200 likes | 384 Views
Exploring Building Security: Now and Future. Jimmy C. Chau Ph.D. Candidate Boston University. Overview. Cyber-security threats to buildings Billy Rois ( Qualys ). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014 Context
E N D
Exploring Building Security:Now and Future Jimmy C. Chau Ph.D. Candidate Boston University
Overview • Cyber-security threats to buildings • Billy Rois (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014 • Context • Traditional (Low-Tech) • Future (Smart Buildings)
Timeline Facility Management Systems Smart Rooms (and Smart Spaces) Manual Control Smart Grid Integration
On to Billy Rois’sBlackhat 2014 presentation… Owning a Building: Exploiting Access Control and Facility Management Systems
Presentation Summary • Covers two facility management systems • Niagara Framework (Tridium) • MetaSys (Johnson Controls) • Password retrieval vulnerabilities • Then privilege escalation • Vendor response • Fixed by security patches in Niagara Framework • No response for MetaSys • (Local/on-site attacks)
Tridium Niagara AX Framework • Rois (Blackhat 2014): • Unauthenticated user can retrieve encoded password • Decoded password gives admin access • Privilege escalation to get SYSTEM on device • ICSA-12-228-01A • Predictable session IDs • Base64-encoded username and password in cookies • Directory traversal (read parent directories) • Authentication credentials stored in config.bog • Wired (Kim Zetter Feb. 6, 2013) • Privilege escalation bug in SoftJACE
Johnson Controls MetaSys • Windows CE • Typically has unauthenticated telnet & FTP • Docs indicate that telnet & FTP can be enabled • Inspect filesystem • Download & decompile .NET web services • Found services to • Directory listings • Upload arbitrary files to anywhere • Get user password hash (without authentication)
Really a Problem? • Rois: • Shodan: 21,000 Tridium Systems on the Internet • Identified over 50,000 Internet-exposed buildings • ICS-CERT Monitor (Jan-Mar 2013): • Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS • A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures
Into the future Smart Grid and Smart Spaces
Smart Grid Smart Meter Electrical Grid Power Data Network
Future Building Security Issues • Many new privacy and security problems • Access control • k-anonymity • Differential privacy • Requires activity monitoring • Distinguish “good” from “bad” use
References • Billy Rois. “Owning a Building: Access Control and Facility Management Systems”. Blackhat 2014. http://www.blackhat.com/docs/asia-14/materials/Rios/Asia-14-Rios-Owning-A-Building-Exploiting-Access-Control-And-Facility-Management.pdf. • ICSA-12-228-01A. “Tridium Niagara Vulnerabilites (Update A)”. ICS-CERT. http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A • Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, 2013. http://www.wired.com/2013/02/tridium-niagara-zero-day/ • Johnson Controls docs (about telnet and FTP): • p.15: http://cgproducts.johnsoncontrols.com/met_pdf/1201993.pdf • p.26: http://cgproducts.johnsoncontrols.com/MET_PDF/1201990.pdf • Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p.1870-1891. 1992. • Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p.556-564. 2013.
Images (used with permission) • Old house: http://fc02.deviantart.net/fs44/i/2009/102/0/a/Spooky_Old_House_1_by_Ranald101.jpg • Smart grid: https://www.e-education.psu.edu/drupal6/files/engr312/lesson05/dynamic_infrastructure.jpg • Back door: http://farm7.staticflickr.com/6100/6322575335_22a7b52c74_z.jpg • Broken window: http://farm3.staticflickr.com/2097/2098210283_8da0e23ecb_z.jpg • Kicking door: http://content.artofmanliness.com/uploads/2011/10/Breaking-Doors.jpg • Trojan horse: http://farm3.staticflickr.com/2141/2403154755_7e74984b36.jpg • Lock-picking: http://upload.wikimedia.org/wikipedia/commons/thumb/9/9e/Pin_and_tumbler_lock_picking.PNG/220px-Pin_and_tumbler_lock_picking.PNG