Hackers illegally accessed the Internet-connected controls of a New Jersey-based company's internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney's Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a "Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area," according to the memo, which was issued in July. "All areas of the office were clearly labeled with employee names or area names."

An IT contractor for the unnamed business told FBI agents the "Niagara control box was directly connected to the Internet with no interposing firewall," according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.

The unauthorized access began in February, a few weeks after someone using the Twitter handle @ntisec posted comments indicating hackers were targeting SCADA—or supervisory control and data acquisition—systems. One tweet included a list of Internet addresses, including one that was assigned to the heating system belonging to the New Jersey business. The hack came five months before security researchers Billy Rios and Terry McCorkle blew the whistle on serious vulnerabilities in the Niagara system, which is marketed by Tridium, a company with US offices located in Richmond, Virginia.

Only getting worse

The revelation that Niagara vulnerabilities have been actively exploited in the wild is significant because the system is widely used to control critical equipment used around the world. Further, the number of Internet-facing Niagara systems appears to be growing. A search using the Shodan computer search engine late last year found about 16,000 systems, with more than 12,000 of those based in the US, according to Billy Rios, one of the security researchers who documented the vulnerabilities in the industrial control system. This year, the same search returned more than 20,000 systems, with about 16,000 of them in the US. While patches released earlier this year apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to show "tons" of systems running earlier versions, including 1.1, Rios said.

"These things keep popping up," he told Ars. "It's not going away. It's getting worse."

Perhaps the only other documented case of an industrial control system being breached in the US came in 2009, when a security guard abused his physical access to breach computers that controlled air-conditioning systems at a Texas hospital. The intrusion came to light after he posted a screenshots and other evidence showing he had control of the systems that cool operating rooms and other critical areas of the Texas facility, where temperatures regularly hit the triple digits. He has spent most of his time since in federal prison.

The FBI's "Situational Information Report" referred to the hacked company as US Business 1 and described it as a New Jersey air conditioning company. The report said the system the hackers intruded on controlled the company's internal heating, ventilation and air conditioning units.

"The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller," the memo stated. "US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall."

The memo continued: "US Business 1 had a controller for the system that was password protected, but was set up for remote/Internet access. By using the link posted by the hacktivist, the published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login. The backdoor required no password and allowed direct access to the control system."

The incident underscores the prevalence of industrial control systems that are connected to the Internet. Security consultants have long considered the practice to be unsafe. Sadly, they say, the convenience of IT employees get from being able to administer those systems from home or other remote locations often trumps security concerns. There are about 300,000 instances of the Niagara framework installed worldwide, according to Tridium's website.