Researchers Demo Building Control System Hack

Unpatched bugs could also ultimately expose the corporate network

KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- A popular building systems maintenance and management platform contains security bugs that could allow an outsider to remotely hijack the power and other building operation systems.

Security researchers Terry McCorkle and Billy Rios here yesterday demonstrated an attack on the Tridium Niagara Framework used by Boeing, Whirlpool, and many hospitals worldwide for integrating and managing building energy and other operations, such as lighting, HVAC, and fire and safety. The proof-of-concept exploit uses two as-yet unpatched security vulnerabilities in the Niagara software.

"This [Niagara platform] is used for things like access controls, running an elevator, alarm systems, power, and HVAC," McCorkle said. "It used to be that all systems in a building would be on a separate circuit or not connected to anything ... But where we are today, you now have embedded controllers and browsers ... to track things like how much power you use, when people are coming and going -- all of this can be tracked online."

And the attacker ultimately could gain a foothold in the organization's corporate network after accessing the building system: "You could 'own' the network -- more than [just] the ICS [industrial control system]," Rios said.

The attack allows an unauthorized and unauthenticated attacker to download the Tridium building control system's configuration file, which gives the attacker access to the station; from there, a privilege escalation bug is exploited to gain entry onto the actual Tridium platform. "Once we have access to the station, we own the entire device," Rios said.

Tridium originally had planned to issue an update to fix the flaws in mid-January, the researchers said, but the patch is not yet out. They said the vendor is planning to issue the update in the next few weeks, however.

Many of these systems are sitting on the Internet today. McCorkle and Rios found via a Shodan scan some 21,000 such devices, many of which they confirmed were Tridium Niagara Framework systems. One Niagara system was sitting on a network at a college medical testing lab. "Naturally, we aren't going to exploit any of those systems. We just say it would be possible. It would be easily exploitable if someone wanted to," McCorkle said. Some of these organizations may not even be aware their systems are Internet-facing and potentially accessible by hackers, he said.

The Tridium systems come with Ethernet ports and modems, and each controller can manage anywhere from 16 to 34 ICS devices. "They can run in a series and are designed to run a whole building," McCorkle said.

The researchers purchased the Tridium system on eBay -- not from Tridium -- but the box arrived with its original packaging slip from Tridium. "So it [had been] used somewhere in some building project. We don't know if it was stolen or what, but we have it now, and it's ours," Rios said. It also conveniently came with a default username ("Tridium") and password ("Niagra") for the admin account, he said.

Rios said the system can run atop a QNX real-time embedded operating system, Windows, or Linux, and the platform is written in Java. "Once you own the platform, owning a lot of other stuff is very straightforward," he said.

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

The researchers credit Tridium with splitting the architecture of the system for security purposes. "I think Tridium understands security just a little bit because the 'stations' on the platform [create] a security boundary," Rios said. The station is where the user interacts with the device -- it sits atop the platform. "Once the user has access to the station, you don't want him to access the platform ... Once you own the platform, you own everything, the whole stack. You're able to do anything you want to with it."

But owning the platform is just what the researchers were able to do. They were able to get a shell on the device and admin access to the system.

Still, Rios said the bigger concern is that he and McCorkle probably are not the only ones finding these types of bugs. "We don't think we're the only ones doing this. That's what [Tridium] needs to worry about. There's a huge market for this kind of stuff," he said.

Meanwhile, patching ICS products is not so straightforward. SCADA system owners face serious decisions over where and when to patch, if at all, and many do not patch because of concerns over disrupting their operations or processes.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
