More than 21,000 Internet-connected devices sold by Honeywell are vulnerable to a hack that allows attackers to remotely seize control of building heating systems, elevators, and other industrial equipment and, in some cases, cause them to malfunction.

The hijacking vulnerability in Niagara AX-branded hardware and software sold by Honeywell's Tridium division was demonstrated at this week's Kaspersky Security Analyst Summit in San Juan, Puerto Rico. Billy Rios and Terry McCorkle, two security experts with a firm called Cylance, allowed an audience to watch as they executed a custom script that took about 25 seconds to take control of a default configuration of the industrial control software. When they were done they had unfettered control over the device, which is used to centralize control over alarm systems, garage doors, heating ventilation and cooling systems, and other equipment in large buildings.

Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or sabotaging large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.

"We actually just used this against one of our premium clients a couple weeks ago," Rios said, referring to a penetration test he performed to test a customer's network for hacking vulnerabilities. "They were pretty shocked. They took their device off the Internet before the engagement was over."

The researchers said a recent query on the Shodan computer search engine found 21,541 Internet-connected Niagara devices, some operated by military installations, hospitals, and other mission-critical facilities. Tests the pair performed on a small sample of the machines confirmed they were accessible over the Internet. The nondescript boxes are often installed by third-party contractors in out-of-the-way closets, so on-site administrators and managers may not even know they're in use. In addition to opening up critical equipment to tampering, Tridium's products also expose corporate and government networks to intruders since the devices are often connected directly to local networks using one of two Ethernet ports built into the boxes.

ICS: less secure than iTunes

This week's hack was only the latest demonstration of the risks created by many industrial control systems (ICS), which are designed to use computers to control building temperatures, turn alarms on and off, and maintain emergency generators and industrial power supplies. Tridium quietly patched its Niagara software last year after Rios and McCorkle found it contained a separate vulnerability that also allowed unauthorized access. A raft of other ICS devices have been found to contain similar critical defects, including those from Siemens-owned Ruggedcom and another line of mission-critical routers made by Fremont, California-based GarrettCom.

The devices are billed as a way to lower the cost of maintaining large collections of equipment that are often scattered throughout buildings or other facilities. Rather than requiring engineers to travel to where each device is physically located, they can make changes remotely, from a single office in the building, or even off-site. Indeed, Tridium's marketing material defines the Niagara framework as a "universal software infrastructure that allows companies to build custom, web-enabled applications for accessing, automating, and controlling smart devices in real time over the Internet." The company provides a wealth of customer case studies, including one from the James Cook University Hospital in the UK.

Security experts have long argued that the convenience often comes at the price of security, and there are some disturbing examples of the risks from the last couple of years. In 2009, a recently discharged security guard who had physical access to ICS computers was arrested after posting screen shots and videos showing him planning to remotely cripple air-conditioning systems at a Texas hospital, where temperatures regularly reach into the triple digits. Last year, hackers illegally accessed the Internet-connected heating and air-conditioning controls of a New Jersey-based company. The vulnerability the intruders exploited was the same one Tridium patched in secret last year.

Despite the potentially critical consequences of ICS hacks, manufacturers sometimes decline to patch their wares at all, giving rise to the term "forever-day" vulnerabilities. Last year, Rios said the security of iTunes was more robust than that of most ICS software.

Game Over

Rios and McCorkle declined to describe the specific series of vulnerabilities behind their latest hack other than to say the bugs allowed them to remotely acquire a configuration file used to customize a Niagara box for a specific network. Among other things, the config.bog file contains user names and passwords that are encoded using "encraption," the word the research pair uses to describe Tridium engineers' encryption routines. Using the credentials, they were able to gain access to the "station" layer of the device that provides only limited user rights. Exploiting another series of vulnerabilities allowed them to access Niagara's "platform," which gives them full "system" access when it runs on Microsoft Windows or "root" access when running on Linux or a proprietary embedded operating system.

"Once we own the platform, it's game over," Rios said.

Rios said he acquired a Tridium box by purchasing one on eBay. He then spent months reverse engineering the firmware it ran. His job was made easy by the fact that much of the Niagara framework uses unsigned, unobfuscated Java code, allowing him to decompile the binary and read the raw source code.

In a statement issued Wednesday evening, Tridium officials said:

Tridium takes these security issues very seriously and we appreciate the efforts by researchers like Billy Rios and Terry McCorkle to raise awareness about them. Tridium was made aware of the vulnerability cited at the conference in late December 2012, and immediately began working on a solution, in cooperation with both ICS-Cert and the researchers. We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today. We share the concern that Mr. Rios and Mr. McCorkle have in raising awareness about the need to protect Internet-facing control systems. The vast majority of Niagara AX systems are behind firewalls and VPNs—as we recommend—but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.

The Tridium vulnerabilities are among more than 1,000 bugs Rios and McCorkle have reported to ICS manufacturers over the past year, resulting in 30 advisories issued by the Department of Homeland Security-affiliated ICS-CERT. They said the engineers who designed the systems are often defensive and direct their anger back at the researchers once the vulnerabilities are disclosed.

"We don't think we're the only ones that are doing this," Rios said of the research into ICS. "There's tons of other people that are doing this and they're not standing on a stage somewhere presenting their work for the whole world to see. That's what they really need to worry about. These guys are kind of stuck a little bit in the stone age."