Ethical hackers from IBM’s X-Force tested a smart buildings automation system and encountered numerous serious security issues. The researchers identified several security holes that provide hackers with a backdoor into corporate networks through the office’s climate control systems.
This recent discovery highlights the dangers of unsecure connected devices within the Internet of Things (IoT) and how they can lead to a data breach if not properly secured.
“We did it old-school, just probing the firewall, finding a couple of flaws in the firmware”, said Chris Poulin, research strategist for IBM’s X-Force. “Once we had access to that, we had access to the management system of one building”.
An increasing number of devices are being connecting to the Internet, not least those that control your building’s heating, lighting and air conditioning. According to Gartner, devices in smart homes and smart commercial buildings represented 45% of total active connected things in 2015.
IBM X-Force Ethical Hacking Team Lead Paul Ionescu suggests that little attention is being paid to IoT devices employed in smart or automated buildings simply because IoT devices fall outside the scope of traditional IT. A recent survey of building automation system (BAS) operators found that only 29% had taken action or were in the process of taking action to improve cyber security for their Internet connected systems.
Currently, most BAS work in a similar fashion. Each building has a BAS controller, responsible for managing each of the building’s “smart” features and for collecting and aggregating data from various sensors (humidity, temperature, light, etc.). This BAS controller connects to the Internet through local Wi-Fi spots and the building router, where, in some cases, it sends data to manufacturers or central company servers that gather information from different buildings across the country.
BAS Services from a whole range of sensors and devices from building energy controls to physical security products are gradually but inevitably morphing into a more comprehensive and fully automated Building Internet of Things (BIoT) solution, which we discuss at length in a Recent Report.
“We were surprised by the amount of very basic security errors that we found which allowed us to break into the system. Things like shared passwords and information stored in clear text within the devices made it significantly easier for us to eventually hack into the central command server, along with the vulnerabilities we identified in the router and BAS software”, Ionescu said.
While the potential cyber security threats affect all types of buildings, IoT is becoming much more pervasive in commercial and industrial facilities, which are more often targeted, and have more to lose, than residential properties. “What most people don’t know is that a very large proportion of those devices will be in commercial buildings,” Pook-Ping Yao, CEO of Vancouver’s Optigo Networks said, adding that will make the systems within those buildings even more vulnerable to security breaches.
A 2015 General Electric report estimated that worldwide spending on industrial IoT initiatives would reach US$500 billion by 2020 and growing as high as US$15 trillion by 2030. In Canada, GE acquired Vancouver-based Wurldtech Security in 2014 to boost industrial IoT security in such sectors as utilities, transportation, and oil and gas. “We have to be sure that as we’re building out this industrial Internet, we’re being equally smart about ensuring that – not at the enterprise level but also at the operating level – we are protecting the assets”, said GE Canada CEO Elyse Allan.
Yao said the IoT security market is opening up at commercial sites as clients upgrade to Smart Buildings or facilities that have integrated systems controlling everything from security to the temperature. “If someone was able to unlock your doors, turn off your lights or make the room very hot or very cold, would you move?” Yao asked.
During the X-Force test, the team hit only major obstacle. Despite the stolen login credentials and the configuration file pointing to the central server, they could not log in remotely. “It did not allow us to connect via the Internet from our address space”, Poulin said. However, the building was in close proximity, so they just drove over and set up in a nearby car parking, where they were able to gain access through the local wireless network.
“We connected to their wireless gateway and got an address that did allow us to connect to the central building management system”, Poulin said. That, in turn, gave them access to all the buildings that the company managed. “We could have done some serious damage”, he said.