Written by James Orme Fri 9 Aug 2019

Exploit could give a hacker complete control over company security systems and thermal systems used in data centres

Security researchers have discovered a zero-day vulnerability in a popular building control system that could allow cyber criminals to wreak havoc with operational technology found in factories, businesses and data centres.

The system is manufactured by Delta, a Taiwan-based provider of power and thermal management solutions widely used in data centres. The company’s systems are also used in hospitals, including operating theatres.

The vulnerable system in question is the company’s enteliBUS Manager, or eBMGR, a device that provides a single pane of glass with which to control various corporate or industrial hardware, including data centre HVAC (heating, ventilation, and air conditioning) controllers, factory boiler alarms and sensors, and corporate security control and lighting.

As this kind of network-connected system is a single point of failure for critical operational technology, such devices are usually guarded with extremely high standards of software security.

From building control to damage control

The vulnerability was discovered by McAfee’s Advanced Threat Research Team. The team hooked up an eBMGR unit to a simulated network before flooding the device with random permutations of data until a vulnerability revealed itself, a speculative technique known as “fuzzing” that is commonly used to automate the discovery of software bugs.

The researchers eventually uncovered what is known as a buffer overflow vulnerability in the device (a mismatch between the amount of memory set aside for incoming network data and the amount of data actually written into it), rendering it vulnerable to a network attack that could give a hacker complete control over the unit’s operating system.
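As an added illustration (not Delta’s or McAfee’s code, and using an invented one-byte-length frame layout), here is the size-mismatch class of bug the parenthetical describes, with an unchecked handler beside a bounds-checked one that rejects malformed frames:

```c
/* Added example, not Delta's or McAfee's code: a toy network-frame handler
 * showing the size-mismatch class of bug the article describes, with the
 * unchecked version beside a bounds-checked one. The frame layout is
 * invented: [1 byte declared payload length][payload bytes]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

/* Unchecked handler: trusts the length byte from the wire and copies that
 * many bytes into a fixed-size buffer, so a declared length above
 * PAYLOAD_MAX writes past it. Shown for contrast only; the demos below
 * never feed it an oversized frame. */
static int handle_frame_unchecked(const uint8_t *frame, size_t frame_len,
                                  uint8_t out[PAYLOAD_MAX]) {
    if (frame_len < 1) return -1;
    size_t declared = frame[0];
    memcpy(out, frame + 1, declared);   /* no check against PAYLOAD_MAX or frame_len */
    return (int)declared;
}

/* Bounds-checked handler: the declared length must fit the buffer and must
 * equal the number of bytes actually received. Returns the payload length,
 * or -1 for a malformed frame (which a monitor could log as suspicious). */
static int handle_frame_checked(const uint8_t *frame, size_t frame_len,
                                uint8_t out[PAYLOAD_MAX]) {
    if (frame_len < 1) return -1;
    size_t declared = frame[0];
    if (declared > PAYLOAD_MAX) return -1;    /* would overrun the buffer */
    if (declared != frame_len - 1) return -1; /* declared vs received mismatch */
    memcpy(out, frame + 1, declared);
    return (int)declared;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t GOOD[]      = {4, 'o', 'p', 'e', 'n'};   /* length matches bytes sent */
static const uint8_t OVERSIZED[] = {200, 'A', 'B', 'C'};      /* claims 200 bytes, sends 3 */
static const uint8_t TRUNCATED[] = {8, 'x', 'y'};             /* claims 8 bytes, sends 2 */

int demo_good(void)      { uint8_t b[PAYLOAD_MAX]; return handle_frame_checked(GOOD, sizeof GOOD, b); }
int demo_oversized(void) { uint8_t b[PAYLOAD_MAX]; return handle_frame_checked(OVERSIZED, sizeof OVERSIZED, b); }
int demo_truncated(void) { uint8_t b[PAYLOAD_MAX]; return handle_frame_checked(TRUNCATED, sizeof TRUNCATED, b); }
int demo_unchecked_good(void) { uint8_t b[PAYLOAD_MAX]; return handle_frame_unchecked(GOOD, sizeof GOOD, b); }

int main(void) {
    printf("good=%d oversized=%d truncated=%d unchecked_good=%d\n",
           demo_good(), demo_oversized(), demo_truncated(), demo_unchecked_good());
    return 0;
}
```

The checked handler returns -1 for both the oversized and the truncated frame, which is exactly the kind of inconsistency a fuzzer surfaces when the unchecked version is the one on the device.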

As the attack also utilises broadcast traffic, a hacker could conceivably use it to identify the location of any hardware connected to the unit.

As Mark Bereza, the lead author of the research, explained:

“The result is a twisted version of Marco Polo – the hacker needs only shout “Marco!” into the darkness and wait for the unsuspecting targets to shout “Polo!” in response.”

The researchers then stepped up their attack to see if they could manipulate devices controlled by the unit. To do this they had to buy a conventional piece of operational hardware and connect it to the compromised unit.

The researchers decided on an HVAC controller and then performed a replay attack: executing a “normal” action through the operating system (e.g. flipping a switch), identifying the code that executes it, and replicating the same conditions manually.

This strategy granted the researchers control over ‘every category of device’ supported by the eBMGR, regardless of its vendor. They then developed custom malware which allowed them to remotely issue commands to any device, from meeting room light switches to factory boilers.

Such an attack could also be performed remotely over the internet if the attacker knew the IP address of the device ahead of time, the researchers added.

As soon as McAfee discovered the vulnerability it reached out to Delta, which promptly provided an effective beta patch. McAfee praised the company for its collaboration, which they said was ‘a step in the right direction’.

Nevertheless, the researchers said their hack wasn’t complicated to execute and issued a warning to all businesses that connect critical systems to networks, advising them to place all internet-connected devices behind a firewall, monitor traffic, segregate them from the rest of the network using VLANs, and stay on top of security updates.

Mo Cashman, principal engineer at McAfee, said industrial and manufacturing organisations need to take a ‘one enterprise’ approach to security and risk management:

“Many organisations still operate in silos. For instance, a CISO may be responsible for IT only, yet not charged with securing OT environments. This needs to change. Recent attacks demonstrate that threats to industrial control systems enter from multiple routes. As a result, increased collaboration and achieving one unified view across the digital workplace, cloud services, industrial controls and the supply chain are necessary considerations if an organisation is to maintain business resilience as it transitions to create a factory of the future.”