Cisco bugs surrender control of building's critical systems

Cisco Systems has warned of serious vulnerabilities in a device that connects a building's ventilation, lighting, security, and energy supply systems so they can be controlled by IT workers remotely. The networking giant on Wednesday urged users of the Cisco Network Building Mediator products to patch the vulnerabilities, which …

COMMENTS

This topic is closed for new posts.
  1. Chris Miller
    FAIL

    I can picture the scene ...

    Pointy-haired Boss #1: Why don't we make the controls for our HVAC systems available over the Internet, then we can manage them remotely and save some money.

    PHB #2: Great idea! After all, what could possibly go wrong ...

  2. Will Godfrey Silver badge
    FAIL

    Eggs

    Basket

  3. Anonymous Coward
    Joke

    Need to read more at Cisco!

    Sounds like the plot for a SciFi story...I wonder if anyone has already thought of it?!

    You'd think with all the geeks at Cisco, one of them would have read/watched "This House Possessed" or that X-Files episode where the computer goes nutty and locks up the buildings. Perhaps even that other semi-famous one by Arnold D Clarke is it?

    1. Llanfair

      Do you mean?

      Arthur C Clarke?

    2. Anonymous Coward
      FAIL

      Need to read more at Cisco

      Brian Clemens? He had George the computer in an Avengers episode from the 1960's.

    3. Random Noise

      Could be worse..

      ..as anyone who has seen 'Demon seed' will tell you. You could have the computer which controls your house impregnating your wife with freaky gold baby!

  4. Anonymous Coward
    Unhappy

    Oh come on!!!

    Can we have a "Some twats should never be allowed near critical systems" icon please.

    I'm getting tired of reading about this sort of cock-up. Cisco should be ashamed of themselves for allowing these errors through.

    Whoever was responsible for procuring the system is equally guilty, for not spec'ing it properly or for not placing strict requirements on the supplier to prove that it was OK.

    My biggest concern is that systems are getting more and more invasive and taking on critical functions, but the development and proving of them seems to be declining in quality. Some serious harm is coming if this carries on.

  5. Anonymous Coward
    FAIL

    Why?

    Just Why?

  6. Anonymous Coward
    Alert

    Fire-Sales?

    : have you seen the possibilities? No? Rewatch "Live Free or Die Hard", with Bruce Willis... "FireSale" springs to mind.

  7. An_Old_Dog Silver badge
    FAIL

    PHB Internet-izing Critical Infrastructure Not Limited to Cisco Equipment

    Yeah, this is bad, but . . .

    How many "originally-good" HVAC, power, steam, natural gas, fuel-oil, water, lighting, and video-cam systems, equipped with physically-separate-and-dedicated comm lines, have been compromised by PHBs ordering staff to "Hook this [Windows-based, monitoring/control workstation] computer to the Internet, so I can access it from anywhere." ?!!

  8. Anonymous Coward
    Anonymous Coward

    This isn't meant as a defence but...

    ...I suspect this may be common practice for building management systems.

    The ones I've seen are still largely DOS/Win9x-based with a few Win2K and Linux systems.

    The ones that aren't connected to LAN's for remote access are connected to modems and if they have passwords harder than "bms", I'd be surprised.

  9. Nux Vomica

    Computer controlled building as a plot device....

    Done ages ago as an episode in Series 2 of the "New Avengers", entitled "Complex".

    God I love '60's & 70's Brit TV. Anyone remember "Department S"?

  10. Gavin Burnett
    Grenade

    Every wannabe BOFH in the world

    Will be drooling at this!

    Grenade icon for obvious reasons.

  11. Anonymous Coward
    Anonymous Coward

    Open...

    "Open the pod bay doors, Hal."

    "I'm sorry, Dave. I'm afraid I can't do that. "

    "sudo Open the pod bay doors, Hal."

  12. Neil Greatorex
    Boffin

    passwords harder than "bms"

    Come on, it's Cisco, so expect "cisco/cisco"....

    1. Daniel B.
      Boffin

      You got it wrong

      The actual combination will be

      cisco/class

      which is what we were told to use in our CCNA courses.

  13. pctechxp

    Other series not yet mentioned

    BUGS

  14. Anonymous Coward
    FAIL

    Could Be Worse !!

    Well, we all know CISCO has bugs in their products before and after their release dates. Then one week later we see a patch. LOL!!

    CISCO, you need to rethink more about vlu's and bugs and less about the release date.

    Critical Building Management=FAIL

  15. Anonymous Coward
    Anonymous Coward

    The Reality Is

    ...that everybody buys IT based on feature list and nice GUIs. And then everybody is horrified about security issues which eventually get out.

    There was a time I could shoot down HPUX 9 servers with an "illegally sized" PING packet. So everybody has those issues.

    Did any one of you demand a proper review of code and hardware designs before purchasing anything ? I bet the answer is "errrrm, NO".

    Software bugs are like rats - annoying but not dangerous if proper pest control is applied. When did you whine about rats last time. Also, when did you throw meat into the wrong bin last time; making life for rats good ?

  16. Oninoshiko
    FAIL

    Personal fail.

    "The pool sprung a leak"

    You know, that was one of the things I always laughed at the movie "hackers" for (well in a long list) "who in their right mind puts a fire suppression system networkable?"

    personal fail on my part for underestimating the ingenuity of the common idiot.

  17. Anonymous Coward
    Stop

    WHO WHO

    "who in their right mind puts a fire suppression system networkable?"

    Who would entrust his or her life to a computer ? Nobody except the Dumb F*cks (sorry, "customers") that fly an Airbus A320 or a later Airbus model. Or a Boeing 787.

    That's hundreds of thousands of people *every day*. And the Dumb F*cks don't know that these computers are somehow connected to the internet. Certainly protected by a ton of crypto which I hope is properly implemented and configured, but nevertheless these planes are already networked.

    So if one managed to breach several VPNs they could theoretically crash probably thousands of large airliners in a matter of minutes. Casualties in the hundreds-of-thousands....

    1. Oninoshiko
      Boffin

      seriously? the cockpit info for A320s are internet accessible?

      you missed the point. the computer isn't the problem, putting them on a public network is.

      are you sure the avionics systems for an A320 is actually on the internet? If so, can you link me? I'd like to read that!

  18. Anonymous Coward
    Anonymous Coward

    Remote Aircraft maintenance

    It is totally obvious that airlines (and their service providers) want to monitor parameters of their aircraft more or less on a continuous basis. So if any parameter of an aircraft moves out of the "good" interval, they want to have the spare parts, technicians and test/repair equipment already in place at the destination airport, ideally.

    To facilitate that, data from all sorts of aircraft systems must be transmitted to the airline HQ (or service providers like MTU) while the plane is in the air on a continuous basis.

    I am not working for the aircraft/airline industry, so I do not know the details. It could be that such data transfers are strictly one-way, but I doubt this because it can be very useful for maintenance personnel to change some critical parameters while an a/c is flying.

    I have no doubt these systems are running over specially protected Virtual Private Networks (which can use the internet or other public telecom networks), but these VPNs also could contain flaws which could be a security issue. The crypto could be broken.

    The A380 has an on-board network that includes the passenger network and the avionics network. These two are NOT physically separate, but "separated" by a firewall.

    A research project in 2005:

    http://www.cs.york.ac.uk/dame/summary.htm

    Airbus A380 avionics protected by "firewalls":

    http://www.pprune.org/tech-log/185244-a380-computer-network-ima-article-ct.html

    An Article on the Subject of Remote Maintenance:

    http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V2H-4MD9G26-2&_user=10&_coverDate=05%2F31%2F2007&_rdoc=1&_fmt=high&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=1351426251&_rerunOrigin=google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=123874e79830d4356820ca1cdfb6e2dd

    Engine Manufacturer MTU offers "Engine condition monitoring (remote diagnostics)"

    http://www.aerospace-technology.com/contractors/maintenance/mtu/

    1. Oninoshiko

      re

      Interesting.

      I would disagree that it would be useful to have the ground crew changing parameters while the aircraft is flying. anything changed via this method could just as easily be changed by someone in the cockpit, and someone tweaking things (even an engineer with good intentions) while flying without the pilot's knowledge seems a tad troubling.

      OTOH I can see how monitoring would be useful for doing parts in JIT. I just don't see a reason to put it anywhere near a public network. I do stand by the belief that these type of systems have no business attached to public networks (at least not ones that actually can exert control)

      I wonder if they are using something like ModBus over TCP/IP, I know it is popular in industrial controls and power monitoring.

  19. Anonymous Coward
    Stop

    A320

    All Airbus models after the A320 are fully software controlled. Meaning that all pilot input is processed by a complex piece of software and only then relayed to the flaps, engines etc.

    For example, the software has an anti-stall feature and a feature to protect the engines from too fast power increases. The latter is claimed to be partly responsible for an A320 crash when a pilot flew way too low and in the last seconds tried to get power really, really quickly.

    "OEB 19/1: Engine Acceleration Deficiency at Low Altitude

    This OEB noted that the engines may not respond to throttle input at low altitude."

    from

    http://en.wikipedia.org/wiki/Air_France_Flight_296

    So apart from the networking thing, we already entrust our lives on computers and software.

    The 787 is pretty similar IIRC.
