back to article Building automation systems are so bad IBM hacked one for free

An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security. The IBM X-Force team of Paul Ionescu, Jonathan Fitz-Gerald, John Zuccato, and Warren Moynihan, along with Akamai engineer Brennan Brazeau, …

  1. waldo kitty
    Facepalm

    this is really sad... this is only one instance... imagine all the other hundreds and thousands of similarly equipped buildings... this is another example of security being tacked on at the end instead of being properly built in from the beginning...

    to quote a well known security analyst, "If you have not detected a compromise, It is not because it is not happening but because you are not looking in the right areas...." - Dr. Eric Cole ‏@drericcole

    1. MyffyW Silver badge

      Not suprised, unfortunately.

      Having built a career at least partly on Microsoft technologies I'm more cautious than most (I've had to be). It depresses me how many times in the past few years a project has only locked down the system with a prompt from myself. And I'm a lazy cow.

  2. Anonymous Coward
    Anonymous Coward

    Sadly unsurprising

    I started my career in building automation, and this is depressingly unsurprising news. We built stuff in the 1980s that would be hard-wired into buildings, expecting it to last as long as the buildings did, with no reason to expect that there would ever be a connection to the system from outside the physical wiring in the buildings.

    And apparently, the industry is still architecting systems under the same assumptions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sadly unsurprising

      And apparently, the industry is still architecting systems under the same assumptions.

      Whilst somebody owning your BEMS or similar and turning the thermostat down, or the aircon off is potentially embarrassing, I can't see it being a popular pastime for that purpose. A more pressing concern might be that if the BEMS is connected to the corporate IT network, can p0wnership of some crapola BEMS or IoT junk lead to real network penetration, and loss of data and IP?

      My guess is yes, but I wonder how many IT departments actually manage the BEMS - probably relatively few, with most of controlled by an IT-illiterate facilities management team.

      1. I ain't Spartacus Gold badge

        Re: Sadly unsurprising

        Ledswinger,

        It does depend on what's hooked up to a BMS though. We sell kit that only has a one-way connection. So we don't have to worry about security. We just output a few different kinds of fault flag, with a different connection for each. So the BMS can't screw up our kit's controls - which can only be done with physical access.

        Except we do have some variable speed stuff that takes information from the air-conditioning on how fast to spin the fans. So you might be able to do some damage by continuously teling it to change motor speeds.

        You can do lots of damage with direct control of pumps and valves. If I have control of a pump and a single outlet several floors up in a high rise building, then I can create a vacuum in the sytem, turn the pump back on and create massive water hammer - and spike the pressure up to way more than the pipes will stand. If you've got a pump operating at 10 litres/second at 5-10 bar, then that's an awful lot of water spraying around everywhere. And lots of pipe joints you're going to have to go and fix. You can also knacker electric motors by rapidly switching them on and off - if people have disabled their normal protection when giving control the BMS.

        Not to mention the gas system and boilers.

        I remember writing something ten years ago, when were looking at using wireless sensors/controls. Saying that it was too scary to do, and that wires were cheaper and less hassle. Giant water tanks and concrete basement plantrooms tend to bugger up your signals anyway - but the security problems are just as bad - particularly given that's an area we have no experience or expertise in. And neither does anyone else in the industry.

        1. spegru

          Re: Sadly unsurprising

          That has to be the most scary IoT security story I've heard so far

      2. Anonymous Coward
        Anonymous Coward

        Re: Sadly unsurprising

        Whilst somebody owning your BEMS or similar and turning the thermostat down, or the aircon off is potentially embarrassing, I can't see it being a popular pastime for that purpose.

        Maybe that would be just a nuisance (and lets face it, there's plenty of people who enjoy being a nuisance), but the BMS is often also running some surprising things, such as badged doors and access logging.

        And if it's running something more important than People Pods, like an industrial environment or the a/c to the server room, somebody could do some serious damage...

        1. I ain't Spartacus Gold badge

          Re: Sadly unsurprising

          And if it's running something more important than People Pods, like an industrial environment or the a/c to the server room, somebody could do some serious damage...

          I'd not thought of that. You could have a new security term ADoS. A DDoS is a distributed attack, an ADoS is an Aircon Denial of Service.

          It all depends on how integrated stuff gets. At the moment most kit has built-in protection. So servers will shut down on over-temperature, meaning your kit doesn't cook. Though I suppose that not all the kit will come back up again, so it's still bad. And you lose service.

          Electric motors last a long time when they run, but suffer stress on start-up. So you can kill a pump by turning it off and on repeatedly. But to combat this, many industrial electric motors have run-on timers, for example most water pumps will run for a minimum of 2 minutes.

          Heating systems contain electronic controls to stop the boiler if things go over temperature or pressure. But there's also a hardware backup, the emergency temperature and pressure relief valves. This limits what you can screw up even with control of a BMS.

          Many tall buildings have an anti-vacuum system on the pump - to avoid water hammer damage on restart. Some also have automatic anti-vacuum valves, doing the same job in hardware.

          If people come to rely on electronic sensors and controls, and then further come to rely on the BMS to operate these, then I forsee a problem.

          Fortunately the building services industry is too fucked up for that. Design is done in silos. No one talks to each other. Purchasing too - often the people who buy the equipment now will save 10% on physical kit, even though it costs them more in labour than that saving - because they're bonused on saving purchases and don't even talk to the site engineers.

          As manufacturers, we don't talk to the BMS people, who treat their whole field as a black box that only they understand (and charge large amounts to commission). So all they get is volt-free connections giving a fault/no-fault signal. Even with pumped systems on timers they don't often manually tell the pump to switch on, rather they open a valve, that causes water pressure to drop - activating the pump that way (on its normal controls).

          Incoherence and incompetence will save us! Hooray!

          ...Sorry, I was trying to be hopeful. Think I blew it at the end there...

          1. Tom 13
            Facepalm

            Re: Sadly unsurprising

            Purchasing too - often the people who buy the equipment now will save 10% on physical kit, even though it costs them more in labour than that saving - because they're bonused on saving purchases and don't even talk to the site engineers.

            That's a problem that's not specific to BMS. A friend of mine works for the Navy. About a year ago he sat on a committee that was reviewing plans for installing something on a sub. The build guys chose an easy to install solution for the device. Well, easy for them because they were working up from the frame. Once it was in place there was something placed over it. So if something went wrong with the part, they'd spend $100K removing the second device before they could get to the first. Oh, and yeah, the navy was expecting that first device was going to need maintenance about once every 3 years. Since my friend worked on the maintenance side of the house they raised serious objections and thankfully got an alternate installation specified. It cost an extra $100K on the build side, but you made that back first maintenance on the boat with a 30 year life expectancy.

    2. Stuart Castle

      Re: Sadly unsurprising

      And I would suspect any remote access facilities in use have just been bolted on to those systems with little or no concern for security...

  3. allthecoolshortnamesweretaken Silver badge

    Most building automation systems have poor security to begin with - doesn't help much when the guys installing them do not change the default passwords. (It usually takes some persuading to make them do it, and you'll have to watch them doing it. Otherwise they just replace '0000' with '1234' or something like that.)

    1. Boothy

      1) Enforce passwords rules out if the box, including an expiry period.

      2) Don't have any default passwords in the system. Forcing the installer to set a new password on first login.

      3) Next time the building/system manager/admin logs in, it's likely to be after the password expiry date, so force another password change.

      4) Implement a hardware only recovery option, in case the password is lost/forgotten, that requires someone to be physically on site. (i.e. a jumper inside the device).

      1. SImon Hobson Silver badge

        > Forcing the installer to set a new password on first login

        Except that only reduces the problem "a bit" - well a fair bit, but it doesn't eliminate it.

        As an example, I happen to thing that I could disarm the alarms of a large proportion of local premises - simply by knowing the engineer code (note the singular) that a local alarm company uses. How do I know the code ? Well at a previous job we had a fault that made the alarms keep triggering - they gave us "a code" over the phone that would shut it up until they could come and fix it.

        A simple bit of deduction says that they only have one code (or perhaps a very small number of codes). When I rang, he didn't need to think or look it up - therefore he knew the code in his head. Unless he's Rain Man (which he isn't) then he doesn't have a large list of numbers complete with who they are used for - so only one number (or a very short list). And there was none of this "if that doesn't work, they ..."

        Such things make life easy for the installer - but don't really do much for security !

  4. wyatt

    A quick Google shows a company which provides hosted services, with a Apache web server internet facing, with the default accounts still enabled. I'd be pissed if this was somewhere I purchased services from.

    Will companies ever stop doing this? I can't see it myself.

  5. Dr Who

    I would work for free if it was for a team called X-Force. It would be worth it just for the answer my seven year old son could give his mates at school when they ask him what his dad does.

  6. Destroy All Monsters Silver badge

    Hmmm

    That movie with Cindy Crawford where Evil Russians hack her hotel's automation system from the street using a laptop with unfoldable Dvorak keyboard for particularly fast hacking ... can't remember the name.

    1. waldo kitty
      Angel

      Re: Hmmm

      That movie with Cindy Crawford where Evil Russians hack her hotel's automation system from the street using a laptop with unfoldable Dvorak keyboard for particularly fast hacking ... can't remember the name.

      Fair Game (1995) http://www.imdb.com/title/tt0113010/

  7. HighTension

    The systems and the service companies...

    have little understanding of security. I've worked on a BMS (maintained by an external contractor) that had a "log in" pane in the gui with a list of users. If you clicked a username, you got a password prompt. But if you didn't bother clicking a username, you could still access the entire system at a full admin level! It would be possible to turn on all the boilers and thermostats to full blast if you so desired. I've even sure it would be possible to cause physical damage, eg by closing valves on the output of running water pumps.

    The contractor wanted to gain remote access by simply plonking a DSL router in front and port-forwarding RDP to the PC. RDP, unencrypted, to a local admin account where the password hint *was* the password. I instead insisted on a VPN (using a decent Draytek router which had the benefit of providing a VoIP phone in the plant room), changing the password and hints and removing the local admin.

    When the contractor changed I had to go through all of this again. This one wanted to put in an ISDN dialup line, which I was sure would be make the BMS ownable just by knowing the phone number. Grrr.

    1. Down not across Silver badge

      Re: The systems and the service companies...

      Not surprising. Just like anything relying on database expects to have 'sa' on the database (SQL Server). When you tell them "It ain't happening" and insist on them to come up with list of what permissions they actually need you get some mumbling and its clear nobody has any idea.

      So much of that stuff (on software side) is so badly cobbled together by utterly clueless people that it is wonder there aren't more disasters.

      That stuff needs to be severly firewalled both ways.

      1. HighTension

        Re: The systems and the service companies...

        Ah, but then the landlord will insist it belongs to them, and then alone, and why should the tenant have any say in it? After all, we just sit in the building and supply them with rent....

        As for cobbled software... after 3 suppliers' sales teams managed to bamboozle our HR department for a simple personnel management system (ie £10k for something that an NVQ student could have come up with in an hour or two), the powers that be finally let us write our own. Now I get paid the right amount on the right day and don't get phone calls asking why I'm not in 5 days into a holiday in the Med...

        Sigh...

  8. Chris Evans

    Another Dept.?

    I suspect in some(many?) companies the department in charge of the building control won't be the IT department!

    1. Tom 13

      Re: Another Dept.?

      IT's got enough headaches on their hands without adding facilities to the list.

      1. Fatman Silver badge
        Joke

        Re: Another Dept.?

        <quote>IT's got enough headaches on their hands without adding facilities to the list.</quote>

        BUT, you could make awhole bunch of PHB's shit in their pants if that department included the elevators. Like make the elevator stop at a non-existent 13th floor....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019