Honeywell’s Tridium Niagara Framework is built on IP and meant to provide web-based management for building assets – a boon for efficiency, but also a chance for security nightmares. And indeed, Cylance researchers Billy Rios and Terry McCorkle have found a weakness in Tridium that allows an attacker to remotely access the system and therefore any of the facilities that it controls.
Speaking at the Kaspersky Security Analyst Summit, the two explained that a zero-day vulnerability allows access to Tridium’s config.bog file, which holds usernames and passwords to login to building control systems. From there an attacker could login to the administrator panel and commence wreaking havoc, with the ability to stop and start elevators, open doors in between floors, crank up the heat, shut down the lights, spy through CCTV cameras, turn off those cameras and unlock access to buildings for thieves, and much more. “These boxes are designed to control 16 to 34 devices and they can be run in series so they’re designed to run a whole building,” McCorkle said, as reported by Wired.
The platform is written in Java, “which is really, really good from an exploitation standpoint,” Rios said. “Once we can own the platform, a lot of the other stuff is very very straightforward [to attack].”
In some cases, once the hackers dispensed with a company’s physical environment, they can go deeper to hack the building's office computers.
McCorkle added that the two built a backdoor module based on the vulnerability, which would be used by hackers to come and go in the systems as they please, but have no plans to release it to the public.
The worse news is that Tridium’s Niagara Framework is widely deployed throughout enterprises, the military and in government – there are literally millions of facilities in thousands of buildings under its market-leading control. And to boot, Tridium is not just for building control applications – it also has applications for industrial automation, medical equipment, physical security, energy information systems, telecommunications, smart homes, machine-to-machine (M2M) and smart services.
After one quick search, Rios and McCorkle said that they found about 21,000 Tridium systems visible over the internet. The installations varied: a medical testing lab at a college, a government office complex in Chicago, the FBI, the Drug Enforcement Agency, the US Marshals Service, the IRS and the Passport Office, a British Army training facility, Boeing’s manufacturing facilities in Renton, Wash., the Changi airport in Singapore, the Four Points Sheraton hotel in Sydney, and so on.
Cylance has been warning of potential security dangers with the online industrial control configuration for some time, but Tridium executives told the Washington Postlast fall that attacks seemed unlikely, because they “generally assumed that control systems were buffered somewhat by their obscurity.”
A Honeywell spokesperson told TechEye that the company is working to address the problems as quickly as possible and will alert customers of the risks.