Ethical hackers from IBM's X-Force pen tested a building automation system and encountered numerous security issues. For starters, they co-opted a vulnerable router.


According to Gartner, "connected things" in smart homes and smart buildings represent 45% of 1.1 billion IoT devices in 2015. With that many devices deployed, it is disconcerting that security pundits still have to ask whether these "connected things" are secure. It is a good enough question that IBM's X-Force Security Research Group decided to find out.

The group has existed under various guises since 1998. The IBM X-Force Research Group has grown from 10 ethical hackers to today's global team, which researches the latest threat trends in order to advise and deliver security content to IBM customers and the general public.

IBM X-Force Ethical Hacking Team Lead Paul Ionescu suggests that little attention is being paid to IoT devices employed in smart or automated buildings simply because IoT devices fall outside the scope of traditional IT.

The team's research paper, Penetration testing a building automation system, agrees with Ionescu's conjecture and then describes what might happen if automated systems in buildings are successfully breached:

"If compromised, such devices may have a more profound impact on our physical surroundings than, for example, the defacing of a web server. Even in an ordinary office building, hackers could gain control of the devices that regulate data center temperatures, causing cooling fans to shut down, and servers to overheat."

Besides the impact on the physical environment, the paper hints that compromised IoT devices and their network connections could be used as backdoors into the computing infrastructure.


Pen test a working system

IBM X-Force team members first thought to test individual devices, but realized that would give an incomplete picture; it would be better to work with a company already operating building automation systems (BAS) for clients.

"Our Ethical Hacking team conducted an assessment (penetration test) of a BAS that controlled sensors and thermostats in a commercial office," explains the paper.

That the BAS controlled several buildings, and did so through a remotely located central server, made it even more interesting. The schematic in Figure A represents the pen-tested BAS, including the central server and two separate buildings (Station 1 and Station 2).

Figure A

Image: IBM

Each station/building (depicted in Figure B) connects to the central BAS server over the internet through a router. A building automation controller connects to the router and to the various sensors throughout the building, reporting status to the central BAS and effecting changes requested by the central BAS.

Figure B

Image: IBM

Results of the pen test

It did not take long for the IBM X-Force Ethical Hacking team to find a way into the building's network. Chris Poulin, research strategist, IBM X-Force Security, says that co-opting a vulnerable router gave the team its foothold.

Image: IBM

Next, the pen-test team tried the router's admin password, which was stored in clear text on the router, against the BAS controller -- and it worked. The combination of a security flaw in the router and a password shared between devices with different roles gave the IBM team admin rights on the local BAS controller. Like dominoes, access to key components continued to fall into the team's hands, until it reached the central BAS server and could command the building automation controllers in multiple buildings across the United States.

The team was somewhat surprised at the number of security issues it encountered: the shared passwords already mentioned, critical information stored in clear text, and vulnerable router and BAS software.

Poulin says the team stopped there because it had enough proof. The IBM X-Force team members then reported their findings to the company operating the BAS as well as to the individual IoT device manufacturers. Poulin adds that all the parties concerned diligently patched the vulnerabilities.

Lessons learned

The IBM X-Force crew created a list of what BAS operators should check (though it applies to any business running internet-connected devices):

Ensure all device software is up-to-date.

If there is no business justification for remote access, disable remote administration of the BAS equipment.

Do not reuse, share, or store passwords in clear text.

Employ secure engineering and coding practices for authentication control, execution of shell commands, and password encryption.

Security Information and Event Management (SIEM) systems can be used to monitor network activity between the router, the BAS system, and embedded devices to identify suspicious activity.
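The two coding mistakes behind the attack chain above, a clear-text admin credential and a password shared between device roles, are exactly what the third and fourth checklist items address. The following is an added example, not code from the X-Force paper or from any vendor's firmware: it puts a clear-text credential store and a shell-built "ping diagnostic" command, the kind of thing an embedded admin page often does, beside hardened forms that hash the password, refuse a password already used by another device role, and never let a shell parse user input. The config layout, the record prefix and the diagnostic endpoint are assumptions for illustration.

```python
"""Added example, not code from the X-Force paper or from any vendor's
firmware: the two coding mistakes behind the pen test's attack chain
(an admin secret kept in clear text, and user input pasted into a shell
command) beside hardened forms. The config layout, the record prefix and
the 'ping diagnostic' endpoint are assumptions for illustration."""
import hashlib
import hmac
import ipaddress
import os
import subprocess

PREFIX = "pbkdf2_sha256$"
ITERATIONS = 600_000  # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


# --- 1. Credential storage ---------------------------------------------------

def store_password_insecure(config: dict, user: str, password: str) -> None:
    """What the tested router effectively did: the admin secret sits in the
    config in clear text, so anyone who can read the file can replay it
    against every other device that shares the password."""
    config[user] = password


def store_password(config: dict, user: str, password: str) -> None:
    """Salted, slow hash. Reading the config no longer yields a credential
    that can be tried against the BAS controller."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    config[user] = PREFIX + salt.hex() + "$" + digest.hex()


def verify_password(config: dict, user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; anything that is not
    a hashed record (including a legacy clear-text one) fails closed."""
    record = config.get(user, "")
    if not record.startswith(PREFIX):
        return False
    salt_hex, digest_hex = record[len(PREFIX):].split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cleartext_records(config: dict) -> list:
    """Audit helper for the 'stored in clear text' finding: users whose
    record is not a hash."""
    return [user for user, rec in config.items() if not rec.startswith(PREFIX)]


def password_reused(config: dict, password: str) -> bool:
    """Reject a new device password that matches any other role's password
    (router admin vs. BAS controller admin), which is how the foothold on the
    router became admin rights on the controller. Only hashed records are
    checked; clear-text ones are flagged by cleartext_records() instead."""
    return any(verify_password(config, user, password) for user in config)


# --- 2. Shell command execution ---------------------------------------------

def build_ping_command_insecure(target: str) -> str:
    """Typical embedded 'network diagnostics' page: the host field is pasted
    into a shell string, so '10.0.0.5; cat /etc/shadow' runs a second command
    once this string reaches a shell."""
    return "ping -c 1 " + target


def build_ping_command(target: str) -> list:
    """Validate the field as an IP literal and pass argv as a list so no shell
    ever parses it. Raises ValueError for anything that is not an address."""
    addr = ipaddress.ip_address(target)  # '10.0.0.5; cat /etc/shadow' -> ValueError
    return ["ping", "-c", "1", str(addr)]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Hardened diagnostic: argv list, shell=False, bounded runtime."""
    result = subprocess.run(build_ping_command(target), shell=False,
                            capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    devices = {}  # constructed sample config: one hashed role, one legacy role
    store_password(devices, "router/admin", "Building-42!")
    store_password_insecure(devices, "legacy-sensor/admin", "admin")
    print("clear-text records:", cleartext_records(devices))
    print("reuse on BAS controller blocked:", password_reused(devices, "Building-42!"))
    print("safe argv:", build_ping_command("10.0.0.5"))
```

The reuse check costs one hash computation per stored role, which is acceptable on a device that changes admin passwords rarely; the important property is that a controller's password can never be set equal to the router's, so a clear-text leak on one device no longer opens the other.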

Not an isolated incident

Unfortunately, this lax attitude is not an isolated case. One of the questions in a January 2015 survey by Facilities Management News and Education asked, "Which of the following best describes the actions you are currently taking concerning cyber security of building automation systems?" The results:

Not currently taking any action: 35%

Gathering information about cyber security: 15%

Evaluating building automation system(s) for cybersecurity: 14%

Planning to improve cyber security for building automation systems: 7%

Currently implementing or have completed actions to improve cyber security for building automation systems: 29%

Regrettably, the people most excited by this survey are the bad guys.
