Exploring Building Security: Now and Future

Exploring Building Security:Now and Future Jimmy C. Chau Ph.D. Candidate Boston University

Overview • Cyber-security threats to buildings • Billy Rois (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014 • Context • Traditional (Low-Tech) • Future (Smart Buildings)

Timeline Facility Management Systems Smart Rooms (and Smart Spaces) Manual Control Smart Grid Integration

Modern Buildings

Traditional Building Vulnerabilities

On to Billy Rois’sBlackhat 2014 presentation… Owning a Building: Exploiting Access Control and Facility Management Systems

Presentation Summary • Covers two facility management systems • Niagara Framework (Tridium) • MetaSys (Johnson Controls) • Password retrieval vulnerabilities • Then privilege escalation • Vendor response • Fixed by security patches in Niagara Framework • No response for MetaSys • (Local/on-site attacks)

Tridium Niagara AX Framework • Rois (Blackhat 2014): • Unauthenticated user can retrieve encoded password • Decoded password gives admin access • Privilege escalation to get SYSTEM on device • ICSA-12-228-01A • Predictable session IDs • Base64-encoded username and password in cookies • Directory traversal (read parent directories) • Authentication credentials stored in config.bog • Wired (Kim Zetter Feb. 6, 2013) • Privilege escalation bug in SoftJACE

Johnson Controls MetaSys • Windows CE • Typically has unauthenticated telnet & FTP • Docs indicate that telnet & FTP can be enabled • Inspect filesystem • Download & decompile .NET web services • Found services to • Directory listings • Upload arbitrary files to anywhere • Get user password hash (without authentication)

Really a Problem? • Rois: • Shodan: 21,000 Tridium Systems on the Internet • Identified over 50,000 Internet-exposed buildings • ICS-CERT Monitor (Jan-Mar 2013): • Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS • A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures

Into the future Smart Grid and Smart Spaces

Smart Grid Smart Meter Electrical Grid Power Data Network

Hart 1992

Smart Rooms

Smart Room System

Privacy

Future Building Security Issues • Many new privacy and security problems • Access control • k-anonymity • Differential privacy • Requires activity monitoring • Distinguish “good” from “bad” use

References • Billy Rois. “Owning a Building: Access Control and Facility Management Systems”. Blackhat 2014. http://www.blackhat.com/docs/asia-14/materials/Rios/Asia-14-Rios-Owning-A-Building-Exploiting-Access-Control-And-Facility-Management.pdf. • ICSA-12-228-01A. “Tridium Niagara Vulnerabilites (Update A)”. ICS-CERT. http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A • Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, 2013. http://www.wired.com/2013/02/tridium-niagara-zero-day/ • Johnson Controls docs (about telnet and FTP): • p.15: http://cgproducts.johnsoncontrols.com/met_pdf/1201993.pdf • p.26: http://cgproducts.johnsoncontrols.com/MET_PDF/1201990.pdf • Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p.1870-1891. 1992. • Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p.556-564. 2013.

Thanks for Listening! Questions?

Images (used with permission) • Old house: http://fc02.deviantart.net/fs44/i/2009/102/0/a/Spooky_Old_House_1_by_Ranald101.jpg • Smart grid: https://www.e-education.psu.edu/drupal6/files/engr312/lesson05/dynamic_infrastructure.jpg • Back door: http://farm7.staticflickr.com/6100/6322575335_22a7b52c74_z.jpg • Broken window: http://farm3.staticflickr.com/2097/2098210283_8da0e23ecb_z.jpg • Kicking door: http://content.artofmanliness.com/uploads/2011/10/Breaking-Doors.jpg • Trojan horse: http://farm3.staticflickr.com/2141/2403154755_7e74984b36.jpg • Lock-picking: http://upload.wikimedia.org/wikipedia/commons/thumb/9/9e/Pin_and_tumbler_lock_picking.PNG/220px-Pin_and_tumbler_lock_picking.PNG

Exploring Building Security: Now and Future