Cisco Systems has warned of serious vulnerabilities in a device that connects a building's ventilation, lighting, security, and energy supply systems so they can be controlled by IT workers remotely. The networking giant on Wednesday urged users of the Cisco Network Building Mediator products to patch the vulnerabilities, which …
I can picture the scene ...
Pointy-haired Boss #1: Why don't we make the controls for our HVAC systems available over the Internet, then we can manage them remotely and save some money.
PHB #2: Great idea! After all, what could possibly go wrong ...
Need to read more at Cisco!
Sounds like the plot for a SciFi story...I wonder if anyone has already thought of it?!
You'd think with all the geeks at Cisco, one of them would have read/watched "This House Possessed" or that X-Files episode where the computer goes nutty and locks up the buildings. Perhaps even that other semi-famous one by Arnold D Clarke is it?
Do you mean?
Arthur C Clarke?
Need to read more at Cisco
Brian Clemens? He had George the computer in an Avengers episode from the 1960's.
Could be worse..
..as anyone who has seen 'Demon seed' will tell you. You could have the computer which controls your house impregnating your wife with freaky gold baby!
Oh come on!!!
Can we have a "Some twats should never be allowed near critical systems" icon please.
I'm getting tired of reading about this sort of cock-up. Cisco should be ashamed of themselves for allowing these errors through.
Whoever was responsible for procuring the system is equally guilty, for not spec'ing it properly or for not placing strict requirements on the supplier to prove that it was OK.
My biggest concern is that systems are getting more and more invasive and taking on critical functions, but the development and proving of them seems to be declining in quality. Some serious harm is coming if this carries on.
: have you seen the possibilities? No? Rewatch "Live Free or Die Hard", with Bruce Willis... "FireSale" springs to mind.
PHB Internet-izing Critical Infrastructure Not Limited to Cisco Equipment
Yeah, this is bad, but . . .
How many "originally-good" HVAC, power, steam, natural gas, fuel-oil, water, lighting, and video-cam systems, equipped with physically-separate-and-dedicated comm lines, have been compromised by PHBs ordering staff to "Hook this [Windows-based, monitoring/control workstation] computer to the Internet, so I can access it from anywhere." ?!!
This isn't meant as a defence but...
...I suspect this may be common practice for building management systems.
The ones I've seen are still largely DOS/Win9x-based with a few Win2K and Linux systems.
The ones that aren't connected to LANs for remote access are connected to modems and if they have passwords harder than "bms", I'd be surprised.
Computer controlled building as a plot device....
Done ages ago as an episode in Series 2 of the "New Avengers", entitled "Complex".
God I love '60's & 70's Brit TV. Anyone remember "Department S"?
Every wannabe BOFH in the world
Will be drooling at this!
Grenade icon for obvious reasons.
"Open the pod bay doors, Hal."
"I'm sorry, Dave. I'm afraid I can't do that. "
"sudo Open the pod bay doors, Hal."
passwords harder than "bms"
Come on, it's Cisco, so expect "cisco/cisco"....
You got it wrong
The actual combination will be
which is what we were told to use in our CCNA courses.
Other series not yet mentioned
Could Be Worse !!
Well, we all know CISCO has bugs in their products before and after their release dates. Then one week later we see a patch. LOL!!
CISCO, you need to rethink more about vulns and bugs and less about the release date.
Critical Building Management=FAIL
The Reality Is
...that everybody buys IT based on feature list and nice GUIs. And then everybody is horrified about security issues which eventually get out.
There was a time I could shoot down HPUX 9 servers with an "illegally sized" PING packet. So everybody has those issues.
Did any one of you demand a proper review of code and hardware designs before purchasing anything? I bet the answer is "errrrm, NO".
Software bugs are like rats - annoying but not dangerous if proper pest control is applied. When did you whine about rats last time? Also, when did you throw meat into the wrong bin last time, making life for rats good?
"The pool sprung a leak"
You know, that was one of the things I always laughed at the movie "Hackers" for (well, in a long list): "who in their right mind puts a fire suppression system networkable?"
Personal fail on my part for underestimating the ingenuity of the common idiot.
"who in their right mind puts a fire suppression system networkable?"
Who would entrust his or her life to a computer? Nobody except the Dumb F*cks (sorry, "customers") that fly an Airbus A320 or a later Airbus model. Or a Boeing 787.
That's hundreds of thousands of people *every day*. And the Dumb F*cks don't know that these computers are somehow connected to the internet. Certainly protected by a ton of crypto which I hope is properly implemented and configured, but nevertheless these planes are already networked.
So if one managed to breach several VPNs they could theoretically crash probably thousands of large airliners in a matter of minutes. Casualties in the hundreds-of-thousands....
Seriously? The cockpit info for A320s is internet accessible?
You missed the point. The computer isn't the problem, putting them on a public network is.
Are you sure the avionics systems for an A320 are actually on the internet? If so, can you link me? I'd like to read that!
Remote Aircraft maintenance
It is totally obvious that airlines (and their service providers) want to monitor parameters of their aircraft more or less on a continuous basis. So if any parameter of an aircraft moves out of the "good" interval, they want to have the spare parts, technicians and test/repair equipment already in place at the destination airport, ideally.
To facilitate that, data from all sorts of aircraft systems must be transmitted to the airline HQ (or service providers like MTU) while the plane is in the air on a continuous basis.
I am not working for the aircraft/airline industry, so I do not know the details. It could be that such data transfers are strictly one-way, but I doubt this because it can be very useful for maintenance personnel to change some critical parameters while an a/c is flying.
I have no doubt these systems are running over specially protected Virtual Private Networks (which can use the internet or other public telecom networks), but these VPNs also could contain flaws which could be a security issue. The crypto could be broken.
The A380 has an on-board network that includes the passenger network and the avionics network. These two are NOT physically separate, but "separated" by a firewall.
A research project in 2005:
Airbus A380 avionics protected by "firewalls":
An Article on the Subject of Remote Maintenance:
Engine Manufacturer MTU offers "Engine condition monitoring (remote diagnostics)"
I would disagree that it would be useful to have the ground crew changing parameters while the aircraft is flying. Anything changed via this method could just as easily be changed by someone in the cockpit, and someone tweaking things (even an engineer with good intentions) while flying without the pilot's knowledge seems a tad troubling.
OTOH I can see how monitoring would be useful for doing parts in JIT. I just don't see a reason to put it anywhere near a public network. I do stand by the belief that these type of systems have no business attached to public networks (at least not ones that actually can exert control).
I wonder if they are using something like ModBus over TCP/IP, I know it is popular in industrial controls and power monitoring.
All Airbus models after the A320 are fully software controlled. Meaning that all pilot input is processed by a complex piece of software and only then relayed to the flaps, engines etc.
For example, the software has an anti-stall feature and a feature to protect the engines from too fast power increases. The latter is claimed to be partly responsible for an A320 crash when a pilot flew way too low and in the last seconds tried to get power really, really quickly.
"OEB 19/1: Engine Acceleration Deficiency at Low Altitude
This OEB noted that the engines may not respond to throttle input at low altitude."
So apart from the networking thing, we already entrust our lives to computers and software.
The 787 is pretty similar IIRC.