Team of ‘ethical hackers’ shows controls easily compromised, risking HVAC shutdowns
Cybersecurity experts have revealed that poor BMS installation continues to leave the systems vulnerable to hacking. This, say the ’ethical hackers’ risks the scare scenario of an attacker taking control of systems to cause disruption, to trigger fire alarms, to open or shut doors and potentially get on to the IT network itself in vulnerable buildings such as government or military sites. Beyond the security risk, such hacking could simply shut off the heating in any number of buildings controlled by BMS.
The team from security consultancy Pen Test Partners warned BMS manufacturers that they must educate their installers and put them through stiffer accreditation and audit processes. The firm said: ”It simply shouldn’t be possible to install these devices in customer buildings this insecurely.”
Pen consultant Ken Munro hacked into a range of building controllers and found that few had been configured correctly, with many being openly detectable over the public internet, via the Internet of Things search website Shodan. In some cases this would allow an attacker to completely bypass the log-on mechanism to access the device, the firm said, while some of the controllers already contained malware.
Mr Munro found that while some of the hardware had been improved, large numbers were discoverable on the public internet, unprotected, with complete authentication bypasses in some cases.
He said: ”We found them in military bases, schools, government buildings, businesses and large retailers among many, making the organisations ripe for compromise.
He added that the fault was largely laid at the installers’ door: ”Most of these issues have been caused by HVAC & BMS installers, rather than the vendor. The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though.”
The manufacturer of the controller in the investigation, Trend Controls, offers security advice for installers, emphasising that the devices should be on isolated subnets and never exposed to the internet. However, the advice appears to be routinely overlooked by the installers, since Mr Munro’s initial search found a list of over 1000 controllers on the internet. In many cases the installers had used the name of the facility on the databases, making them easily identifiable.
In addition to the threat via the internet, the controllers are vulnerable to local hacking, since they are often isolated in plant rooms, the consultancy said:
Security can easily be breached by adding a guest user, where the installer hasn’t set this up, Mr Munro added.
Mr Munro issued a warning to building owners, based on the findings. He said: ”Building management systems are often installed by electricians and HVAC engineers who simply don’t understand security. Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. Whilst you’re there, ask about your door controllers and your IP alarm systems. BMS suppliers need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible.”
More details on the hacking findings can be found at Pen Test’s site.