Industrial-control-minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google’s Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to take complete control of the device in question.
This vulnerability in Tridium’s Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that “there are over 245,000 instances of the Niagara Framework deployed worldwide.” Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet.
In Tridium’s words, Niagara “is a software platform that integrates diverse systems and devices regardless of manufacturer or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.” In other words, the framework acts as a hub between disparate devices using seemingly incompatible communication protocols, controlling various aspects of office management. Cylance’s Billy Rios described Tridium Niagara via email as a general-purpose ICS and building management device.
In this case, Cylance researchers claimed to find that the vulnerable device had access to Google’s HVAC systems, alarm panel, and a variety of other building management features. A root exploit of this kind could potentially give attackers the ability to manipulate heating systems, turn off alarms, and maybe even unlock locked doors and perform other nefarious deeds, though this would ultimately depend upon the specific device configurations.
Rios told Threatpost that Google’s specific Tridium device was configured primarily to control HVAC systems on Google’s campus. However, organizations custom build their own interfaces to control a wide range of attached devices. Rios claimed that the same devices have been implemented by other companies to manage energy, lighting, fire, security, intrusion, elevator and access controls.
Cylance has been aware of this vulnerability for six months. As part of a larger project designed to uncover vulnerable, Internet-facing industrial control systems, Cylance researchers performed a scan looking for vulnerable Tridium Niagara devices. Their collective interests were thoroughly piqued when it turned out that Google had one such vulnerable device installed in their Wharf 7 offices in Sydney.
Upon further investigation, Cylance’s researchers determined that the embedded device was running a slightly outdated version of the platform software on the Unix-like QNX operating system. Using some of the information that the researchers already knew about the device, they built a custom exploit and managed to extract the device’s highly sensitive config.bog file, which reportedly contains usernames and passwords for all of the device’s users. Of course, once an attacker has an admin’s username and password combination, the attacker can effectively take control of that device at whim.
Cylance researchers poked around a bit and saw that the device had access to Google’s HVAC systems and a variety of other building management features. They could have, but ultimately did not, root the device for full system access.
Cylance reported the issue as part of Google’s Vulnerability Rewards Program, but the disclosure did not qualify for VRP reward money. Google has since pulled the system offline, according to the report.
Image of Google offices, Sydney, Australia via Br3nda’s Flickr photostream, Creative Commons