A handful of worrisome vulnerabilities in Honeywell building automation system software disclosed last week are case in point of how far the industry continues to lag in securing SCADA and industrial control systems.
Honeywell published in September new firmware that patches vulnerabilities privately disclosed by researcher Maxim Rupp in its XL Web II controllers. The flaws could give an attacker the ability to access relatively unprotected credentials and use those to manipulate, for example, environmental controls inside a building. While these aren’t critical infrastructure systems such as wastewater, energy or manufacturing, building automation system hacks can be expensive to remedy, and in a worst-case scenario, afford an attacker the ability to pivot to a corporate network.
Experts told Threatpost that building automation systems can be used to remotely manage heating, air conditioning, water, lighting and door security, and help reduce building operations costs. They’re also popping up as more and more buildings go green; such systems, for example, are crucial to Leadership in Energy and Environmental Design (LEED) certification from the United States Green Building Council.
“The main risk from this is a super simple method of accessing building system HMIs, whether for mischief or maybe even ransom. Controllers like this provide an easy interface to operating the entire building system, no additional programming knowledge or protocol expertise required,” said Michael Toecker of Context Information Security. “This operating interface has limitations. Unless very poorly designed, a user can’t damage equipment from the HMI, but they can make the building inhospitable, inefficient, and expensive to fix.”
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an advisory last Thursday warning of five vulnerabilities in the Honeywell XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Four of the five are authentication-related flaws, the most serious of which involved passwords either stored in clear text or reachable by accessing a particular URL. A user with low privileges could also open and change parameters via a URL, ICS-CERT said. Honeywell also patched a session fixation vulnerability allowing an attacker to establish new users sessions without invalidating prior sessions, giving them access to authenticated sessions. It also patched a path traversal bug that allowed attackers to carry out directory traversal attacks via a URL.
All of the vulnerabilities may be attacked remotely, though no public attacks are known.
“Building automation systems are much more likely to be on the corporate network, we see them there more often than not, as compared to a DCS in a factory, water treatment ICS, pipeline SCADA, etc,” said Dale Peterson of Digital Bond. “So a vulnerability like this is much more susceptible to be integrated into toolkits that automate attacks on the corporate network.”
Hardcoded credentials and easily guessable or accessible passwords, meanwhile, are a lingering woe in industrial systems and connected devices overall. The consequences of poor basic security such as the continued use of default passwords played out in the Dyn attack of last fall. With SCADA systems such as the Honeywell gear, attackers could theoretically jump from a building automation system to a corporate network, or simply fiddle with configurations causing systems to run improperly or fail outright.
“There are two scenarios I can think of for causing harm: one would be running AC in the winter, damaging the AC compressor. This is hard actually, since most compressors have a totally separate temperature sensor and will refuse to run if it’s too cold outside. The other would be raising temperature in specific areas, such as unmanned server rooms (servers hate it when it’s hot),” said K. Reid Wightman founder of RevICS Security. “Hopefully this will be noticed, but if it’s some remote data center it might be hard or expensive to send someone out to fix it.”