Cylance Hacks Google Office Building Management System

← Back to Stories (view on slashdot.org)

Cylance Hacks Google Office Building Management System

Posted by Unknown on Wednesday May 8, 2013 @02:18AM from the ghost-in-the-machine dept.

Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."

46 comments

Min score:

Reason:

Sort:

Can they cause a gas explosion like in Skyfall? by ArsenneLupin · 2013-05-08 02:22 · Score: 1

(n/t)
1. Re:Can they cause a gas explosion like in Skyfall? by Anonymous Coward · 2013-05-08 03:32 · Score: 0
  
  and FUCK YOU too
Ooh, Google got scooped! by fuzzyfuzzyfungus · 2013-05-08 02:22 · Score: 0

Better short your stock now, kids, one of Google's competitors just 'indexed the internet of things' right in Google's office before Google did.
Tut, tut, Sergei, falling behind in the race to make the world's information accessible. I'm ashamed of you.
Why??? by Anonymous Coward · 2013-05-08 02:23 · Score: 2, Funny

Why is a build management tool doing exposed in the internet?
Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...
1. Re:Why??? by Gunkerty+Jeb · 2013-05-08 02:27 · Score: 2
  
  Can't WFH without remote access.
2. Re:Why??? by fuzzyfuzzyfungus · 2013-05-08 02:27 · Score: 4, Funny
  
  Why is a build management tool doing exposed in the internet?
  Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...
  No sweat, man, the client-side javacript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.
3. Re:Why??? by Anonymous Coward · 2013-05-08 02:44 · Score: 0
  
  Someone messed up...
  Should be behind a firewall with a VPN.
4. Re:Why??? by Ioldanach · 2013-05-08 02:44 · Score: 2
  
  Why is a build management tool doing exposed in the internet?
  What's the point of building automation if you have to be in the building to use it?
5. Re:Why??? by DougOtto · 2013-05-08 02:49 · Score: 4, Interesting
  
  Because that's it's main selling point.
  The Niagara Framework® is a software platform that integrates diverse systems and devices regardless of manufacturer, or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.
  
  --
  Solving Unix problems since 1989...
6. Re:Why??? by schitso · 2013-05-08 02:53 · Score: 1
  
  "Over the Internet" doesn't have to mean "over an unencrypted direct HTTP connection to an Internet-facing device". It should have been behind a VPN if outside access was needed.
7. Re:Why??? by rvw · 2013-05-08 03:02 · Score: 1
  
  Why is a build management tool doing exposed in the internet?
  What's the point of building automation if you have to be in the building to use it?
  Automation of course!
8. Re:Why??? by SrLnclt · 2013-05-08 03:08 · Score: 1
  
  Exactly. Building operators are not on site 24/7. You get an automated email/text message when a boiler is in alarm or a chiller goes down. Pull up the controls system from any browser on your PC or phone, use your login/password and see what is going on. You may even be able to fix the issue remotely. No need to run across campus when you get a phone call or come in at 3AM if all a piece of equipment needs is the reset button.
9. Re:Why??? by Zero__Kelvin · 2013-05-08 03:28 · Score: 1
  
  You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
10. Re:Why??? by h4rr4r · 2013-05-08 03:30 · Score: 1
  
  No one said that.
  Building automation is not going to need a lot of bandwidth. A modem would work fine and not expose it to the internet at large. Make the password very long and change the number frequently.
11. Re:Why??? by h4rr4r · 2013-05-08 03:31 · Score: 2
  
  So VPN is not something you have ever heard of?
  Or modems?
  There is no need for these systems to be connected directly to the internet.
12. Re:Why??? by MickyTheIdiot · 2013-05-08 03:37 · Score: 3, Insightful
  
  Fat, Pinhead Manager comments on IT Security recommendation:
  "Why should we worry about THAT? We've never had those problems in the past. Besides, I don't quite understand what it is, so it must be a waste of money. No VPN!"
  Fat, Pinhead Manager post-break security incident:
  "Why didn't IT protect our vital infrastructure?"
  Selective memory and buck passing makes like in this century wonderful
13. Re:Why??? by Ioldanach · 2013-05-08 04:20 · Score: 1
  
  You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.
  If I can get to something through an internet based connection to a VPN, it is exposed to the internet. It has an added layer of security, yes, but it is still exposed.
14. Re:Why??? by Zero__Kelvin · 2013-05-08 05:06 · Score: 1
  
  No. It isn't. Please learn basic computer security and terms. It is ONLY exposed to the VPN. If you don't hack into their internal network (i.e. VPN) it doesn't show on a port scan nor can you get to it.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
15. Re:Why??? by Charliemopps · 2013-05-08 05:22 · Score: 1
  
  I've got an uncle that runs one of these systems and the control portion of it doesn't have external access. The point of it is, he knows the status of every fan, vent, boiler, furnace, air conditioner in the building. In the past he'd have to wait until someone complained it was too cold somewhere... walk around till he felt a cold spot... put flow meters over vents in the area... look at diagrams to find which systems feed that area... start testing motors and condensers...
  Now... and little red light goes on, he clicks on it and asks him if he'd like to order the part to replace what's broken. It arrives before the end of the day and he installs it. What used to take weeks now takes hours and the vendor gets a sweet exclusive deal on parts. If you've got a building that you want premium service in (in his case it's a casino) then this is the way to go.
16. Re:Why??? by Anonymous Coward · 2013-05-08 05:24 · Score: 0
  
  It may be a manager? It may be the guy who set it up? It may be the guy who just did not want to keep coming in at 2AM to reset a breaker... Not enough info. Bottom line *someone* screwed up and it needed a firewall and VPN. Fix it and move on.
17. Re:Why??? by ewieling · 2013-05-08 06:38 · Score: 1
  
  This stuff will continue to be exposed to the internet and not secured until the cost of securing it is less than the cost to leave it unsecured. Likely this will happen when there are widespread nasty attacks against exposed systems which cause significant real world problems.
  
  --
  I really shouldn't have used someone else's email address for this account.
18. Re:Why??? by Anonymous Coward · 2013-05-08 06:45 · Score: 0
  
  So I should unlock my front door to my house. It is useless.
  If you know of a way to crack SSH and most VPN's used you could make some good money with simple man in the middle attacks on much higher profile targets than what google has its thermostat set to.
19. Re:Why??? by HiThere · 2013-05-08 07:56 · Score: 1
  
  Already happened. I think it was in Illinois, and about a decade ago, perhaps a bit less. The only reason it was notices is that a virus got in and started messing with things.
  What seems to have happened is that the reactor wasn't on the internet, but it was on a LAN, and something else on the LAN got on the internet, and the virus knew how to make the traversal. Whoops!
  I presume that it was cleaned up quickly, but there I only noticed the one public news story, in the midst of lots of other things being attacked by that same virus. (Can't recally which one, as I'd already switched to Linux so I'd started to stop noticing such things. These days either I just don't notice them at all, or they've stopped happening. Now it's trojans, vulnerabilities, etc.)
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
20. Re:Why??? by Anonymous Coward · 2013-05-08 10:14 · Score: 0
  
  That's why you CYA and get it in writing that he's turning down this vital upgrade to protect our infrastructure.
If an individual did this... by Anonymous Coward · 2013-05-08 02:38 · Score: 1

Since a security firm conducted this, they'll get off with thanks - or at worst a bit of bluster +/- a suit from Tridium which will go nowhere.
If you or I did this, however, and similarly published the results? All of the books would be thrown at us, CFAA, federal prosecutors, and probably that same suit from Tridium, except we couldn't deal with it.
A two-tier justice system is no justice system. We need equal treatment under the rule of law. Either corporations need to be similarly prosecuted, or the laws are out of date and only used to oppress the public. IMHO, we need some of both.
1. Re:If an individual did this... by fast+turtle · 2013-05-08 04:56 · Score: 1
  
  Right in the First fucking line of the Summary that you didn't comprehend
  
  "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia
  
  so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
2. Re:If an individual did this... by Anonymous Coward · 2013-05-08 06:16 · Score: 0
  
  Hmmm overreact much?
  AC
3. Re:If an individual did this... by Em+Adespoton · 2013-05-08 07:05 · Score: 1
  
  Right in the First fucking line of the Summary that you didn't comprehend
  
  "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia
  so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure
  One other thing to point out: the reason that a security firm doesn't get the book thrown at them but individuals do, is that security firms have policies and procedures in place for how they conduct themselves; they notify the appropriate people and perform due process. Most individuals who try a stunt like this aren't even aware of all the protocol and disclosure hoops they should be jumping through -- and so when they make a mistake (which is almost inevitable, doing something by yourself, unless you're already a trained security researcher who has spent time in the system -- at which point it's just highly likely), they end up with the industry and government coming down on them like a tonne of bricks.
  Any individual who creates a reputation for honesty and fully documents their investigation and discloses their intentions and action plan to the right people before they start will usually get a quiet kudos and never be noticed in public. Those trying to make headlines, will.
  Think of it like the girl who was doing a "science experiment" behind the cafeteria during out of school hours -- she did something against policy, and got smacked down for it. I'm sure there were many other students who did similar things through proper channels and had nothing but a mediocre science experiment to show for it.
  That said, in this case, the security researchers did a really bad job covering the bases, and are pretty much riding on their reputation alone to avoid the smackdown. Doing something illegal to make headlines to fix a problem should always be a last resort (accepting that you may face jailtime and fines for doing it and calculating that that's worth it), not a way to gain advertising.
Irresponsible by Anonymous Coward · 2013-05-08 02:42 · Score: 1

Here is the actual advisory for the vulnerabilities they exploited:
http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01
While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.
They are lucky (so far) that Google is being nice about this. Had this system been controlling something more sensitive than HVAC, they could have easily wound up in jail.
1. Re:Irresponsible by tlhIngan · 2013-05-08 03:21 · Score: 5, Interesting
  
  While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.
  Then again, by compromising the devices, they could launch an attack behind the firewall. After all, there's a difference between read-only access (there was that company saying ADS-B was vulnerable then posting about internet-accessible AIS (marine Automatic Identification System) data saying they could find the location of any ship on the internet - including Navy and Coast Guard. Duh, that's what AIS is for! And it's not like it can't be turned off if operationally necessary), and full read-write access.
  Read only access is a lot less scary (big whoop, it's 21 C in the office today, versus 20 yesterday, and the fan on duct #132 is acting up), than read-write (oh, it's a hot day in Sydney, I'm sure Google would love if it I could set this office to 15C and this one to 35C, turn the fan above the meeting room to max).
  Sometimes you have to break in to figure out if you have full access or just limited access - because the limited access may be neat, but not useful at all (like AIS data - it's not terribly useful when it's hooked to an AIS receiver).
  Also, some of these vulnerabilities may not be terribly important to Google - because Google properly firewalled it off. Or maybe it is because it's behind the firewall. You can bet a lot of other building automation systems may not have the internet savvy that Google has. Or maybe a misconfiguration in Google's network or someone's PC could serve as a launch point.
Serious by empties · 2013-05-08 02:42 · Score: 5, Funny

You might think stopping elevators or turning off server-room cooling would be the most dangerous hacks, but the real nightmare: Every coffee is decaf!
1. Re:Serious by 93+Escort+Wagon · 2013-05-08 02:46 · Score: 3, Informative
  
  No way - not even 4chan could be that cruel.
  
  --
  #DeleteChrome
2. Re:Serious by Jesus_666 · 2013-05-08 06:31 · Score: 1
  
  Sounds like a typical Shadowrun plot.
  
  Step 1: The decker enters the building network and switches all coffee makers to decaf.
  Step 2: Everyone in the building falls asleep. The security deckers are the first to go.
  Step 3: The team enters unimpeded. No alarms are tripped and the run is going smoothly.
  Step 4: The street sam decides that now would be a good time to settle an old score using an unsilenced SMG loaded with EX-explosive ammo. In front of a street-level window facing a busy street.
  Step 5: One fight with Lone Star later the GM laments that the C.L.U.E. Foundation has shut its doors.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
3. Re: Serious by Sigg3.net · 2013-05-12 01:05 · Score: 1
  
  IANAL, but I think that falls under manslaughter.
  
  --
  Defining Statistics and Social Research
No by telchine · 2013-05-08 02:58 · Score: 2

(n/t)
1. Re:No by ColdWetDog · 2013-05-08 03:19 · Score: 4, Funny
  
  But I'll bet they've got a bunch of idiots standing around enormous, complex displays muttering nonsensical 'hacker' terms.
  At least that part of the movie was real, right?
  
  --
  Faster! Faster! Faster would be better!
BOFH IRL by Anonymous Coward · 2013-05-08 03:04 · Score: 0

Sounds something just like out of the BOFH stories.
Whew. by moeinvt · 2013-05-08 03:09 · Score: 1

For a second, I thought it started out with
"Industrial mind control researchers" :-O
It's a people problem by dubbayu_d_40 · 2013-05-08 03:23 · Score: 5, Informative

They can only get the configuration file if they already have access. The contractor left the passwords at the default.
who's problem is this? by CAIMLAS · 2013-05-08 03:26 · Score: 1

Within institution's, who's problem is this to fix?
Obviously, this is the developer's (and PM's) fault. They're horrible at their jobs and write lazy, insecure software.
But this is probably going to fall on the shoulders of Google's in-house IT department to get resolved (likely by pushing at Niagara's support channel). Meanwhile, the IT department is also answerable to and for everyone else's snafus in-house in most organizations.
Developers - as individuals and departments - really need to pull their shit together and take more responsibility for their products. This is pretty disheartening and, on a daily basis, frustrating as fuck.

--
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
1. Re:who's problem is this? by dubbayu_d_40 · 2013-05-08 03:43 · Score: 1
  
  The patch for this issue was released Aug 2012. The issue being, the contractor left the passwords at the default.
  https://www.tridium.com/galleries/security/2012-08-03-Tridium%20Security%20Update.pdf
Article picture of Wharf 7 by Sponge+Bath · 2013-05-08 03:43 · Score: 1

That picture shows how much Google employees enjoy intimate closeness. Your are two feet from your coworker with no divider so you can enjoy all the sounds, sights and smells that make every work day a party.
Custom exploit by Anonymous Coward · 2013-05-08 04:02 · Score: 0

tridium-ip-address/ord?file:^config.bog
3rd party systems / out side management by Joe_Dragon · 2013-05-08 04:17 · Score: 1

3rd party systems / out side management. How much does Google do with that side of stuff?
There is a better word by YurB · 2013-05-08 04:31 · Score: 1

Wouldn't it be less ambiguous to say they cracked the system instead of hacked it? When will we show our respect to the guys who call themselves hackers for creating free operating system kernels?
Galactic Emperor Executive Order #1 by ThatsNotPudding · 2013-05-08 05:21 · Score: 1

No infrastructure or military systems whatsoever on the pulic Internet, period.

Punishment: Vivisection.