The security of building management systems has improved over the last few years but many of them aren't set up properly to avoid being hacked, according to security researchers.
In a blog post, Ken Munro, partner at Pen Test Partners, said that in tests carried out by his company, a large number of such systems were found to be installed on the public internet, unprotected, with complete authentication bypass in some cases.
“We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations,” he said. “We also found some that had already been compromised to a point by malware. Further compromise would be trivial.”
Munro said that most of these issues have been caused by HVAC & BMS installers, rather than the vendor. “The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though,” he said.
He pointed to a few examples where security had improved over the years, but problems persisted.
In a 2006 IQ3 Excite building management controller, Munro found plaintext authentication and authentication bypass for embedded web server. There was also a problem with reflected XSS on various parameters.
He added that in the 2013 model of the building controller, the firmware version was more recent and most of the significant flaws had been fixed. “Authentication bypass was still possible in default configuration,” he said.
Munro claimed that in the latest 2017 model, the IQ412 Excite, the XSS from 2006 has now been fixed but he thought there was still a convoluted XSS present.
“There's also plenty of opportunity for CSRF. Auth bypass was still present,” said Munro.
A quick search on Shodan for these devices managed to pull up over a thousand such devices present on the internet. Among the organisations using potentially vulnerable systems were a London restaurant, a development site at a former brewery, a fire station, and an infants school in Chelmsford.
Munro said that building management systems are often installed by electricians and HVAC engineers who simply don't understand security.
“BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible,” he said.
Simon Gawne, director of Advanced Integration Centre of Excellence at Johnson Controls, told SC Media UK that a key selling point for many products today is that they are easy and fast to install, saving the end user valuable time and expense.
“However, if the trade-off is a lack of authentication or encryption, system vulnerabilities creep in,” he said. ““Keep confidential information out of the hands of those to whom it does not belong. For example, when looking to implement a camera, consider whether it requires authentication to view the video. Access control systems are of vital importance to physical products. The biggest mistake would be allowing changes to the database which could allow an attacker to gain physical access to the building.”
He added that building managers must always take into account the risk from internal threats as well.
“It's important to make sure any products you select can be set up with controls that separate responsibilities for individual users. Finally, remember to ask about third-party assessments. Does your supplier undergo independent assessments of its products? More importantly - and an often-forgotten question - does it then take the proper steps to resolve the issues found?”
Mark James, security specialist at ESET, told SC Media UK that the biggest risk has to be from outside the “protected” network.
“Potentially critical internal systems should be just that, internal - no means should exist to bridge the gap. If you want to stay safe, anything that is public facing should be either on a segregated network or protected using multiple-layers to ensure that compromise is extremely difficult,” he said.
“If these controllers do become compromised, the damage could be extreme. Even seemingly simple operations like setting off fire alarms or altering heating systems could be used for subterfuge to cover the tracks in a much bigger operation."
For free entry to see Ken Munro demonstrate how easy it is to hack IOT devices at SC Congress 2018, register now here.