SAN JUAN, PUERTO RICO – A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.

The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely access the system's config.bog file, which holds all of the system's configuration data, including the usernames and passwords used to log in to operator workstations and to control the systems they manage.

Billy Rios and Terry McCorkle, noted security researchers with Cylance, who have found numerous vulnerabilities in the Tridium system and other industrial control systems in the last two years, demonstrated a zero-day attack on the system at the Kaspersky Security Analyst Summit on Tuesday. The attack exploits a remote, pre-authentication vulnerability (one that requires no valid credentials) that, combined with a privilege-escalation bug, gave them root on the system's platform, which underlies the devices.

"The platform is written in Java, which is really, really good from an exploitation standpoint," Rios said. "Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack]."

The vulnerability allows them to get root on what Tridium calls its SoftJACE system – basically a Windows system with a Java virtual machine and the Tridium client software running on it – as well as all of the company's embedded software.

McCorkle said they developed a backdoor module to maintain a foothold on the system once they had access to it, but won't be releasing it publicly.

A Tridium spokesman said the researchers notified the company about the vulnerability last December and that the company has been working on a patch, which it expects to release this month.

"We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today," spokesman Mark Hamel said in a statement. "The vast majority of Niagara AX systems are behind firewalls and VPNs – as we recommend – but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk."

Tridium's Niagara Framework is the platform for millions of control systems sold by the company worldwide. But in a Washington Post story last year, the company said it believed attacks on its systems were unlikely because the systems were obscure and hackers didn't traditionally target such systems.

Such systems would normally be out of an attacker's reach if they were not connected to the internet, or to other systems that are, but as Rios and McCorkle pointed out in their demonstration, Tridium's own product documentation for the system touts the fact that it is ideal for remote management over the internet.

"These boxes are designed to control 16 to 34 devices and they can be run in series so they're designed to run a whole building," McCorkle says.

In a search of the Shodan search engine, Rios and McCorkle found some 21,000 Tridium systems visible over the internet.

"We've gone through and verified that a lot of these are actual Niagara boxes," McCorkle said.
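The Shodan step above is a fingerprint-and-filter job: take scan records, keep the ones whose banners look like a Niagara unit, and separate hosts that are actually reachable from the internet from ones that only showed up because an internal scanner fed the same index. The script below is an added example, not code from the article or from Rios and McCorkle, and it makes two assumptions the page does not state: that Niagara AX's embedded web server identifies itself with a `Server: Niagara Web Server` header, and that its Fox protocol on TCP 1911 answers with a `fox a 0 -1 fox hello` greeting. Both strings are taken from what Shodan has historically reported for these units and should be confirmed on a known unit before being trusted. The sample records are constructed in the shape of a Shodan JSON export and use documentation and RFC 1918 address ranges.

```python
"""Triage Shodan-style scan records for internet-exposed Niagara hosts.

Added example; not the article's or the researchers' code. The two banner
indicators are assumptions (see lead-in) and a match is a lead, not proof.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records (ip_str, port, data), mimicking a Shodan export.
# Addresses are from documentation (203.0.113/24, 198.51.100/24) and RFC 1918.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.7.44\r\n\r\n"},
    {"ip_str": "203.0.113.11", "port": 1911,
     "data": "fox a 0 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n};;\n"},
    {"ip_str": "198.51.100.5", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n\r\n"},
    {"ip_str": "10.0.0.7", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.5.34\r\n\r\n"},
    {"ip_str": "203.0.113.10", "port": 443,
     "data": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.7.44\r\n\r\n"},
]

# Assumed fingerprints (not from the page): HTTP Server header and Fox hello.
HTTP_SERVER_RE = re.compile(r"^Server:\s*Niagara Web Server/?(\S*)", re.I | re.M)
FOX_HELLO_RE = re.compile(r"^fox a \d+ -?\d+ fox hello", re.M)

# Ranges treated as internal. Listed explicitly rather than using
# ip_address(...).is_global, which also rejects the documentation ranges
# used in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    indicator: str   # which fingerprint matched
    version: str     # version string if the banner carried one, else ""
    public: bool     # True if the address is outside INTERNAL_NETS


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def fingerprint(record):
    """Return (indicator, version) for a Niagara-looking banner, else None."""
    data = record.get("data", "")
    m = HTTP_SERVER_RE.search(data)
    if m:
        return "niagara-web-server", m.group(1)
    if record.get("port") == 1911 and FOX_HELLO_RE.search(data):
        vm = re.search(r"fox\.version=s:(\S+)", data)
        return "fox-hello", vm.group(1) if vm else ""
    return None


def triage(records):
    """One Finding per host whose banner matched; first matching banner wins."""
    findings = {}
    for rec in records:
        hit = fingerprint(rec)
        if hit is None:
            continue
        ip = rec["ip_str"]
        if ip in findings:
            continue
        indicator, version = hit
        findings[ip] = Finding(ip=ip, port=rec["port"], indicator=indicator,
                               version=version, public=not is_internal(ip))
    return sorted(findings.values(), key=lambda f: f.ip)


def exposed(records):
    """Only the candidates reachable from outside the internal ranges."""
    return [f for f in triage(records) if f.public]


if __name__ == "__main__":
    for f in exposed(SAMPLE_RECORDS):
        print(f"{f.ip}:{f.port} {f.indicator} {f.version or '?'}")
```

Two design points matter in practice. Deduplicating per host keeps a unit that answers on both 80 and 443 from being counted twice, which is exactly the kind of inflation a raw Shodan hit count suffers from; and separating the fingerprint from the exposure decision lets the same matcher run over an internal scan to find units that should never have had a route to the outside in the first place.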

One of the connected systems they found belonged to a medical testing lab at a college.

"If somebody wanted to, it's easily exploitable," McCorkle said.

Tridium systems are used to manage HVAC, lighting and security in a federal office building, and kitchen refrigeration in a hospital, among other things.

Tridium's website provides information on some of its customers through a number of published case studies. These indicate that the systems are used at a government office complex in Chicago that houses a number of federal agencies, including the FBI, the Drug Enforcement Administration, the U.S. Marshals Service, the IRS and the Passport Office.

The systems are also used at a British Army training facility, at Boeing's manufacturing facilities in Renton, Washington, at Changi airport in Singapore and at the Four Points Sheraton hotel in Sydney, Australia, among other facilities around the world.

Rios and McCorkle performed their research on a Tridium box that they purchased on eBay. The device came with a packing slip indicating that it had once been owned by Long Building Technologies, a firm that sells and installs building control systems.

According to the company's website, it "provides design, installation, and integration of building automation systems, energy management systems, controllable and dimmable lighting systems, fire life safety systems, CCTV and card access employing cutting edge technology and TCP/IP connectivity."

The device they bought on eBay came with documentation providing the default username and password for the platform administration of the device.

"So the zero-day that we have doesn't depend on this obviously," Rios said. "[But] we're like, 'Way to go, guys. Way to go,'" Rios said of their reaction when they saw that.

Home Page Photo: Zigazou / Flickr