The drive to make datacenter buildings and other corporate facilities more advanced and energy-efficient may be driving down costs, but it is increasing the risk of those buildings being remotely invaded or vandalized through automation systems that lack all but basic security.
Successful building-automation attacks don’t happen often, but both the systems and the attacks are becoming more common, according to Navigant Research, whose April survey predicted the market for building automation would grow from $11.3 billion in 2013 to $22.4 billion in 2020.
Developers creating systems to manage both homes and commercial buildings often fall far short of normal IT security standards, especially when it comes to remotely accessible control of automation systems, according to consultants Daniel Crowley and David Bryan, of security software and services vendor Trustwave.
The two will present their findings about the lack of security in home-automation systems at a session at the Black Hat security conference titled “Home Invasion v2.0—Attacking Network-Controlled Hardware.”
“Connecting things to a network opens up a whole range of vectors of attack, and when you are talking door locks, garage doors, and alarm controls it gets scary,” Crowley wrote in a statement announcing the session. Security for the increasing number of home-automation systems is “pretty poor,” he added.
It is fairly easy to get control of a smartphone being used as a remote controller for home-based systems, for example. It is also possible to use specialized searches to identify networked home-automation devices and attack them remotely, or to identify the street address associated with a device's IP address and attack it in person.
“If someone can access your home network, but doesn’t have a key to your home, they can still unlock your door and get in,” Crowley wrote.
Home automation systems are far less common and sophisticated than the kind of building-automation systems that control heating, air conditioning, lighting and security in commercial buildings, of course. But commercial building automation isn’t much more secure than the domestic variety, according to researchers investigating the hack of a Google office building in Australia in May.
The building’s management system was run by Niagara AX from Tridium in Richmond, Virginia—a Windows-based system on which the Tridium client software runs within a Java virtual machine. The system is installed in 235,000 buildings worldwide.
In a blog post on their employer’s site, Cylance security researchers Billy Rios and Terry McCorkle described how they’d been able to penetrate security on the Tridium system using a login page called “GoogleWharf7.” They found the login page in a database of 21,000 buildings managed by Tridium systems, which they identified using the Shodan search engine—which searches the Internet for connected devices rather than documents or web sites.
Shodan, which CNN.com called “the scariest search engine on the Internet,” indexes about 500 million connected devices and services every month—even in environments as sensitive and security-conscious as the control system of a nuclear power plant. Rios and McCorkle seized control by attacking a flaw in the remote-access, pre-authentication system in the Tridium system, combined with a privilege-escalation bug that gave them control of the system and most of the building.
Building-control vendors are trying to secure their systems with deals such as the one between building-automation firm Lynxspring and secure remote-access developer Netop, for a product called SecureLYNX that is due to be released this year.
Building owners certainly need to be aware of the risks, according to Navigant analyst Lee Hamilton, but it’s even more important that building-automation vendors get up to speed on security before a big risk becomes a series of big disasters.
“Think about the individual systems controlled by a BAS/BMS [building automation/building management system],” Hamilton wrote: “Fire and life safety, security, elevators, etc. It’s not a far leap to consider worst-case scenarios where fire suppressant systems are de-activated or unwarranted persons are allowed into sensitive areas of secure buildings. Chaos could be induced if control of the BAS/BMS landed in the wrong hands.”