Forgot your password?
typodupeerror
Security

Cylance Hacks Google Office Building Management System 46

Posted by Unknown Lamer
from the ghost-in-the-machine dept.
Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."
This discussion has been archived. No new comments can be posted.

Cylance Hacks Google Office Building Management System

Comments Filter:
  • Better short your stock now, kids, one of Google's competitors just 'indexed the internet of things' right in Google's office before Google did.

    Tut, tut, Sergei, falling behind in the race to make the world's information accessible. I'm ashamed of you.

  • Why??? (Score:2, Funny)

    by Anonymous Coward

    Why is a build management tool doing exposed in the internet?

    Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

    • Can't WFH without remote access.
    • Re:Why??? (Score:5, Funny)

      by fuzzyfuzzyfungus (1223518) on Wednesday May 08, 2013 @10:27AM (#43664851) Journal

      Why is a build management tool doing exposed in the internet?

      Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

      No sweat, man, the client-side javacript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.

    • by Ioldanach (88584)

      Why is a build management tool doing exposed in the internet?

      What's the point of building automation if you have to be in the building to use it?

      • by rvw (755107)

        Why is a build management tool doing exposed in the internet?

        What's the point of building automation if you have to be in the building to use it?

        Automation of course!

      • by SrLnclt (870345)
        Exactly. Building operators are not on site 24/7. You get an automated email/text message when a boiler is in alarm or a chiller goes down. Pull up the controls system from any browser on your PC or phone, use your login/password and see what is going on. You may even be able to fix the issue remotely. No need to run across campus when you get a phone call or come in at 3AM if all a piece of equipment needs is the reset button.
        • by h4rr4r (612664)

          So VPN is not something you have ever heard of?
          Or modems?

          There is no need for these systems to be connected directly to the internet.

      • You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.
        • by Ioldanach (88584)

          You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.

          If I can get to something through an internet based connection to a VPN, it is exposed to the internet. It has an added layer of security, yes, but it is still exposed.

          • No. It isn't. Please learn basic computer security and terms. It is ONLY exposed to the VPN. If you don't hack into their internal network (i.e. VPN) it doesn't show on a port scan nor can you get to it.
      • by h4rr4r (612664)

        No one said that.
        Building automation is not going to need a lot of bandwidth. A modem would work fine and not expose it to the internet at large. Make the password very long and change the number frequently.

      • I've got an uncle that runs one of these systems and the control portion of it doesn't have external access. The point of it is, he knows the status of every fan, vent, boiler, furnace, air conditioner in the building. In the past he'd have to wait until someone complained it was too cold somewhere... walk around till he felt a cold spot... put flow meters over vents in the area... look at diagrams to find which systems feed that area... start testing motors and condensers...

        Now... and little red light goes

    • Re:Why??? (Score:4, Interesting)

      by Doug Otto (2821601) on Wednesday May 08, 2013 @10:49AM (#43665037)

      Because that's it's main selling point.

      The Niagara Framework® is a software platform that integrates diverse systems and devices regardless of manufacturer, or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.

      • by schitso (2541028)
        "Over the Internet" doesn't have to mean "over an unencrypted direct HTTP connection to an Internet-facing device". It should have been behind a VPN if outside access was needed.
    • by ewieling (90662)
      This stuff will continue to be exposed to the internet and not secured until the cost of securing it is less than the cost to leave it unsecured. Likely this will happen when there are widespread nasty attacks against exposed systems which cause significant real world problems.
    • by HiThere (15173)

      Already happened. I think it was in Illinois, and about a decade ago, perhaps a bit less. The only reason it was notices is that a virus got in and started messing with things.

      What seems to have happened is that the reactor wasn't on the internet, but it was on a LAN, and something else on the LAN got on the internet, and the virus knew how to make the traversal. Whoops!

      I presume that it was cleaned up quickly, but there I only noticed the one public news story, in the midst of lots of other things being

  • by Anonymous Coward

    Since a security firm conducted this, they'll get off with thanks - or at worst a bit of bluster +/- a suit from Tridium which will go nowhere.

    If you or I did this, however, and similarly published the results? All of the books would be thrown at us, CFAA, federal prosecutors, and probably that same suit from Tridium, except we couldn't deal with it.

    A two-tier justice system is no justice system. We need equal treatment under the rule of law. Either corporations need to be similarly prosecuted, or the laws

    • Right in the First fucking line of the Summary that you didn't comprehend

      "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia

      so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure

      • Right in the First fucking line of the Summary that you didn't comprehend

        "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia

        so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure

        One other thing to point out: the reason that a security firm doesn't get the book thrown at them but individuals do, is that security firms have policies and procedures in place for how they conduct themselves; they notify the appropriate people and perform due process. Most individuals who try a stunt like this aren't even aware of all the protocol and disclosure hoops they should be jumping through -- and so when they make a mistake (which is almost inevitable, doing something by yourself, unless you're

  • by Anonymous Coward

    Here is the actual advisory for the vulnerabilities they exploited:

    http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01

    While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google ow

    • Re:Irresponsible (Score:5, Interesting)

      by tlhIngan (30335) <slashdot@wSLACKWAREorf.net minus distro> on Wednesday May 08, 2013 @11:21AM (#43665331)

      While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.

      Then again, by compromising the devices, they could launch an attack behind the firewall. After all, there's a difference between read-only access (there was that company saying ADS-B was vulnerable then posting about internet-accessible AIS (marine Automatic Identification System) data saying they could find the location of any ship on the internet - including Navy and Coast Guard. Duh, that's what AIS is for! And it's not like it can't be turned off if operationally necessary), and full read-write access.

      Read only access is a lot less scary (big whoop, it's 21 C in the office today, versus 20 yesterday, and the fan on duct #132 is acting up), than read-write (oh, it's a hot day in Sydney, I'm sure Google would love if it I could set this office to 15C and this one to 35C, turn the fan above the meeting room to max).

      Sometimes you have to break in to figure out if you have full access or just limited access - because the limited access may be neat, but not useful at all (like AIS data - it's not terribly useful when it's hooked to an AIS receiver).

      Also, some of these vulnerabilities may not be terribly important to Google - because Google properly firewalled it off. Or maybe it is because it's behind the firewall. You can bet a lot of other building automation systems may not have the internet savvy that Google has. Or maybe a misconfiguration in Google's network or someone's PC could serve as a launch point.

  • Serious (Score:5, Funny)

    by empties (2827183) on Wednesday May 08, 2013 @10:42AM (#43664961)
    You might think stopping elevators or turning off server-room cooling would be the most dangerous hacks, but the real nightmare: Every coffee is decaf!
    • Re:Serious (Score:4, Informative)

      by 93 Escort Wagon (326346) on Wednesday May 08, 2013 @10:46AM (#43665011)

      No way - not even 4chan could be that cruel.

    • by Jesus_666 (702802)
      Sounds like a typical Shadowrun plot.

      Step 1: The decker enters the building network and switches all coffee makers to decaf.
      Step 2: Everyone in the building falls asleep. The security deckers are the first to go.
      Step 3: The team enters unimpeded. No alarms are tripped and the run is going smoothly.
      Step 4: The street sam decides that now would be a good time to settle an old score using an unsilenced SMG loaded with EX-explosive ammo. In front of a street-level window facing a busy street.
      Step 5: One f
    • IANAL, but I think that falls under manslaughter.

  • by moeinvt (851793)

    For a second, I thought it started out with

    "Industrial mind control researchers" :-O

  • by dubbayu_d_40 (622643) on Wednesday May 08, 2013 @11:23AM (#43665339)

    They can only get the configuration file if they already have access. The contractor left the passwords at the default.

  • Within institution's, who's problem is this to fix?

    Obviously, this is the developer's (and PM's) fault. They're horrible at their jobs and write lazy, insecure software.

    But this is probably going to fall on the shoulders of Google's in-house IT department to get resolved (likely by pushing at Niagara's support channel). Meanwhile, the IT department is also answerable to and for everyone else's snafus in-house in most organizations.

    Developers - as individuals and departments - really need to pull their shit

  • That picture shows how much Google employees enjoy intimate closeness. Your are two feet from your coworker with no divider so you can enjoy all the sounds, sights and smells that make every work day a party.
  • 3rd party systems / out side management. How much does Google do with that side of stuff?

  • Wouldn't it be less ambiguous to say they cracked the system instead of hacked it? When will we show our respect to the guys who call themselves hackers [nytimes.com] for creating free operating system kernels [wikipedia.org]?
  • No infrastructure or military systems whatsoever on the pulic Internet, period.

    Punishment: Vivisection.

"Consequences, Schmonsequences, as long as I'm rich." -- "Ali Baba Bunny" [1957, Chuck Jones]

Working...