Malware Built to Hack Building Automation Systems
January 17 2019S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.
Security researcher Elisa Costante and her team at ForeScout last summer created the test malware, a modular design that includes a worm that spreads itself among BAS devices, using intelligence they gathered over the past three years while testing popular BAS systems such as protocol gateways and PLCs for HVACS and access control, for vulnerabilities. During that period, they uncovered ten security flaws, half of which were cross-site scripting (XSS) bugs in their associated Web application interfaces, as well as privilege escalation and buffer overflow vulnerabilities.
Costante shared the team’s research here at S4x19 this week.
While the affected BAS vendors – which ForeScout declined to reveal – since have patched the vulnerabilities, more than 11,000 of the affected devices today remain exposed on the public Internet to the buffer overflow flaw, mostly in schools and hospitals, due to poor patching processes or none at all, Costante says. Some had already quietly fixed the flaws in new versions of the devices.
“You still have a lot of [BAS] devices running on old firmware,” Costante said in an interview with Dark Reading. BAS devices and equipment don’t get updated or replaced regularly: some 60% of BAS products in place today are around 20 years old, she says.
Building systems are the oft-forgotten and increasingly network-connected piece of the security puzzle. They fall into a category of their own, and rarely are updated or vetted for security. BAS control systems manage and run physical operations of a building such as HVAC, elevators, physical access control, and video surveillance.
“A lot of times, building automation systems sit on the enterprise but IT has no access to them,” said Dale Peterson, CEO of Digital Bond and the head of the S4 ICS SCADA conference. “They’re not behind the firewall or [part of] ICS … and they’re not run by IT. It’s a little group doing their own thing.”
BAS SCADA systems often are older, and not typically considered part of the overall IT infrastructure, noted Eddie Habibi, CEO of ICS security vendor PAS. “Protecting them could be a lot easier” than an OT network, he said, but most BAS managers don’t even consider the cybersecurity of those systems. “It’s okay to do a ten-minute shutdown” for patching a BAS, he said. “You’re not running a refinery.”
Building Hacks
BAS hacking already is starting to become a thing: in a report published today on its BA system security findings and malware, ForeScout cited a 2016 ransomware attack on a hotel in Austria that targeted room locks, and a DDoS attack that hit heating systems in two apartment buildings in Finland. And among some of the juicier BAS targets are data centers, for example, where temperature fluctuations via a hacked HVAC could wreak havoc and ruin computers, ForeScout said.
Costante says her team’s goal was to create complex malware that couldn’t be traced by forensics. They decided to first target in the malware an Internet-facing IP camera, which then spread to a workstation that ultimately got them to their target, the PLC that controls the building automation process. “From the Windows workstation, we use the core part of the malware, the exploitation of the buffer overflow” vulnerability, she said.
The malware could be used to open a restricted phyisical access area to an attacker, such as a restricted area in an airport, she said.
ForeScout spent a total of $12,000 on the malware and equipment for the project, which Costante says demonstrates that BAS hacking doesn’t require heavily resourced nation-state backing, for example. And part of the goal of the research was to test what the vulnerability of BAS and possible attack scenarios.
“There was a lack of awareness on what you can do with buildings and how easy and exposed they are,” Costante said.
Meanwhile, some building management operations are starting to find cybersecurity religion. David Weinstein, vice president of threat research at Claroty, says his company is seeing major real estate firms inquiring about securing their properties’ building automation systems. “More CISOs are taking responsibility for OT and IoT,” he said, and that also brings BAS into the security equation.
Related Content:
- Hijacking a PLC Using its Own Network Features
- Triton/Trisis Attack Was More Widespread Than Publicly Known
- 7 Privacy Mistakes That Keep Security Pros on Their Toes
- 2019 Attacker Playbook
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio
Malware Built to Hack Building Automation Systems
January 17 2019S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.
Security researcher Elisa Costante and her team at ForeScout last summer created the test malware, a modular design that includes a worm that spreads itself among BAS devices, using intelligence they gathered over the past three years while testing popular BAS systems such as protocol gateways and PLCs for HVACS and access control, for vulnerabilities. During that period, they uncovered ten security flaws, half of which were cross-site scripting (XSS) bugs in their associated Web application interfaces, as well as privilege escalation and buffer overflow vulnerabilities.
Costante shared the team’s research here at S4x19 this week.
While the affected BAS vendors – which ForeScout declined to reveal – since have patched the vulnerabilities, more than 11,000 of the affected devices today remain exposed on the public Internet to the buffer overflow flaw, mostly in schools and hospitals, due to poor patching processes or none at all, Costante says. Some had already quietly fixed the flaws in new versions of the devices.
“You still have a lot of [BAS] devices running on old firmware,” Costante said in an interview with Dark Reading. BAS devices and equipment don’t get updated or replaced regularly: some 60% of BAS products in place today are around 20 years old, she says.
Building systems are the oft-forgotten and increasingly network-connected piece of the security puzzle. They fall into a category of their own, and rarely are updated or vetted for security. BAS control systems manage and run physical operations of a building such as HVAC, elevators, physical access control, and video surveillance.
“A lot of times, building automation systems sit on the enterprise but IT has no access to them,” said Dale Peterson, CEO of Digital Bond and the head of the S4 ICS SCADA conference. “They’re not behind the firewall or [part of] ICS … and they’re not run by IT. It’s a little group doing their own thing.”
BAS SCADA systems often are older, and not typically considered part of the overall IT infrastructure, noted Eddie Habibi, CEO of ICS security vendor PAS. “Protecting them could be a lot easier” than an OT network, he said, but most BAS managers don’t even consider the cybersecurity of those systems. “It’s okay to do a ten-minute shutdown” for patching a BAS, he said. “You’re not running a refinery.”
Building Hacks
BAS hacking already is starting to become a thing: in a report published today on its BA system security findings and malware, ForeScout cited a 2016 ransomware attack on a hotel in Austria that targeted room locks, and a DDoS attack that hit heating systems in two apartment buildings in Finland. And among some of the juicier BAS targets are data centers, for example, where temperature fluctuations via a hacked HVAC could wreak havoc and ruin computers, ForeScout said.
Costante says her team’s goal was to create complex malware that couldn’t be traced by forensics. They decided to first target in the malware an Internet-facing IP camera, which then spread to a workstation that ultimately got them to their target, the PLC that controls the building automation process. “From the Windows workstation, we use the core part of the malware, the exploitation of the buffer overflow” vulnerability, she said.
The malware could be used to open a restricted phyisical access area to an attacker, such as a restricted area in an airport, she said.
ForeScout spent a total of $12,000 on the malware and equipment for the project, which Costante says demonstrates that BAS hacking doesn’t require heavily resourced nation-state backing, for example. And part of the goal of the research was to test what the vulnerability of BAS and possible attack scenarios.
“There was a lack of awareness on what you can do with buildings and how easy and exposed they are,” Costante said.
Meanwhile, some building management operations are starting to find cybersecurity religion. David Weinstein, vice president of threat research at Claroty, says his company is seeing major real estate firms inquiring about securing their properties’ building automation systems. “More CISOs are taking responsibility for OT and IoT,” he said, and that also brings BAS into the security equation.
Related Content:
- Hijacking a PLC Using its Own Network Features
- Triton/Trisis Attack Was More Widespread Than Publicly Known
- 7 Privacy Mistakes That Keep Security Pros on Their Toes
- 2019 Attacker Playbook
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio
