Two security researchers have found a new vulnerability in a software tool used to control heating and air conditioning systems, building electric and lighting grids, security and surveillance systems, electronic doors and other critical functions in hospitals, offices, government buildings and other facilities. Billy Rios and Terry McCorkle, researchers with CyLance who focus on the software security of the popular Tridium Niagara AX Framework and other industrial control systems, demonstrated a zero-day exploit during the recent Kaspersky Security Analyst Summit.
Rios and McCorkle have previously warned of security risks in Niagara, a control system linked to more than 11 million devices and machines in 52 countries and deployed in high-profile buildings such as Singapore’s Changi Airport and a federal government office in Chicago. In July 2012, The Washington Post reported on their discovery of a backdoor vulnerability in the software and warned that security issues might be inevitable in an increasingly connected control environment. In December, the FBI released a memo noting that a New Jersey company’s Niagara-controlled heating and air conditioning system had been hacked.
Tridium released a patch addressing the directory traversal exploit Rios and McCorkle had found last year, but the researchers’ latest discovery presents a new vector for attack. While they declined to release the full details of the exploit for security reasons, the latest attack targets a remote, pre-authenticated vulnerability that can be combined with a privilege escalation bug to get root on the system platform, Wired reported. An attacker can access Tridium’s SoftJACE system – the Windows system that runs the Java virtual machine responsible for handling the Tridium client – and all of the company’s embedded software.
“The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios said, according to Wired. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack].”
Protecting the Niagara AX system
For many Niagara AX deployments, such vulnerabilities present only a minor threat, as the systems are designed to be kept on virtual private networks (VPNs) and behind firewalls. However, Tridium’s own marketing materials tout the product’s capability to be managed remotely over the internet, and systems are configured to run this way by default, Engineering and Technology Magazine noted. Using the Shodan search engine, Rios and McCorkle found around 21,000 Tridium systems that were visible over the internet, and they have verified that many are actual Niagara units, Wired reported.
“If somebody wanted to, it’s easily exploitable,” McCorkle said, according to the publication.
Many customers do not realize their systems are exposed because the technology was set up by outside contractors and because building operators may not ever use the remote management options, Engineering and Technology Magazine noted. The publication added that building control software and equipment systems often stay in place for decades, frequently undergoing only sporadic patch updates. Tridium said it plans to release a patch for this current problem in the coming days, with updates for customers using older versions of the software scheduled to arrive soon as well.
“We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today,” spokesman Mark Hamel said. “The vast majority of Niagara AX systems are behind firewalls and VPNs – as we recommend – but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.”
Addressing the risk of vulnerabilities such as the ones that have cropped up in the Niagara AX control system requires a proactive approach that protects end users whose patching habits are sporadic. By adopting more secure development processes that make use of tools such as source code analysis, vendors can strengthen their products' software security before they ship.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.