Researchers uncover new vulnerability in Niagara building control systems

on Feb 12, 13 • by Chris Bubinas • with 1 Comment

Two security researchers have found a new vulnerability in a software tool used to control heating and air conditioning systems, building electric and lighting grids, security and surveillance systems, electronic doors and other critical functions in hospitals, offices, government buildings and other facilities. Billy Rios and Terry McCorkle, researchers with CyLance who focus on the software security of the popular Tridium Niagara AX Framework and other industrial control systems, demonstrated a zero-day exploit during the recent Kaspersky Security Analyst Summit.

Rios and McCorkle have previously warned of security risks in Niagara, a control system linked to more than 11 million devices and machines in 52 countries and deployed in high-profile buildings such as Singapore’s Changi Airport and a federal government office in Chicago. In July 2012, The Washington Post reported on their discovery of a backdoor vulnerability in the software and warned that security issues might be inevitable in an increasingly connected control environment. In December, the FBI released a memo noting that a New Jersey company’s Niagara-controlled heating and air conditioning system had been hacked.

Tridium released a patch addressing the directory traversal exploit Rios and McCorkle had found last year, but the researchers’ latest discovery presents a new vector for attack. While they declined to release the full details of the exploit for security reasons, the latest attack targets a remote, pre-authenticated vulnerability that can be combined with a privilege escalation bug to get root on the system platform, Wired reported. An attacker can access Tridium’s SoftJACE system – the Windows system that runs the Java virtual machine responsible for handling the Tridium client – and all of the company’s embedded software.

“The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios said, according to Wired. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack].”

Protecting the Niagara AX system
For many Niagara AX deployments, such vulnerabilities present only a minor threat, as the systems are designed to be kept on virtual private networks (VPNs) and behind firewalls. However, Tridium’s own marketing materials tout the product’s capability to be managed remotely over the internet, and systems are configured to run this way by default, Engineering and Technology Magazine noted. Using the Shodan search engine, Rios and McCorkle found around 21,000 Tridium systems that were visible over the internet, and they have verified that many are actual Niagara units, Wired reported.

“If somebody wanted to, it’s easily exploitable,” McCorkle said, according to the publication.

Many customers do not realize their systems are exposed because the technology was set up by outside contractors and because building operators may not ever use the remote management options, Engineering and Technology Magazine noted. The publication added that building control software and equipment systems often stay in place for decades, frequently undergoing only sporadic patch updates. Tridium said it plans to release a patch for this current problem in the coming days, with updates for customers using older versions of the software scheduled to arrive soon as well.

“We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today,” spokesman Mark Hamel said. “The vast majority of Niagara AX systems are behind firewalls and VPNs – as we recommend – but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.”

Addressing the risk of vulnerabilities such as those that have cropped up in the Niagara AX control system requires a proactive approach that protects end users whose patching habits are sporadic. By adopting more secure development processes that make use of tools such as source code analysis, vendors can strengthen their products’ software security.

Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.

One Response to Researchers uncover new vulnerability in Niagara building control systems

  1. Fred Gordy says:

    A lot of attention has been given to Niagara AX and the vulnerabilities, but what seems to be overlooked time and again is that there are some very simple security measures that are not being used. The articles a few months ago that cited an HVAC Niagara AX system that was hacked either didn’t mention, or skirted, the fact that the Niagara AX system was completely exposed to the Internet using a public IP. This is not a vendor issue. Plainly stated, this is poor installation and bad security practices by a system integrator. This is not to say that vendors should be let off the hook, but system integrators have to step up and do their part.

    I changed my career path and moved from IT to control system integration in 2001. At that time, control systems were just beginning to be connected to the web. In most cases the systems were set up either on the LAN of a company or on a closed network that only had control system equipment on it, with no remote access. The general consensus was that either nobody would want to hack a control system or, because of network protocols such as Modbus, BACnet, or LON, nobody would be able to figure out how to “talk” to the system.

    Buildings came online and people saw the benefit of being able to access their buildings remotely. System integrators had to learn how to set up systems to be accessed via the web, and in most cases the minimal amount, if any, was applied to the system. This is not an indictment of system integrators. We did what we had to do to meet customer expectations. What we didn’t do was take a hard look at where control systems could go and what steps were needed to protect the systems.

    Why are control systems under attack? As a system integrator, I can see the attraction. I enjoy seeing buildings, data centers, etc. come to life. This stuff does stuff, meaning it is fun for some hackers to see what they can do: turn off lights, turn something off that is on, turn something on that is off. Of course, the other hacker type wants to do real damage: shut down a power grid, stop water flow, kill systems, etc.

    At the very least, any control system, not just Niagara AX, needs to be behind a firewall, and if it needs to be accessed remotely, use a credentialed, encrypted client. This is basic, common practice for any IT solution. You do not pull a server out of the box, rack it, and hang it out on the web. You follow security measures to keep it as safe as possible. Microsoft is not to blame if you do not take basic security measures.

    I have worked with Terry McCorkle evaluating our system. Terry and his team are very knowledgeable and professional, and he calls it as he sees it, which I appreciate. The “firestorm” of criticism that Niagara AX and other control systems have gotten is not the result of Terry McCorkle and Billy Rios’s studies/evaluations. It is being propagated by not focusing on the whole picture and focusing mainly on the vendor, because this makes good copy. Responsibility falls on us, system integrators, as well.

    I am all for testing vendor software for vulnerabilities, but what needs to happen is that when vulnerabilities are identified, we, system integrators, need to do our part to “plug” up the holes. We need to work with the vendors and IT. We need to expand our skill set to include IT security practices.

    Fred Gordy
    Technology Evangelist
    fred.gordy@mckenneys.com