Security researchers have blown the whistle on serious vulnerabilities in an Internet-connected system used by the US military, hospitals, and private industry to control boilers, air-conditioners, security alarms, and other critical industrial equipment.

The defects in the Niagara Framework, which links more than 11 million devices in 52 countries, could allow malicious hackers to seize control of critical infrastructure, an article published by The Washington Post warned. The vulnerabilities were unearthed by Billy Rios and Terry McCorkle, two researchers who have spent the past 18 months exposing security holes in a variety of ICS, or industrial control systems.

"The ICS software community is light years behind modern software security," Rios wrote in a blog post recounting his odyssey in getting Niagara officials to publicly acknowledge the vulnerabilities after he and McCorkle reported them. "Sadly, we can honestly say that the security of iTunes is more robust than most ICS software."

The 2,000-word Washington Post article recounts the researchers' steps in discovering the vulnerability, which they said makes it trivial for them to retrieve system files that contain user names, hashed passwords, and other sensitive material. "All told, it took me two days to go from zero knowledge to remote password theft," the paper quotes Rios as saying. Niagara allows administrators to remotely control boiler, heating, lighting, fire detection, elevator, and surveillance systems for the Pentagon, the FBI, the US Attorney's Office, and the Internal Revenue Service, to name just a few. The vulnerabilities could allow hackers anywhere in the world to sabotage the equipment using an Internet-connected computer.

A Tridium official told the paper: "We're committed to making our framework more secure. And we know it's our responsibility to educate our community."

Earlier this month, about a year after Tridium officials learned of the weaknesses, they issued a confidential advisory that describes ways customers can mitigate them.

The report is only the latest cautionary tale about the dangers of connecting gasoline pumps, power generation plants, and other critical infrastructure to the Internet. The number of serious security bugs that remain unpatched in ICS software sold by companies including GE, Siemens, Schneider, and ABB has given rise to the term forever-day vulnerabilities. One of the most recently discovered weaknesses affected users of Internet-connected devices made by Canada-based RuggedCom. An undocumented backdoor that couldn't be disabled made it possible for hackers to gain unauthorized access to equipment in electrical power stations. Following the exposure of the weakness, the company pledged to remove it.

Rios said the most disappointing thing he encountered in his interactions with Tridium was its "eagerness to blame the customer." He continued: "It should never be the customer's responsibility to have to compensate for poor design. Many ICS vendors expect customers to ensure their product is implemented securely, yet provide zero (or extremely vague) guidance on how to do so. In many cases, secure deployment is simply impossible due to the extremely poor security design."