We all know about the malware attacks on Iranian nuclear plants and Ukrainian power grids, but what if the next target was your ‘smart’ home, office, school or hospital? Researchers at enterprise security vendor ForeScout have warned that malware specifically targeting smart buildings is an inevitable next step given the rapidly expanding attack surface that building automation systems expose. The operational technology researchers at ForeScout should know: they created proof-of-concept malware that revealed smart building vulnerabilities every business should be concerned about.
Malware attacks on industrial control systems (ICS) of the type often used in critical national infrastructure have been well-reported over the years. Perhaps the most memorable being the Stuxnet worm, a state-sponsored attack that targeted programmable logic controllers in the Bushehr nuclear power plant in Iran with such devastating effect in 2010. Just a few months ago a group, thought to be linked to the BlackEnergy attackers who took down much of the Ukrainian power grid in 2015, were found to be targeting high-value ICS workstations running supervisory control and data acquisition (SCADA) software with malware called GreyEnergy.
Now building automation systems (BAS) could become the new ICS, at least as far as attack surfaces are concerned for criminal and nation state threat actors alike, according to those ForeScout researchers. The reasons for this conclusion are, sadly, very sound indeed. Unlike relatively ‘dumb’ building management systems of old that might control the heating and lights, these new smart ecosystems we are increasingly seeing go further by connecting the dots to provide autonomous control of much of the building concerned. Think of buildings that can disable lift access, switch on evacuation lighting and open the emergency exits when fire is detected for example. So far, so smart. However, the open and interconnected nature of these smart buildings, along with the internet of things (IoT) devices that are often being ‘cobbled onto’ legacy systems, see old operational technology (OT) being integrated with new IT.
That, it turns out, could be pretty dumb indeed. Cheap and quick to deploy sensors and controllers courtesy of the IoT revolution, with all the well-known security problems these bring to ‘smart’ deployments, are the new normal. The new normal, indeed, for all smart buildings be they hospitals, airports, government offices, schools or even your home.
The ForeScout researchers found multiple vulnerabilities across several devices and software used in smart buildings. All these have now been fixed with patches available, but none are being identified in order to prevent the information being used to exploit unpatched instances. Examples of the high severity vulnerabilities they discovered include an encryption function using a hardcoded secret to store user passwords and a buffer overflow that enabled a remote code execution takeover of the device. Lower sensitivity vulnerabilities included cross-site scripting (XSS), path traversal and file deletion along with authentication bypass flaws. These could lead to the accessing of sensitive data, password compromises, malware distribution and the ability to tunnel further into connected networks. It almost goes without saying, but I’m going to anyway, that device misconfiguration was also found by the researchers, enabling them to gain administrator privileges on the running operating system.
One of the report authors, Elisa Costante, is also a senior director for industrial and OT technology innovation at ForeScout. She told me that a likely target of a smart building attack might be data centers. “They depend on industrial-level heating, ventilation, and air conditioning (HVAC) systems which are often connected to a BAS system” Costante explains, continuing “if a hacker is able to identify a vulnerability that grants them access to the HVAC system, they would be able to raise the temperature setpoint in order to disable the air conditioning.” Which might not sound too bad but consider as these cooling systems fail so do the servers they are protecting. “The shutting down of safety systems could lead to long and costly bouts of downtime and loss of access to important data” Costante warns. Even more critically, these BAS attacks could “bring hospitals to a standstill by rendering medical devices unusable, disrupt traffic by disabling ventilation in tunnels or completely halt production within mines” Costante concludes.
So, the ForeScout research team uncovered multiple vulnerabilities across popular building automation devices which, although all now patched, showed just how dumb these smart buildings really are when it comes to matters of security. If these vulnerabilities have all been fixed, why the ongoing concern? Simply put, those patches haven’t been applied to many of the devices courtesy of poor, or non-existent, security update strategies in far too many building management companies. Indeed, performing searches that are available to anyone at Shodan and Censys the researchers found 21,621 instances of access control devices with 7,980 that were potentially vulnerable to the high severity vulnerabilities enabling arbitrary code execution and, ultimately, full control of the device. Alarmingly, many of these were apparently located in hospitals or schools. When it comes to the lower sensitivity vulnerabilities found in just two particular automation devices, still dangerous enough considering they could enable access to data, distribution of malware, file deletion and authentication bypass, some 76% of the device instances found were potentially vulnerable.
And then there’s this: just yesterday, Tenable Research revealed it had discovered several zero-day vulnerabilities in a premises access control system used by Fortune 500 companies. Among the many attack scenarios these vulnerabilities could facilitate was ‘unfettered access to the badge system database’ which in turn meant an ability to create fraudulent access badges and disable building locks. “Many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber-attack” says Renaud Deraison, co-founder and chief technology officer at Tenable, warning “in this case patches are not available” as, despite multiple attempts to contact the vendor, Tenable had no success. This isn’t altogether surprising as I reported recently, roadblocks in the IoT vulnerability reporting process are far too commonplace.