
Cylance Hacks Google Office Building Management System

Unknown Lamer posted about a year ago | from the ghost-in-the-machine dept.

Security 46

Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."


Can they cause a gas explosion like in Skyfall? (1)

ArsenneLupin (766289) | about a year ago | (#43664799)

(n/t)

No (2)

telchine (719345) | about a year ago | (#43665115)

(n/t)

Re:No (4, Funny)

ColdWetDog (752185) | about a year ago | (#43665307)

But I'll bet they've got a bunch of idiots standing around enormous, complex displays muttering nonsensical 'hacker' terms.

At least that part of the movie was real, right?

Re:Can they cause a gas explosion like in Skyfall? (0)

Anonymous Coward | about a year ago | (#43665439)

and FUCK YOU too

Ooh, Google got scooped! (0)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43664805)

Better short your stock now, kids, one of Google's competitors just 'indexed the internet of things' right in Google's office before Google did.

Tut, tut, Sergei, falling behind in the race to make the world's information accessible. I'm ashamed of you.

Why??? (2, Funny)

Anonymous Coward | about a year ago | (#43664813)

Why is a build management tool doing exposed in the internet?

Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

Re:Why??? (2)

Gunkerty Jeb (1950964) | about a year ago | (#43664845)

Can't WFH without remote access.

Re:Why??? (4, Funny)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43664851)

Why is a build management tool doing exposed in the internet?

Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...

No sweat, man, the client-side JavaScript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.

Re:Why??? (0)

Anonymous Coward | about a year ago | (#43664987)

Someone messed up...

Should be behind a firewall with a VPN.

Re:Why??? (3, Insightful)

MickyTheIdiot (1032226) | about a year ago | (#43665471)

Fat, Pinhead Manager comments on IT Security recommendation:
"Why should we worry about THAT? We've never had those problems in the past. Besides, I don't quite understand what it is, so it must be a waste of money. No VPN!"

Fat, Pinhead Manager post-break security incident:
"Why didn't IT protect our vital infrastructure?"

Selective memory and buck passing make life in this century wonderful

Re:Why??? (0)

Anonymous Coward | about a year ago | (#43666581)

It may be a manager? It may be the guy who set it up? It may be the guy who just did not want to keep coming in at 2AM to reset a breaker... Not enough info. Bottom line *someone* screwed up and it needed a firewall and VPN. Fix it and move on.

Re:Why??? (0)

Anonymous Coward | about a year ago | (#43669651)

That's why you CYA and get it in writing that he's turning down this vital upgrade to protect our infrastructure.

Re:Why??? (2)

Ioldanach (88584) | about a year ago | (#43664991)

Why is a build management tool doing exposed in the internet?

What's the point of building automation if you have to be in the building to use it?

Re:Why??? (1)

rvw (755107) | about a year ago | (#43665145)

Why is a build management tool doing exposed in the internet?

What's the point of building automation if you have to be in the building to use it?

Automation of course!

Re:Why??? (1)

SrLnclt (870345) | about a year ago | (#43665203)

Exactly. Building operators are not on site 24/7. You get an automated email/text message when a boiler is in alarm or a chiller goes down. Pull up the controls system from any browser on your PC or phone, use your login/password and see what is going on. You may even be able to fix the issue remotely. No need to run across campus when you get a phone call or come in at 3AM if all a piece of equipment needs is the reset button.

Re:Why??? (2)

h4rr4r (612664) | about a year ago | (#43665427)

So VPN is not something you have ever heard of?
Or modems?

There is no need for these systems to be connected directly to the internet.

Re:Why??? (1)

Zero__Kelvin (151819) | about a year ago | (#43665399)

You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.

Re:Why??? (1)

Ioldanach (88584) | about a year ago | (#43665845)

You seem to be under the mistaken impression that you can't use it if it isn't exposed to the internet. Look into VPNs and how they work. It should provide you with a serious Homer Simpsonesque DOH moment.

If I can get to something through an internet based connection to a VPN, it is exposed to the internet. It has an added layer of security, yes, but it is still exposed.

Re:Why??? (1)

Zero__Kelvin (151819) | about a year ago | (#43666369)

No. It isn't. Please learn basic computer security and terms. It is ONLY exposed to the VPN. If you don't hack into their internal network (i.e. VPN) it doesn't show on a port scan nor can you get to it.

Re:Why??? (0)

Anonymous Coward | about a year ago | (#43667425)

So I should unlock my front door to my house. It is useless.

If you know of a way to crack SSH and most VPNs used you could make some good money with simple man in the middle attacks on much higher profile targets than what Google has its thermostat set to.

Re:Why??? (1)

h4rr4r (612664) | about a year ago | (#43665419)

No one said that.
Building automation is not going to need a lot of bandwidth. A modem would work fine and not expose it to the internet at large. Make the password very long and change the number frequently.

Re:Why??? (1)

Charliemopps (1157495) | about a year ago | (#43666551)

I've got an uncle that runs one of these systems and the control portion of it doesn't have external access. The point of it is, he knows the status of every fan, vent, boiler, furnace, air conditioner in the building. In the past he'd have to wait until someone complained it was too cold somewhere... walk around till he felt a cold spot... put flow meters over vents in the area... look at diagrams to find which systems feed that area... start testing motors and condensers...

Now... a little red light goes on, he clicks on it and it asks him if he'd like to order the part to replace what's broken. It arrives before the end of the day and he installs it. What used to take weeks now takes hours and the vendor gets a sweet exclusive deal on parts. If you've got a building that you want premium service in (in his case it's a casino) then this is the way to go.

Re:Why??? (4, Interesting)

Doug Otto (2821601) | about a year ago | (#43665037)

Because that's its main selling point.

The Niagara Framework® is a software platform that integrates diverse systems and devices regardless of manufacturer, or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.

Re:Why??? (1)

schitso (2541028) | about a year ago | (#43665069)

"Over the Internet" doesn't have to mean "over an unencrypted direct HTTP connection to an Internet-facing device". It should have been behind a VPN if outside access was needed.

Re:Why??? (1)

ewieling (90662) | about a year ago | (#43667349)

This stuff will continue to be exposed to the internet and not secured until the cost of securing it is less than the cost to leave it unsecured. Likely this will happen when there are widespread nasty attacks against exposed systems which cause significant real world problems.

Re:Why??? (1)

HiThere (15173) | about a year ago | (#43668173)

Already happened. I think it was in Illinois, and about a decade ago, perhaps a bit less. The only reason it was noticed is that a virus got in and started messing with things.

What seems to have happened is that the reactor wasn't on the internet, but it was on a LAN, and something else on the LAN got on the internet, and the virus knew how to make the traversal. Whoops!

I presume that it was cleaned up quickly, but there I only noticed the one public news story, in the midst of lots of other things being attacked by that same virus. (Can't recall which one, as I'd already switched to Linux so I'd started to stop noticing such things. These days either I just don't notice them at all, or they've stopped happening. Now it's trojans, vulnerabilities, etc.)

If an individual did this... (1)

Anonymous Coward | about a year ago | (#43664931)

Since a security firm conducted this, they'll get off with thanks - or at worst a bit of bluster +/- a suit from Tridium which will go nowhere.

If you or I did this, however, and similarly published the results? All of the books would be thrown at us, CFAA, federal prosecutors, and probably that same suit from Tridium, except we couldn't deal with it.

A two-tier justice system is no justice system. We need equal treatment under the rule of law. Either corporations need to be similarly prosecuted, or the laws are out of date and only used to oppress the public. IMHO, we need some of both.

Re:If an individual did this... (1)

fast turtle (1118037) | about a year ago | (#43666225)

Right in the First fucking line of the Summary that you didn't comprehend

"Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia

so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure

Re:If an individual did this... (0)

Anonymous Coward | about a year ago | (#43667135)

Hmmm overreact much?

AC

Re:If an individual did this... (1)

Em Adespoton (792954) | about a year ago | (#43667613)

Right in the First fucking line of the Summary that you didn't comprehend

"Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia

so the god damn CFTA doesn't apply so take a deep breath and count backwards from 1Google until you fall down, blue in the face from not breathing before you post after such a reading comprehension failure

One other thing to point out: the reason that a security firm doesn't get the book thrown at them but individuals do, is that security firms have policies and procedures in place for how they conduct themselves; they notify the appropriate people and perform due process. Most individuals who try a stunt like this aren't even aware of all the protocol and disclosure hoops they should be jumping through -- and so when they make a mistake (which is almost inevitable, doing something by yourself, unless you're already a trained security researcher who has spent time in the system -- at which point it's just highly likely), they end up with the industry and government coming down on them like a tonne of bricks.

Any individual who creates a reputation for honesty and fully documents their investigation and discloses their intentions and action plan to the right people before they start will usually get a quiet kudos and never be noticed in public. Those trying to make headlines, will.

Think of it like the girl who was doing a "science experiment" behind the cafeteria during out of school hours -- she did something against policy, and got smacked down for it. I'm sure there were many other students who did similar things through proper channels and had nothing but a mediocre science experiment to show for it.

That said, in this case, the security researchers did a really bad job covering the bases, and are pretty much riding on their reputation alone to avoid the smackdown. Doing something illegal to make headlines to fix a problem should always be a last resort (accepting that you may face jailtime and fines for doing it and calculating that that's worth it), not a way to gain advertising.

Irresponsible (1)

Anonymous Coward | about a year ago | (#43664959)

Here is the actual advisory for the vulnerabilities they exploited:

http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01

While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.

They are lucky (so far) that Google is being nice about this. Had this system been controlling something more sensitive than HVAC, they could have easily wound up in jail.

Re:Irresponsible (5, Interesting)

tlhIngan (30335) | about a year ago | (#43665331)

While I agree that the discovery and reporting of these vulns is important, they kinda crossed the line with the break in. They didn't need to compromise the system to know it was vulnerable (in order to report it). It's obvious that Google's reward program is intended to find vulns in Google products. It does not however, give a free license for hackers to break into anything Google owns, especially third party building control systems.

Then again, by compromising the devices, they could launch an attack behind the firewall. After all, there's a difference between read-only access (there was that company saying ADS-B was vulnerable then posting about internet-accessible AIS (marine Automatic Identification System) data saying they could find the location of any ship on the internet - including Navy and Coast Guard. Duh, that's what AIS is for! And it's not like it can't be turned off if operationally necessary), and full read-write access.

Read only access is a lot less scary (big whoop, it's 21 C in the office today, versus 20 yesterday, and the fan on duct #132 is acting up), than read-write (oh, it's a hot day in Sydney, I'm sure Google would love it if I could set this office to 15C and this one to 35C, turn the fan above the meeting room to max).

Sometimes you have to break in to figure out if you have full access or just limited access - because the limited access may be neat, but not useful at all (like AIS data - it's not terribly useful when it's hooked to an AIS receiver).

Also, some of these vulnerabilities may not be terribly important to Google - because Google properly firewalled it off. Or maybe it is because it's behind the firewall. You can bet a lot of other building automation systems may not have the internet savvy that Google has. Or maybe a misconfiguration in Google's network or someone's PC could serve as a launch point.

Serious (5, Funny)

empties (2827183) | about a year ago | (#43664961)

You might think stopping elevators or turning off server-room cooling would be the most dangerous hacks, but the real nightmare: Every coffee is decaf!

Re:Serious (3, Informative)

93 Escort Wagon (326346) | about a year ago | (#43665011)

No way - not even 4chan could be that cruel.

Re:Serious (1)

Jesus_666 (702802) | about a year ago | (#43667289)

Sounds like a typical Shadowrun plot.

Step 1: The decker enters the building network and switches all coffee makers to decaf.
Step 2: Everyone in the building falls asleep. The security deckers are the first to go.
Step 3: The team enters unimpeded. No alarms are tripped and the run is going smoothly.
Step 4: The street sam decides that now would be a good time to settle an old score using an unsilenced SMG loaded with EX-explosive ammo. In front of a street-level window facing a busy street.
Step 5: One fight with Lone Star later the GM laments that the C.L.U.E. Foundation has shut its doors.

Re: Serious (1)

Sigg3.net (886486) | about a year ago | (#43701573)

IANAL, but I think that falls under manslaughter.

BOFH IRL (0)

Anonymous Coward | about a year ago | (#43665169)

Sounds just like something out of the BOFH [theregister.co.uk] stories.

Whew. (1)

moeinvt (851793) | about a year ago | (#43665221)

For a second, I thought it started out with

"Industrial mind control researchers" :-O

It's a people problem (5, Informative)

dubbayu_d_40 (622643) | about a year ago | (#43665339)

They can only get the configuration file if they already have access. The contractor left the passwords at the default.

whose problem is this? (1)

CAIMLAS (41445) | about a year ago | (#43665383)

Within institutions, whose problem is this to fix?

Obviously, this is the developer's (and PM's) fault. They're horrible at their jobs and write lazy, insecure software.

But this is probably going to fall on the shoulders of Google's in-house IT department to get resolved (likely by pushing at Niagara's support channel). Meanwhile, the IT department is also answerable to and for everyone else's snafus in-house in most organizations.

Developers - as individuals and departments - really need to pull their shit together and take more responsibility for their products. This is pretty disheartening and, on a daily basis, frustrating as fuck.

Article picture of Wharf 7 (1)

Sponge Bath (413667) | about a year ago | (#43665517)

That picture shows how much Google employees enjoy intimate closeness. You are two feet from your coworker with no divider so you can enjoy all the sounds, sights and smells that make every work day a party.

Custom exploit (0)

Anonymous Coward | about a year ago | (#43665693)

tridium-ip-address/ord?file:^config.bog
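
As an added example (not part of the comment above or of the thread): a log check a defender could run over web or reverse-proxy access logs to find requests for the path quoted above and to separate served responses from refused ones. The combined log format, the sample lines and the trusted subnet 10.20.0.0/16 are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical management/VPN subnet; every other source is untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# The request quoted in the comment: /ord?file:^config.bog
TARGET_RE = re.compile(r"^/ord\?file:.*config\.bog", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2013:10:12:01 +0000] "GET /ord?file:^config.bog HTTP/1.1" 200 48213 "-" "-"
10.20.0.15 - - [06/May/2013:10:13:44 +0000] "GET /login HTTP/1.1" 200 900 "-" "-"
198.51.100.23 - - [06/May/2013:10:15:09 +0000] "GET /ord?file:%5Econfig.bog HTTP/1.1" 401 211 "-" "-"
10.20.0.15 - - [06/May/2013:10:16:30 +0000] "GET /ord?file:^config.bog HTTP/1.1" 200 48213 "-" "-"
192.0.2.44 - - [06/May/2013:10:17:02 +0000] "GET /ORD?FILE:%255EConfig.BOG HTTP/1.1" 200 48213 "-" "-"
203.0.113.7 - - [06/May/2013:10:18:20 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "-"
"""


def fully_decode(target, max_rounds=3):
    """Undo percent-encoding repeatedly so %5E and %255E both yield '^'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_config_requests(log_text, trusted_nets=TRUSTED_NETS):
    """Return one finding per request for config.bog through /ord?file:."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, when, _method, target, status = m.groups()
        if not TARGET_RE.match(fully_decode(target)):
            continue
        try:
            addr = ipaddress.ip_address(src)
            trusted = any(addr in net for net in trusted_nets)
        except ValueError:
            trusted = False  # unparsable source: treat as untrusted
        findings.append({
            "src": src,
            "time": when,
            "trusted_source": trusted,
            # 200 means the file was served: treat its passwords as exposed.
            "served": status == "200",
        })
    return findings


if __name__ == "__main__":
    for f in find_config_requests(SAMPLE_LOG):
        level = "ROTATE CREDENTIALS" if f["served"] else "probe"
        print(f'{f["time"]} {f["src"]} trusted={f["trusted_source"]} {level}')
```

A served response to an untrusted source is the case that calls for rotating every password stored in the file; a refused request from outside still shows the station is reachable from the Internet.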

3rd party systems / outside management (1)

Joe_Dragon (2206452) | about a year ago | (#43665829)

3rd party systems / outside management. How much does Google do with that side of stuff?

Galactic Emperor Executive Order #1 (1)

ThatsNotPudding (1045640) | about a year ago | (#43666535)

No infrastructure or military systems whatsoever on the public Internet, period.

Punishment: Vivisection.