Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cylance Hacks Google Office Building Management System

Posted by Unknown on from the ghost-in-the-machine dept.

Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."

13 of 46 comments (clear)

  1. Why??? by Anonymous Coward · · Score: 2, Funny

    Why is a build management tool doing exposed in the internet?

    Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

    1. Re:Why??? by Gunkerty+Jeb · · Score: 2

      Can't WFH without remote access.

    2. Re:Why??? by fuzzyfuzzyfungus · · Score: 4, Funny

      Why is a build management tool doing exposed in the internet?

      Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

      No sweat, man, the client-side javacript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.

    3. Re:Why??? by Ioldanach · · Score: 2

      Why is a build management tool doing exposed in the internet?

      What's the point of building automation if you have to be in the building to use it?

    4. Re:Why??? by DougOtto · · Score: 4, Interesting

      Because that's it's main selling point.

      The Niagara Framework® is a software platform that integrates diverse systems and devices regardless of manufacturer, or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.

      --
      Solving Unix problems since 1989...
    5. Re:Why??? by h4rr4r · · Score: 2

      So VPN is not something you have ever heard of?
      Or modems?

      There is no need for these systems to be connected directly to the internet.

    6. Re:Why??? by MickyTheIdiot · · Score: 3, Insightful

      Fat, Pinhead Manager comments on IT Security recommendation:
      "Why should we worry about THAT? We've never had those problems in the past. Besides, I don't quite understand what it is, so it must be a waste of money. No VPN!"

      Fat, Pinhead Manager post-break security incident:
      "Why didn't IT protect our vital infrastructure?"

      Selective memory and buck passing makes like in this century wonderful

  2. Serious by empties · · Score: 5, Funny

    You might think stopping elevators or turning off server-room cooling would be the most dangerous hacks, but the real nightmare: Every coffee is decaf!

    1. Re:Serious by 93+Escort+Wagon · · Score: 3, Informative

      No way - not even 4chan could be that cruel.

      --
      #DeleteChrome
  3. No by telchine · · Score: 2

    (n/t)

    1. Re:No by ColdWetDog · · Score: 4, Funny

      But I'll bet they've got a bunch of idiots standing around enormous, complex displays muttering nonsensical 'hacker' terms.

      At least that part of the movie was real, right?

      --
      Faster! Faster! Faster would be better!
  4. Re:Irresponsible by tlhIngan · · Score: 5, Interesting

    While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.

    Then again, by compromising the devices, they could launch an attack behind the firewall. After all, there's a difference between read-only access (there was that company saying ADS-B was vulnerable then posting about internet-accessible AIS (marine Automatic Identification System) data saying they could find the location of any ship on the internet - including Navy and Coast Guard. Duh, that's what AIS is for! And it's not like it can't be turned off if operationally necessary), and full read-write access.

    Read only access is a lot less scary (big whoop, it's 21 C in the office today, versus 20 yesterday, and the fan on duct #132 is acting up), than read-write (oh, it's a hot day in Sydney, I'm sure Google would love if it I could set this office to 15C and this one to 35C, turn the fan above the meeting room to max).

    Sometimes you have to break in to figure out if you have full access or just limited access - because the limited access may be neat, but not useful at all (like AIS data - it's not terribly useful when it's hooked to an AIS receiver).

    Also, some of these vulnerabilities may not be terribly important to Google - because Google properly firewalled it off. Or maybe it is because it's behind the firewall. You can bet a lot of other building automation systems may not have the internet savvy that Google has. Or maybe a misconfiguration in Google's network or someone's PC could serve as a launch point.

  5. It's a people problem by dubbayu_d_40 · · Score: 5, Informative

    They can only get the configuration file if they already have access. The contractor left the passwords at the default.