The researchers are Billy Rios and Terry McCorkle of Cylance, and the hacked system is the Tridium Niagara Framework. “At Cylance,” Rios blogged yesterday, “we have an ongoing project to identify vulnerable Internet facing Industrial Control Systems (ICS) at scale... While looking through our scan results, we came across an interesting Tridium Niagara device on the Internet.” Tridium Niagara is a building management system, and the building in question is Google’s Wharf 7 building in Sydney.
Rios and McCorkle have a history of finding and exposing Niagara flaws. Last year they criticised Tridium for a lack of responsiveness in fixing such flaws, and praised the US ICS-CERT for forcing the issue. In this instance, embarrassingly for Google, which automatically pushes patches for its own Chrome browser, a patch was available but had not been installed. “Although Tridium has released a patch for the system, Google’s control system was not patched, which allowed the researchers to obtain the administrative password for it (‘anyonesguess’) and access control panels,” reports Wired.
Using a custom exploit, the researchers browsed the device’s file system and extracted its most sensitive file, config.bog, which among other things holds the usernames and passwords of every user. They then used a separate custom tool to decode all of the passwords and, “With the device administrator password in hand… we can now take over the Google Tridium Device.” The point for anyone running a similar system is that the passwords were decoded, not cracked: the device stored them in a reversible form, so once the config file is off the box every account is exposed at once, regardless of how strong each password was.
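As an added illustration that is not part of the original article and not the researchers’ tooling: the Python below contrasts a config export that stores passwords reversibly with one that stores salted hashes. The ‘user:scheme:blob’ layout, the XOR encoding and the static device key are invented for this example and are not Tridium’s config.bog format; the admin password is the one Wired quoted, the other accounts and passwords are constructed. It shows what an attacker’s decoder gets from an extracted file in each case, and the audit check a defender can run over such an export to find accounts stored in a decodable form.

```python
"""Constructed illustration of reversible ("decodable") credential storage
versus salted password hashing.  The config layout, the XOR scheme and the
static key are invented for this example; they are NOT Tridium's config.bog
format and NOT the tool the researchers used."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Assumed: one static key baked into every device.  A decoder tool recovers it
# once and then reuses it against every extracted config file.
STATIC_DEVICE_KEY = b"constructed-static-key"


def obfuscate(password: str, key: bytes = STATIC_DEVICE_KEY) -> str:
    """Reversible encoding: XOR with a repeating key, then base64."""
    raw = password.encode()
    mixed = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode()


def deobfuscate(blob: str, key: bytes = STATIC_DEVICE_KEY) -> str:
    """Inverse of obfuscate(): anyone holding the key gets the plaintext back."""
    mixed = base64.b64decode(blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(mixed)).decode()


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """One-way storage: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def parse_config(text: str) -> list[tuple[str, str, str]]:
    """Parse the constructed 'user:scheme:blob' export format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, scheme, blob = line.split(":", 2)
        entries.append((user, scheme, blob))
    return entries


def recover_credentials(text: str) -> dict[str, str]:
    """What an attacker's decoder gets from an extracted config file:
    every reversibly stored password, and nothing from the hashed ones."""
    return {
        user: deobfuscate(blob)
        for user, scheme, blob in parse_config(text)
        if scheme == "xor"
    }


def audit_config(text: str) -> list[str]:
    """Defender's check over the same export: accounts whose password is
    stored in any form other than a salted hash."""
    return [user for user, scheme, _ in parse_config(text) if scheme != "pbkdf2_sha256"]


# Constructed sample export.  'anyonesguess' is the password Wired quoted for
# the Google device; the other accounts and their passwords are invented.
CONSTRUCTED_CONFIG = "\n".join([
    "# constructed sample, not a real config.bog",
    "admin:xor:" + obfuscate("anyonesguess"),
    "operator:xor:" + obfuscate("Summer2013"),
    "auditor:pbkdf2_sha256:" + hash_password("correct horse battery staple"),
])

if __name__ == "__main__":
    print("attacker recovers:", recover_credentials(CONSTRUCTED_CONFIG))
    print("audit flags:", audit_config(CONSTRUCTED_CONFIG))
```

Run stand-alone it prints the two XOR-stored passwords in the clear and flags the same two accounts, while the hashed auditor entry gives the decoder nothing. The design point is that the static key is the whole secret for the reversible scheme, so one extracted file compromises every device that shares it; with PBKDF2 the attacker is back to guessing one password at a time.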
To prove the point they show a printout taken from the device of Level 3, with the floor plan and water-pipe layout. The North Kitchen is fine, but the South Kitchen has an ongoing leak. “Of course, once we’re done perusing the building automation systems, we could always root the device (we did not do this… but we could have!)”
But the message is clear. Despite continued warnings about the vulnerability of industrial control systems, and in this case despite an available patch, even technology companies remain exposed. “If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go.”