
A built-in weakness
Ken Munro, managing director, SecureTest
From the May/June 2007 issue of Infosecurity magazine.
IP (internet protocol) networks are both a blessing and a curse.
Using one conduit for all your data brings economies of scale, ease
of maintenance and adaptability. But such are the number of systems
now using the network that the IT department may be blissfully unaware
of systems that have hitched a ride.
It’s this kind of loophole that hackers look for. Take Building
Management Systems (BMS), which are used to control HVAC (heating,
ventilation and air conditioning), door access, alarm systems, lifts
and other devices. In the past these were managed over dedicated
serial networks using protocols related to Modbus, BACnet and LonWorks,
giving them a degree of ‘security by obscurity’.
However, these are being migrated to IP, particularly when new
offices are built or refurbished. It’s not uncommon for the
IT department to be left out of the loop when these new IP-based
systems are deployed and security certainly doesn’t factor
high in the priorities of IP BMS vendors.
Many of your employees will have the skills to attack your IP network.
Few will be able to hack a serial network. Hence, anyone with access
to your local area network could potentially interfere with the
operation of your IP BMS.
This area fascinates me, as an attack could have real, physical
consequences. What would happen if the server room air conditioning
could be turned off? What if the office heating was turned off in
winter? If the temperature falls below 14 degrees Celsius, you would
have to evacuate the office for Health and Safety reasons. Now that’s
what I call a denial of service! BMS can manage your door access
controls, so what would happen if the IP fire alarm could be set
off, requiring all the doors to unlock?
Hack the friendly skies
IP BMS aren’t just used in offices. I searched on Google
looking for BMS vendors that had publicized recent contracts. It
didn’t take long to find that Heathrow and Gatwick airports
also use this technology to supply aircraft with power, water and
billing services on the ground – the vendor had helpfully
published a press release.
I was more surprised to find another release indicating the exact
kit they had implemented: “BAA [which runs both airports]
recently awarded Novar a £42m contract for the supply of BMS
for Terminal 5. Over 2,000 Trend Excite IQ3 controllers will be
installed and managed by a Trend 945 unit.” Another release
suggested the technology could be “managed from any point
on the network” (bread and butter for the hacker) “and
will be used to control fans and fire dampers”.
eBay is a handy source of equipment like this. It took a little
searching globally, but I managed to find one of the ‘Excite
IQ3’ controllers. We hooked it up to our testing network and
spent some time investigating whether or not it was secure.
Within a few minutes we found several issues, including unencrypted
login to a web server on the device, meaning that anyone with the
ability to ‘sniff’ traffic could steal passwords to
the system. Anyone could create an account on the device, so you
wouldn’t even need to steal the passwords! There was also a nice
Cross Site Scripting attack that allowed password theft.
Session hijacking was also an issue: session values should be highly
random, to prevent an attacker guessing a session ID. This device
used sequential session values! Memory leaks also featured, including
the user’s password leaking into a UDP broadcast packet sent
out by the device every few seconds. It’s usual to try out
‘fuzzing’ attacks against new devices. This involves
throwing particular types and lengths of network traffic at the
device to see what happens. Fuzzing the FTP server on the device
quickly showed up an attack that crashes the device.
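Two of the findings above, sequential session identifiers and a password broadcast in clear on the wire, are things an IT department can check for itself once it knows a BMS is on the network. The following audit script is an added example, not code from the article or from SecureTest: it takes a sample of session IDs collected from a device's own web interface and reports whether they are predictable, and it scans captured UDP datagrams for a known credential in several common encodings. The session IDs, datagrams and the credential `Summer2007!` are all constructed test data; the datagram shape (a destination address plus a raw payload) is an assumption standing in for whatever a capture tool actually exports.

```python
import base64
import math
import secrets
from collections import Counter

# --- Session-identifier predictability -----------------------------------

def parse_ids(ids):
    """Interpret each ID as an integer: decimal if every ID is all digits,
    otherwise hexadecimal. IDs in any other alphabet raise ValueError."""
    base = 10 if all(s.isdigit() for s in ids) else 16
    return [int(s, base) for s in ids]

def is_sequential(ids):
    """True when every consecutive pair of IDs differs by the same step,
    i.e. the next ID can be predicted exactly from the previous one."""
    values = parse_ids(ids)
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1

def bits_per_char(ids):
    """Shannon entropy of the character distribution across all IDs. A
    uniformly random hex string approaches 4.0; a decimal counter scores
    far lower because the leading digits barely change."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def assess_session_ids(ids):
    """Summarise the predictability signals for a sample of observed IDs."""
    entropy = bits_per_char(ids)
    findings = []
    if is_sequential(ids):
        findings.append("sequential: next ID is a fixed step from the previous one")
    if len(set(ids)) != len(ids):
        findings.append("duplicates: the same ID was issued more than once")
    if entropy < 3.0:
        findings.append("low entropy: %.2f bits per character" % entropy)
    return {"sequential": is_sequential(ids),
            "bits_per_char": round(entropy, 2),
            "findings": findings}

# --- Credentials leaking into broadcast traffic --------------------------

def encodings_of(secret):
    """The forms in which a credential commonly turns up inside a packet."""
    raw = secret.encode()
    return {"plain": raw,
            "hex": raw.hex().encode(),
            "base64": base64.b64encode(raw),
            "utf-16le": secret.encode("utf-16-le")}

def scan_datagrams(datagrams, known_secrets):
    """Return (index, dst, secret label, encoding) for every payload that
    carries a known secret. The destination is kept so the reviewer can see
    whether the leak is a broadcast that reaches every host on the segment."""
    hits = []
    for i, dg in enumerate(datagrams):
        for label, secret in known_secrets.items():
            for enc_name, needle in encodings_of(secret).items():
                if needle in dg["payload"]:
                    hits.append((i, dg["dst"], label, enc_name))
                    break   # one hit per secret per datagram is enough
    return hits

# --- Constructed sample data (not captured from any real device) ---------

SEQUENTIAL_IDS = ["%d" % n for n in range(1001, 1021)]      # counter-style IDs
RANDOM_IDS = [secrets.token_hex(16) for _ in range(20)]      # what a sound server issues
LEAKED_PASSWORD = "Summer2007!"                              # constructed test credential
KNOWN_SECRETS = {"admin-password": LEAKED_PASSWORD}
DATAGRAMS = [
    {"dst": "255.255.255.255", "payload": b"HELLO controller=ctl-01 uptime=3600"},
    {"dst": "255.255.255.255", "payload": b"STATUS user=admin pass=" + LEAKED_PASSWORD.encode()},
    {"dst": "192.168.1.10", "payload": b"CFG " + base64.b64encode(LEAKED_PASSWORD.encode())},
]

if __name__ == "__main__":
    print("counter IDs :", assess_session_ids(SEQUENTIAL_IDS))
    print("random IDs  :", assess_session_ids(RANDOM_IDS))
    for hit in scan_datagrams(DATAGRAMS, KNOWN_SECRETS):
        print("credential in datagram %d to %s (%s, %s encoding)" % hit)
```

The entropy figure is only meaningful on a reasonable sample (a few dozen IDs); the sequential test, on the other hand, needs just three. For the broadcast check, feed it the payloads exported from a capture on the BMS segment together with the credentials you already know, and treat any hit on a broadcast destination as reaching every host that can see that segment.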
I found this a little scary. The device had failed even the most
basic of security tests and technology similar to this is now in
our airports and offices. These are wide open to attack from anyone
with the ability to find and connect to the BMS network, be it an
employee looking to cause mayhem, a hacker trying to prove a point,
or even someone with an interest in compromising national security.
In fact, all IP BMSs may be sitting ducks. Poor network segregation,
open access to the BMS controller and insecure network communications
make it possible to interfere with transmissions.
Could facilities manage some infosecurity?
IP BMSs are usually configured in one of two ways: with a serial BMS
interfaced to a personal computer, or with an Ethernet-based connection.
One could shut down the PC, triggering a locks override, or hack
the Ethernet connection by unplugging it and sticking in a hub to
carry out a man in the middle attack and sniff passing traffic.
But it is also possible to hack via the control device located
near the BMS equipment. For example, one could dismantle the door
lock and send in excess of 13 volts back up the network, disabling
all points of entry to the premises.
So how can you protect yourself? Get in touch with your Facilities
Management department and find out if it has BMS. Does it have any
form of remote access? Systematically check whether the HVAC, door
entry, lifts and fire alarm systems operate over IP and make sure
these are vetted by IT. Test any prospective BMS you are looking
to deploy.
But the safest measure? Segregate these systems from your corporate
network, and protect the end point devices physically. Building
management systems simply aren’t secure enough yet.
SecureTest is a UK penetration testing firm.