More and more devices are connecting to the Internet; the ones that control your building’s heating, lighting and air conditioning are no exception. According to Gartner, devices in smart homes and smart commercial buildings represented 45 percent of total connected things in use in 2015.

Unfortunately, little attention is being paid to the potential cybersecurity risks created by smart office technology since these devices fall outside the scope of traditional IT. In fact, a recent survey of building automation system (BAS) operators found that only 29 percent had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems.

If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building. For example, cybercriminals could gain control of the devices that regulate data center temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.

Understanding the Risks of a Smart Office

Did you know it’s very hard to update an embedded device? Think about your thermostat or the software in your furnace. Those aren’t typically things you would be rebooting periodically for a software update. If a security bug was found, the best way to apply a fix would be to replace the thermostat. But the types of interconnected thermostats used in building automation aren’t exactly cheap.

How about software security practices? Many embedded devices are designed for networks that are completely isolated from the outside world, and therefore, authorization controls for these systems are often very lax, if they exist at all. The administrative Web interfaces for these systems aren’t expected to sustain the type of attacks you’d see on a publicly facing website. In many cases, they aren’t even protected by basic security controls and devices.

Today’s connected building implementations were not contemplated by some device manufacturers. For example, the building automation system can be set up with a multitude of stations connecting to a central control server. The technicians can log into the central server to obtain real-time access to sensor data and control various devices of the station.

Below is a diagram that shows how a connected BAS is typically set up. Notice that the stations go through the Internet to connect to the central server. In many cases, operators may use virtual private network (VPN) and firewall devices with access rules to secure this connection. In some cases, however, these measures may be skipped.

Because technicians need to be able to share access to the stations, the passwords may be easy to guess, usually following some pattern that is internally known. These passwords may never be changed, and many devices in the station network may be configured with the same password. To avoid travel, the technicians may also enable additional administrative interfaces such as router or controller Web interfaces.

A Real-World Experiment

While the design of these systems makes them a potential hacking target, many of these vulnerabilities and risks remain unknown to building system operators and property management.

To drive more awareness of these risks and learn how they could impact systems in real life, IBM Security’s X-Force Ethical Hacking team conducted a pen test to break into a building automation system to find out what kind of software flaws we could uncover and whether traditional application security products can help secure these devices.

We offered our services to a building management team who was more than happy to have us to try to break in. In fact, they asked us to test whether we could break into their main monitoring and control server, which controls several other locations in North America.

During the engagement, we found that all the security concerns outlined above were justified. The devices were directly connected to the Internet, they had several previously unknown security vulnerabilities, they were sharing passwords, and through public Internet access to administrative interfaces, we were able to break into the main central control server.

At a high level, here’s how we were able to accomplish the hack:

  • We found design flaws that allowed us to gain control of the wireless access point that connected the building automation system to the Internet. We also discovered the device password stored in cleartext (not encrypted).
  • From there, we found and accessed the BAS control software from the Internet.
  • A flaw in the system diagnostics page allowed us to access configuration settings for the device, including encrypted passwords. We were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America.
  • We were ultimately able to gain access to the central command server by using this password and connecting to the system from outside the building through the Wi-Fi network.

With control of the central BAS server, a malicious actor could tamper with the physical conditions of all the buildings controlled by this system. This type of control could lead to destruction of IT property by overheating data centers as well as impacting the physical comfort and safety of employees.

Thankfully, through the results of the experiment, we were able to bring these issues to the attention of BAS operators and device manufacturers, who patched the software vulnerabilities and made sure that the system itself was updated to prevent future hacks. That said, we learned firsthand that patching a building automation system is no easy feat, given the complex ecosystem of software, devices and ownership involved.

Improving Smart Building Security

The largest issue impacting smart office security is that there is no easy way to patch a building. In our project, it took extensive work and coordination to not only get the vulnerabilities patched, but also to make sure those fixes actually made their way into the affected devices in the building.

There are several steps that building automation management companies and manufacturers can do to improve security at a basic level:

  • The vulnerabilities we used to gain access could have been prevented by the software manufacturer employing secure engineering and coding practices. These would have allowed the manufacturer to better design controls for who has access to the software, avoid information leakage and include better password encryption.
  • Use application security scanning tools to identify flaws in software and applications before they are deployed.
  • Implement IP address restrictions to connect to the building automation system devices, especially if using public Internet.
  • If possible, disable remote administration features and unnecessary ports on wireless routers. If remote administration is required for business purposes, add controls like two-factor authentication and login anomaly detection.
  • Security incident and event management (SIEM) systems can be used to scan network activity between the router, BAS system and embedded devices to identify suspicious activity on the network.
  • Stronger network security rules should be used on all devices — specifically, safer password practices would have gone a long way toward preventing the attack. Never reuse or share passwords between devices and avoid making these passwords predictable. Never store passwords in cleartext.
  • Ensure that all your device software is up to date since new security issues are found every day.

Changing mindsets, policies and technologies to create secure connected buildings will take time, effort and investment. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces in order to protect their building, employees and data. Continued research in this field will be critical to raise awareness about a growing problem with potentially catastrophic consequences.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today