Cylance Hacks Google Office Building Management System

Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."

Re:Why???

[Doug Otto]

Because that's it's main selling point.

The Niagara Framework® is a software platform that integrates diverse systems and devices regardless of manufacturer, or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.

Re:Irresponsible

[tlhIngan]

While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.

Then again, by compromising the devices, they could launch an attack behind the firewall. After all, there's a difference between read-only access (there was that company saying ADS-B was vulnerable then posting about internet-accessible AIS (marine Automatic Identification System) data saying they could find the location of any ship on the internet - including Navy and Coast Guard. Duh, that's what AIS is for! And it's not like it can't be turned off if operationally necessary), and full read-write access.

Read only access is a lot less scary (big whoop, it's 21 C in the office today, versus 20 yesterday, and the fan on duct #132 is acting up), than read-write (oh, it's a hot day in Sydney, I'm sure Google would love if it I could set this office to 15C and this one to 35C, turn the fan above the meeting room to max).

Sometimes you have to break in to figure out if you have full access or just limited access - because the limited access may be neat, but not useful at all (like AIS data - it's not terribly useful when it's hooked to an AIS receiver).

Also, some of these vulnerabilities may not be terribly important to Google - because Google properly firewalled it off. Or maybe it is because it's behind the firewall. You can bet a lot of other building automation systems may not have the internet savvy that Google has. Or maybe a misconfiguration in Google's network or someone's PC could serve as a launch point.