Hackers exploited a backdoor in the heating and air-conditioning system of a New Jersey-based company, according to a memo released by the FBI. The attack, which targeted a vulnerability in older versions of the Niagara AX Framework, comes in the wake of warnings about the security of industrial control systems more broadly.
The Niagara control box was directly connected to the internet without a firewall, and the backdoor exploit allowed attackers direct access to a graphical user interface (GUI) that provided an office floor plan labeled with control settings and, in some cases, employee names, Ars Technica reported. The attack has elicited concern among software security experts because of the prevalence of the Niagara system across the world.
A widespread vulnerability
The Niagara AX Framework is used to remotely control a wide range of building automation processes for fire detection, security, air conditioning and more. A July Washington Post article highlighting security researchers Billy Rios’ and Terry McCorkle’s discovery of the backdoor vulnerability noted that Niagara controls are linked to at least 11 million devices and machines in 52 countries. The 4 million-line piece of software enables industrial and commercial facility managers, as well as homeowners, to track a range of systems. The Niagara Framework is used to manage 110,000 sensors in Singapore’s Changi Airport, facilities in 575 Wawa convenience stores across the U.S. and heating and lighting for a number of federal government offices.
A large number of Niagara-driven networks are connected directly to the internet, requiring only a username and password for access. According to Ars Technica, a search using the Shodan computer search engine turned up more than 20,000 systems – including 16,000 in the U.S. – that are accessible via the internet. Rios, the researcher profiled by the Washington Post, found a flaw that gave attackers the ability to perform a directory traversal attack and download a configuration file containing usernames, hashed passwords and other sensitive data.
“Once the passwords are decrypted, you can simply log in to the Niagara Framework as any user you desire,” Rios told the Post.
Ars Technica reported that, while manufacturer Tridium released a patch for the recent versions 3.5 and 3.6 of Niagara earlier this year, many of the systems found in the Shodan search are running earlier versions that remain unpatched. Users are advised to take security into account during the configuration process and institute measures such as using a virtual private network (VPN) rather than connecting systems directly to the internet, the Post noted. However, incidents such as the New Jersey attack may also provide incentive for developers to strengthen software security in the coding process through the use of tools such as source code analysis.
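The directory traversal described above leaves a recognisable trace in a building controller's web access log, and reviewing that log is one of the cheaper checks an operator can add alongside the VPN and firewall advice. The following is an added example, not code from the article or from Tridium: it flags requests whose path still contains a `..` segment after percent-encoding (including double encoding) is stripped, and marks a 200 response to such a request as a likely successful file download. The log format, IP addresses and the file name `placeholder-config.xml` are constructed placeholders, not real Niagara endpoints.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log format (assumed, not Niagara's own);
# the sample lines below use placeholder IPs and a placeholder file name.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(raw: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding and unify backslashes."""
    s = raw
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/")

def is_traversal_attempt(raw_path: str) -> bool:
    """True if any path segment is exactly '..' once encoding layers are stripped."""
    return any(seg == ".." for seg in decode_path(raw_path).split("/"))

def scan_log(lines):
    """Return (ip, raw_path, status, severity) for each traversal request.
    A 200 status on a traversal request means the server most likely served
    the file, which is the config-file download case the article describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            severity = "success" if m["status"] == "200" else "attempt"
            hits.append((m["ip"], m["path"], m["status"], severity))
    return hits

# Constructed sample log lines (hypothetical traffic, placeholder file name).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2012:08:01:12 +0000] "GET /ord?station HTTP/1.1" 200',
    '203.0.113.9 - - [10/Dec/2012:08:02:40 +0000] "GET /static/../../placeholder-config.xml HTTP/1.1" 200',
    '203.0.113.9 - - [10/Dec/2012:08:02:41 +0000] "GET /static/%2e%2e/%2e%2e/placeholder-config.xml HTTP/1.1" 404',
    '203.0.113.9 - - [10/Dec/2012:08:02:42 +0000] "GET /static/%252e%252e%252fplaceholder-config.xml HTTP/1.1" 403',
    '198.51.100.2 - - [10/Dec/2012:08:03:00 +0000] "GET /login HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Requests from a single source that alternate encodings against the same file, as in the sample, are worth treating as one incident rather than three separate alerts.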
The New Jersey attack joins an incident at a Texas hospital as the second documented instance of a commercial control system breach in the wild, Ars Technica noted. It also arrives on the heels of several reports of increased supervisory control and data acquisition (SCADA) system vulnerabilities.
“These things keep popping up,” Rios told Ars Technica. “It’s not going away. It’s getting worse.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.