First, the IBM team managed to find an exposed wireless D-Link router that had been installed to provide remote access to the building. Once at the router, the team used URL manipulation and path traversal to access local resources on the router. This enabled the team to find the router password.
Once on the network, the team located a device using an Nmap scan and found an open administration port. The credentials to log in to the device matched the credentials for the compromised router. Once logged into the device, the IBM team was able to download and reverse engineer a Java library file that held the credentials for the BAS server. From there they were able to break the weak encryption and get the main password for the BAS server. I am assuming they used a brute force attack and that the password was simply an MD5 or SHA-1 hash.
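The first step in the chain above was path traversal against the router's web interface. The following is an added example, not code from the original post or from IBM, showing how a defender could spot those requests in ordinary access logs: it decodes percent-encoding (including double-encoding) before checking for `..` segments, because a naive string match on the raw URL misses encoded forms. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2016:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 1042
203.0.113.5 - - [10/Feb/2016:08:01:09 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 200 531
203.0.113.5 - - [10/Feb/2016:08:01:15 +0000] "GET /images/%2e%2e/%2e%2e/config.bin HTTP/1.1" 200 8192
203.0.113.5 - - [10/Feb/2016:08:01:20 +0000] "GET /css/%252e%252e/%252e%252e/admin.conf HTTP/1.1" 404 210
198.51.100.7 - - [10/Feb/2016:08:02:00 +0000] "GET /status.cgi?page=main HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators too; some embedded web servers accept them.
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """Flag a request when any segment of the decoded path (query string excluded) is '..'."""
    path_only = path.split("?", 1)[0]
    return any(segment == ".." for segment in path_only.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one dict per suspicious request: source IP, decoded path and HTTP status.

    A 200 status on a flagged request is the alarming case: the device served the file.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize_path(m["path"])
        if is_traversal(decoded):
            hits.append({"ip": m["ip"], "path": decoded, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```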
While the system in this story is built on a Java framework, this example of how to reverse engineer .NET libraries still lays out the basic approach.
What was learned, what could be done to prevent this, and why do I think it was a Tridium system?
What was Learned from the Hack?
Well, first off: if you are going to remotely access your Building Automation System, use a secure method. In a perfect world we would have Next Generation Intrusion Prevention Systems (NGIPS), all of our systems would be patched, and we would be using military-grade VPNs with strict password policies. However, does the average building require this level of security? Well, yes and no.
If your building is truly stand-alone (meaning it is not connected to a larger system) and the systems within your building are not critical (meaning your building doesn't contain anything that will cost you millions to replace), then in all honesty security is an afterthought. You'd be better off spending your dollars on nice furnishings to draw in and retain tenants.
Enough of my segue. What was learned? We learned a couple of key points:
- There is a market for Cyber Security Consulting related to building systems
- Organizations still struggle with Patch management of non-traditional IT systems
- Hackers are realizing that most Building Systems are soft targets
- The first company to figure out how to market the security of their system will find themselves at a great advantage but will also have a target on their back
- The area of research focused on Building Systems vulnerabilities is still very new
What Could be Done to Prevent This?
So what could have been done to prevent this?
- Patch your IT systems: I doubt this D-Link router vulnerability was a zero-day exploit (zero-day means the vulnerability was previously unknown and no patch was available).
- Use VPNs: Look, there are VPNs out there that are free. Having a poorly designed free VPN is better than having no VPN.
- Don't reuse passwords across systems: Just don't. If you're really that lazy, get a password manager.
- Patch your building automation systems: I'm pretty sure that IBM utilized CVE-2012-4701, which Tridium has patched, by the way. And if patching and upgrades are too expensive for you, use the contracting tier to your advantage. If you include five years of upgrades and patches in the scope of the project, then you can get multiple vendors bidding on the project and one of them will probably give you the upgrades for free to win your business.
Why do I think it was a Tridium System?
Well, this one is easy. There is only one platform that uses the term "Stations" to describe supervisory controllers within its architecture, and that is... Tridium. Now, which brand of Tridium? We aren't sure. What version of Tridium? Most likely version 3.7 or earlier, per the CVE write-up.
So if you own a Tridium system, it has become clear once again that you need to patch your system. This isn't a dig on Tridium; many systems have vulnerabilities. This just shows how important it is for IT to be involved in the selection, installation, and support of all systems across the enterprise.
How do you keep your systems secure? Join the discussion below!