IBM's X-Force team hacks into smart building
IBM's X-Force ethical hacking team recently ran a penetration test against a group of office buildings using building automation systems that controlled sensors and thermostats.
In this particular case, a building management company operated more than 20 buildings across the United States, as well as a central server.
Without any social engineering, or online data gathering about employees, the team targeted one building.
"We did it old-school, just probing the firewall, finding a couple of flaws in the firmware," said Chris Poulin, research strategist for IBM's X-Force. "Once we had access to that, we had access to the management system of one building."
There, they found a remote execution flaw that allowed them to execute commands and get into a password file that helped them get into the building management system and a configuration file that pointed to the management company's central server, the final objective.
There, the X-Force team hit the only major obstacle -- even with the stolen login credentials and the configuration file pointing to the central server, they could not log in.
"It didn't not allow us to connect via the Internet from our address space," Poulin said. "There was white listing."
The building's location was not particularly far, however, so they simply drove over to the building and set up shop in the parking lot. Now they used the access they had already gained to the building's network.
"We connected to their wireless gateway and got an address that did allow us to connect to the central building management system," Poulin said.
That, in turn, gave them access to all the buildings that this company managed.
They could have done some serious damage, he said.
For example, the first building, in addition to housing offices, also had a data center.
"We had access to the environment controls for the data center," Poulin said. "We could have actually turned the heat up, turned off the air conditioning, potentially taking down all the servers. If you put on your evil hat, there are lots of ways to do bad things."
In the case of this particular set of buildings, IBM worked with the equipment vendors to address the security issues the team found, and with the building automation company to fix the configuration errors.
On a broader scale, however, the problem is actually getting worse.
For example, more and more companies are integrating their building automation systems with the rest of their IT infrastructure, Poulin said, opening up even more opportunities for attackers who are able to break into the building automation systems.
Meanwhile, according to Gartner, more than 206 million connected devices are already being used in commercial smart buildings, and this is expected to grow to 648 million devices by 2017.
Each of these devices creates the opportunity for configuration mistakes and unpatched vulnerabilities.
Companies need to start acting proactively. Whether they run their own buildings and outsource these systems to outside vendors, or rent managed office space, they need to pay attention whenever the contracts come up for renewal.
"Your leverage is the contract negotiation," Poulin said. "Ensure some of the big things, such as that the building automation system is not directly connected to the Internet. Virtual private network access should be fine -- at least then you're forcing them to have some kind of credentialed access. Or at the bare minimum enforce two-factor authentication."
The second issue is to ask for regular security audits or penetration tests.
"In the contract, you can build in a right to audit, or to look at the results of the pen test or security assessment," he said.
There should also be some built-in flexibility in case something unexpected happens, or a particular event occurs that can trigger a renegotiation.