More and more devices are connecting to the Internet; the ones that control your building’s heating, lighting and air conditioning are no exception. According to Gartner, devices in smart homes and smart commercial buildings represented 45 percent of total connected things in use in 2015.

Unfortunately, little attention is being paid to the potential cybersecurity risks created by smart office technology since these devices fall outside the scope of traditional IT. In fact, a recent survey of building automation system (BAS) operators found that only 29 percent had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems.

If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building. For example, cybercriminals could gain control of the devices that regulate data center temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.

Understanding the Risks of a Smart Office

Did you know it’s very hard to update an embedded device? Think about your thermostat or the software in your furnace. Those aren’t typically things you would be rebooting periodically for a software update. If a security bug was found, the best way to apply a fix would be to replace the thermostat. But the types of interconnected thermostats used in building automation aren’t exactly cheap.

How about software security practices? Many embedded devices are designed for networks that are completely isolated from the outside world, and therefore, authorization controls for these systems are often very lax, if they exist at all. The administrative Web interfaces for these systems aren’t expected to sustain the type of attacks you’d see on a publicly facing website. In many cases, they aren’t even protected by basic security controls and devices.

Today’s connected building implementations were not contemplated by some device manufacturers. For example, the building automation system can be set up with a multitude of stations connecting to a central control server. The technicians can log into the central server to obtain real-time access to sensor data and control various devices of the station.

Below is a diagram that shows how a connected BAS is typically set up. Notice that the stations go through the Internet to connect to the central server. In many cases, operators may use virtual private network (VPN) and firewall devices with access rules to secure this connection. In some cases, however, these measures may be skipped.

Because technicians need to be able to share access to the stations, the passwords may be easy to guess, usually following some pattern that is internally known. These passwords may never be changed, and many devices in the station network may be configured with the same password. To avoid travel, the technicians may also enable additional administrative interfaces such as router or controller Web interfaces.

A Real-World Experiment

While the design of these systems makes them a potential hacking target, many of these vulnerabilities and risks remain unknown to building system operators and property management.

To drive more awareness of these risks and learn how they could impact systems in real life, IBM Security’s X-Force Ethical Hacking team conducted a pen test to break into a building automation system to find out what kind of software flaws we could uncover and whether traditional application security products can help secure these devices.

We offered our services to a building management team who was more than happy to have us to try to break in. In fact, they asked us to test whether we could break into their main monitoring and control server, which controls several other locations in North America.

During the engagement, we found that all the security concerns outlined above were justified. The devices were directly connected to the Internet, they had several previously unknown security vulnerabilities, they were sharing passwords, and through public Internet access to administrative interfaces, we were able to break into the main central control server.

At a high level, here’s how we were able to accomplish the hack:

  • We found design flaws that allowed us to gain control of the wireless access point that connected the building automation system to the Internet. We also discovered the device password stored in cleartext (not encrypted).
  • From there, we found and accessed the BAS control software from the Internet.
  • A flaw in the system diagnostics page allowed us to access configuration settings for the device, including encrypted passwords. We were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America.
  • We were ultimately able to gain access to the central command server by using this password and connecting to the system from outside the building through the Wi-Fi network.

With control of the central BAS server, a malicious actor could tamper with the physical conditions of all the buildings controlled by this system. This type of control could lead to destruction of IT property by overheating data centers as well as impacting the physical comfort and safety of employees.

Thankfully, through the results of the experiment, we were able to bring these issues to the attention of BAS operators and device manufacturers, who patched the software vulnerabilities and made sure that the system itself was updated to prevent future hacks. That said, we learned firsthand that patching a building automation system is no easy feat, given the complex ecosystem of software, devices and ownership involved.

Improving Smart Building Security

The largest issue impacting smart office security is that there is no easy way to patch a building. In our project, it took extensive work and coordination to not only get the vulnerabilities patched, but also to make sure those fixes actually made their way into the affected devices in the building.

There are several steps that building automation management companies and manufacturers can do to improve security at a basic level:

  • The vulnerabilities we used to gain access could have been prevented by the software manufacturer employing secure engineering and coding practices. These would have allowed the manufacturer to better design controls for who has access to the software, avoid information leakage and include better password encryption.
  • Use application security scanning tools to identify flaws in software and applications before they are deployed.
  • Implement IP address restrictions to connect to the building automation system devices, especially if using public Internet.
  • If possible, disable remote administration features and unnecessary ports on wireless routers. If remote administration is required for business purposes, add controls like two-factor authentication and login anomaly detection.
  • Security incident and event management (SIEM) systems can be used to scan network activity between the router, BAS system and embedded devices to identify suspicious activity on the network.
  • Stronger network security rules should be used on all devices — specifically, safer password practices would have gone a long way toward preventing the attack. Never reuse or share passwords between devices and avoid making these passwords predictable. Never store passwords in cleartext.
  • Ensure that all your device software is up to date since new security issues are found every day.

Changing mindsets, policies and technologies to create secure connected buildings will take time, effort and investment. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces in order to protect their building, employees and data. Continued research in this field will be critical to raise awareness about a growing problem with potentially catastrophic consequences.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…