Building management system controllers connected to the Internet are a new source of vulnerability
Schools and offices are increasingly vulnerable because of the automated systems used to control vital systems in buildings.
Indeed, security research firm Pen Test Partners earlier this week warned that British schools’ heating systems are vulnerable to hackers.
But it is not just schools, as many buildings including offices and even Heathrow’s Terminal Five are vulnerable because of their use of smart building controllers.
Smart building controllers typically manage door access control, heating and ventilation systems, as well as air conditioning and other smart building tech.
According to Pen Test Partners, in the infamous Target breach in the United States in 2013, the ingress point was believed to be the retailer’s heating, ventilation, and air conditioning (HVAC) management company.
Pen Test Partners has long had concerns about these systems (as far back as 2006), especially as they are often connected to the wider Internet (against the manufacturer’s guidelines).
So it decided to look for building management system controllers made by West Sussex-based Trend Control Systems via the internet of things (IoT) search tool Shodan.
And its results were very concerning: whilst Pen Test found that the controller security had improved somewhat, it also discovered (in just ten seconds) that large numbers (over 1,000) of these systems were “installed on the public internet, unprotected, with complete authentication bypass in some cases!”
“We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations,” it warned. “We also found some that had already been compromised to a point by malware. Further compromise would be trivial.”
However, Pen Test said the problem was not all down to the vendor, but rather the sloppy installation of these devices by HVAC and BMS installers.
“The installers have exposed their clients through not following manufacturer security guidelines,” said Pen Test. “The manufacturer could still make improvements though.”
The researchers did say that they have raised their concerns with Trend Controls, but “got nowhere”. They called on Trend Controls to audit their installers to make sure they were installing their products correctly.
“This advice also assumes that the threat is only from an attacker on the public internet,” Pen Test continued. “These controllers are found in quiet areas of buildings, hopefully in locked plant rooms and electrical panels. Ideal for the social engineer. Also, compromise the guy who manages the building, pop his PC and you can potentially unlock doors to order.”
“It simply shouldn’t be possible to install these devices in customer buildings this insecurely. But an easy fix, pulling out the network cables, can address the threat.”
“It would be really easy for someone with basic computer skills to have switched off a school’s heating system – it’s a matter of clicks and some simple typing,” Pen Test’s founder Ken Munro told the BBC. “It’s a reflection of the current state of internet-of-things security.”
“Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can’t be set up this way.”
The company at the centre of the problem told the BBC that it does take security seriously.
“Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible,” spokesman Trent Perrotto was quoted as saying.
“This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.”
He added that the company would “assess and test the effectiveness” of its current practices.
There has long been concern that professional cyber criminals for hire could attack IoT systems and critical infrastructure, like power grids, from across the internet at the behest of terrorist groups and nation states.
Last year the security threat posed by IoT was starkly illustrated when researchers at security firm Sucuri uncovered an unusual botnet made up entirely of Internet-connected CCTV cameras.
That incident recalled a similar case in 2015 when a security firm found a botnet made up of 900 CCTV cameras was launching an attack on an unnamed cloud services provider.