
2/6/2013
12:42 PM

Researchers Demo Building Control System Hack

Unpatched bugs could also ultimately expose the corporate network

KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- A popular building systems maintenance and management platform contains security bugs that could allow an outsider to remotely hijack the power and other building operation systems.

Security researchers Terry McCorkle and Billy Rios here yesterday demonstrated an attack on the Tridium Niagara Framework, which is used by Boeing, Whirlpool, and many hospitals worldwide for integrating and managing building energy and other operations, such as lighting, HVAC, and fire and safety. The proof-of-concept exploit uses two as-yet unpatched security vulnerabilities in the Niagara software.

"This [Niagara platform] is used for things like access controls, running an elevator, alarm systems, power, and HVAC," McCorkle said. "It used to be that all systems in a building would be on a separate circuit or not connected to anything ... But where we are today, you now have embedded controllers and browsers ... to track things like how much power you use, when people are coming and going -- all of this can be tracked online."

And the attacker ultimately could gain a foothold in the organization's corporate network after accessing the building system: "You could 'own' the network -- more than [just] the ICS [industrial control system]," Rios said.

The attack allows an unauthorized and unauthenticated attacker to download the Tridium building control system's configuration file, which gives him access to the station, where he exploits a privilege escalation bug to gain entry onto the actual Tridium platform. "Once we have access to the station, we own the entire device," Rios said.

Tridium originally had planned to issue an update to fix the flaws in mid-January, the researchers said, but the patch is not yet out. They said the vendor is planning to issue the update in the next few weeks, however.

Many of these systems are sitting on the Internet today. McCorkle and Rios found via a Shodan scan some 21,000 such devices, many of which they confirmed were Tridium Niagara Framework systems. One Niagara system was sitting on a network at a college medical testing lab. "Naturally, we aren't going to exploit any of those systems. We just say it would be possible. It would be easily exploitable if someone wanted to," McCorkle said. Some of these organizations may not even be aware their systems are Internet-facing and potentially accessible by hackers, he said.

The Tridium systems come with Ethernet ports and modems, and each controller can manage anywhere from 16 to 34 ICS devices. "They can run in a series and are designed to run a whole building," McCorkle said.

The researchers purchased the Tridium system on eBay -- not from Tridium -- but the box arrived with its original packaging slip from Tridium. "So it [had been] used somewhere in some building project. We don't know if it was stolen or what, but we have it now, and it's ours," Rios said. It also conveniently came with a default username ("Tridium") and password ("Niagra") for the admin account, he said.

Rios said the system can run atop a QNX real-time embedded operating system, Windows, or Linux, and the platform is written in Java. "Once you own the platform, owning a lot of other stuff is very straightforward," he said.

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

The researchers credit Tridium with splitting the architecture of the system for security purposes. "I think Tridium understands security just a little bit because the 'stations' on the platform [create] a security boundary," Rios said. The station is where the user interacts with the device -- it sits atop the platform. "Once the user has access to the station, you don't want him to access the platform ... Once you own the platform, you own everything, the whole stack. You're able to do anything you want to with it."

But owning the platform is just what the researchers were able to do. They were able to get a shell on the device and admin access to the system.

Still, Rios said the bigger concern is that he and McCorkle probably are not the only ones finding these types of bugs. "We don't think we're the only ones doing this. That's what [Tridium] need to worry about. There's a huge market for this kind of stuff," he said.

Meanwhile, patching ICS products is not so straightforward. SCADA system owners face some serious decisions over where and when to patch, if at all, and many do not patch because of concerns over disrupting their operations or processes.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
