Author Topic: Zero-Day Vulnerabilities Leave Smart Buildings Open to Cyber Attacks  (Read 82 times)

Offline javajolt



A team of researchers discovered six zero-day vulnerabilities in protocols and individual components used in smart buildings. The flaws could be used to steal sensitive information, access or delete critical files, or perform malicious actions.

The flaws range from cross-site scripting (XSS) and path traversal to arbitrary file deletion and authentication bypass. They were found in building automation devices such as programmable logic controllers (PLCs) and in protocol gateways.

Aggregated data from two search engines for discovering computer hardware connected to the internet shows that thousands of devices affected by these vulnerabilities are exposed online.

To demonstrate that the risks in modern smart buildings are real, the researchers built proof-of-concept malware that targeted surveillance, access control, and HVAC systems set up in a laboratory.



A typical Building Automation System (BAS) network is larger than this lab setup, though, and comprises a variety of systems, such as elevators, access control, video surveillance, HVAC, lighting, fire alarms, or energy-producing systems.

This type of infrastructure is present not only in residential and commercial buildings but also in hospitals, airports, stadiums, schools or data centers.



Zero days and non-public vulnerabilities

Following security assessment and penetration testing standards, members of the OT Research team at ForeScout started to evaluate their targets.

They found three XSS vulnerabilities in the Access Control PLC and in the protocol gateway, a component that allows connections over a specific protocol. These can be used to inject malicious scripts into the web interface running on the vulnerable devices, giving an attacker access to cookies and session tokens.

The protocol gateway component was also affected by a path traversal and an arbitrary file deletion vulnerability, which provide access to files (system files included) and directories outside the root folder of the web app running on the affected device.
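As an added illustration of the path traversal and file deletion bug class described above (this is example code, not code from ForeScout or from the affected gateway), the snippet below contrasts the flawed "glue the client-supplied name onto the web root" pattern with a containment check that keeps every resolved path inside the root. The web root /var/www/gateway and the sample request names are constructed assumptions.

```python
import os

# Constructed example web root; the real device's layout is not on the page.
WEB_ROOT = "/var/www/gateway"


def resolve_unsafe(web_root: str, user_path: str) -> str:
    """The vulnerable pattern: the client-supplied name is glued onto the
    web root with no normalisation or containment check, so a request for
    "../../etc/passwd" is read (or deleted) from outside the root."""
    return web_root.rstrip("/") + "/" + user_path


def resolve_safe(web_root: str, user_path: str) -> str:
    """Hardened resolution: normalise the joined path, then require that the
    web root is a proper path-prefix of the result. Comparing whole path
    components (commonpath) instead of str.startswith also rejects sibling
    directories such as /var/www/gateway_old, which a prefix check would pass."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty name or NUL byte")
    root = os.path.normpath(web_root)
    # os.path.join drops `root` entirely if user_path is absolute, and
    # normpath collapses "..", so the containment check below is what matters.
    candidate = os.path.normpath(os.path.join(root, user_path))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{user_path!r} resolves outside the web root")
    # Deployment note: also compare os.path.realpath() of both sides so a
    # symlink planted inside the root cannot point back out of it.
    return candidate


def is_safe(web_root: str, user_path: str) -> bool:
    """True if the requested name stays inside the web root."""
    try:
        resolve_safe(web_root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests to a hypothetical file-delete endpoint.
    for name in ["logs/today.txt", "../../etc/passwd", "/etc/passwd",
                 "../gateway_old/config.xml", "a/../../b"]:
        print(f"{name:28} unsafe -> {resolve_unsafe(WEB_ROOT, name):40} "
              f"safe -> {'allowed' if is_safe(WEB_ROOT, name) else 'REJECTED'}")
```

The "../gateway_old/config.xml" case is the one worth noting: it normalises to a path that starts with the root string yet lies in a sibling directory, which is why the check compares path components rather than string prefixes.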

Another vulnerability unknown to the vendor before the researchers' report was in the HVAC PLC: an authentication bypass that permits stealing user credentials, "including plaintext passwords."

Two other issues, a buffer overflow and a hardcoded password, were discovered in the Access Control PLC from June 2013. However, the vendor was aware of them ahead of ForeScout's disclosure and had released a patch.

These flaws are the most severe of the bunch as they could allow code execution on the system, allowing a remote attacker to take full control.

All vulnerabilities were disclosed responsibly to the vendors of the affected products and patches are now available.

Exposed vulnerable devices

ForeScout researchers checked to see how many of the systems they analyzed were vulnerable and exposed.

They searched on Shodan and Censys for the same models in their lab and found that out of a total of 22,902 publicly reachable devices (IP cameras excluded), 9,103 were affected by the zero-days they uncovered.



Things are worse with the IP cameras in the surveillance system. Out of 11,269 devices, over 91% (10,312) were vulnerable.



Door to a BAS network: publicly exposed systems

Elisa Costante, Technology Innovation Director at ForeScout, presented the team's findings today at the S4X19 ICS security event in Miami South Beach.

She says that in an ideal architecture, the subsystems would be isolated from one another and from the IT network. In practice, this is rarely the case, though.



One of the weak spots is that the implementation of the security features for data authentication is optional. Also, many buildings rely on old versions of the protocols and do not exchange data in a secure way.

"Regardless of the protocol employed, IoT and building automation devices are notoriously vulnerable to, e.g., injection and memory corruption vulnerabilities, due to poor coding practices, which allow attackers to bypass their security features and gain full control of them," reads the research report ForeScout shared with BleepingComputer.

According to the report, malware designed to hit a BAS network could take four possible attack paths:

1. Publicly reachable PLCs (programmable logic controllers) that command the actuators and sensors (the green arrows in the diagram below)

2. Exposed workstations responsible for managing the entire system; the attacker would then have to move laterally to reach the PLCs (yellow arrows)

3. Publicly reachable IoT devices, such as an IP camera or router, used as an entry point into the network, from which the attacker moves on to the workstations and other subsystems (red arrows)

4. An air-gapped network; this requires physical access to enter the network, which is not difficult to achieve most of the time, followed by an attempt to reach the PLCs (purple arrows)



Devices exposed on the internet are discoverable via dedicated search engines (Shodan, Censys, ZoomEye) that scan for systems that are online. If they are accessible and should not be so, chances are it's because of misconfiguration or inherent weakness.

Malware targeting Operational Technology (OT) can get on the network from a management workstation, whose admin fell victim to a phishing attack. It can move laterally or stay at the same level. Once it achieves persistence on the network, it typically launches a final payload.

Connected automation systems in buildings offer a wide attack surface that could be reduced by applying patches for reported vulnerabilities. But despite the availability of fixes, these systems remain vulnerable, leaving open the possibility of large-scale cyber attacks.

The researchers say that exploiting vulnerabilities in smart buildings would have devastating effects. They believe that malware targeting smart buildings is inevitable in the near future.

source