to anything ... But where we are today, you now have embedded controllers and browsers ... to track things like how much power you use, when people are coming and going -- all of this can be tracked online."

And the attacker ultimately could gain a foothold in the organization's corporate network after accessing the building system: "You could 'own' the network -- more than [just] the ICS [industrial control system]," Rios said.

The attack allows an unauthorized and unauthenticated attacker to download the Tridium building control system's configuration file, getting him access to the station, where he exploits a privilege escalation bug to gain entry onto the actual Tridium platform. "Once we have access to the station, we own the entire device," Rios said.

Tridium originally had planned to issue an update to fix the flaws in mid-January, the researchers said, but the patch is not yet out. They said the vendor is planning to issue the update in the next few weeks, however.

Many of these systems are sitting on the Internet today. McCorkle and Rios found via a Shodan scan some 21,000 such devices, many of which they confirmed were Tridium Niagara Framework systems. One Niagara system was sitting on a network at a college medical testing lab. "Naturally, we aren't going to exploit any of those systems. We just say it would be possible. It would be easily exploitable if someone wanted to," McCorkle said. Some of these organizations may not even be aware their systems are Internet-facing and potentially accessible by hackers, he said.

The Tridium systems come with Ethernet ports and modems, and each controller can manage anywhere from 16 to 34 ICS devices. "They can run in a series and are designed to run a whole building," McCorkle said.

The researchers purchased the Tridium system on eBay -- not from Tridium -- but the box arrived with its original packaging slip from Tridium. "So it [had been] used somewhere in some building project. We don't know if it was stolen or what, but we have it now, and it's ours," Rios said. It also conveniently came with a default username ("Tridium") and password ("Niagra") for the admin account, he said.

Rios said the system can run atop a QNX real-time embedded operating system, Windows, or Linux, and the platform is written in Java. "Once you own the platform, owning a lot of other stuff is very straightforward," he said.

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

The researchers credit Tridium with splitting the architecture of the system for security purposes. "I think Tridium understands security just a little bit because the 'stations' on the platform [create] a security boundary," Rios said. The station is where the user interacts with the device -- it sits atop the platform. "Once the user has access to the station, you don't want him to access the platform ... Once you own the platform, you own everything, the whole stack. You're able to do anything you want to with it."

But owning the platform is just what the researchers were able to do. They were able to get a shell on the device and admin access to the system.

Still, Rios said the bigger concern is that he and McCorkle probably are not the only ones finding these types of bugs. "We don't think we're the only ones doing this. That's what [Tridium] need to worry about. There's a huge market for this kind of stuff," he said.

Meanwhile, patching ICS products is not so straightforward. SCADA system owners face some serious decisions over where and when to patch, if at all, and many do not patch due to concerns over disrupting their operations or processes.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...