More and more devices are connecting to the Internet; the ones that control your building’s heating, lighting and air conditioning are no exception. According to Gartner, devices in smart homes and smart commercial buildings represented 45 percent of total connected things in use in 2015.

Unfortunately, little attention is being paid to the potential cybersecurity risks created by smart office technology since these devices fall outside the scope of traditional IT. In fact, a recent survey of building automation system (BAS) operators found that only 29 percent had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems.

If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building. For example, cybercriminals could gain control of the devices that regulate data center temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.

Understanding the Risks of a Smart Office

Updating an embedded device is hard. Think about your thermostat or the software in your furnace: those aren't things you reboot periodically for a software update. If a security bug is found, the fix in practice often means replacing the device, and the networked thermostats used in building automation aren't exactly cheap.

How about software security practices? Many embedded devices are designed for networks that are completely isolated from the outside world, so authentication and authorization controls on these systems are often very lax, if they exist at all. Their administrative Web interfaces were never expected to withstand the kind of attacks a publicly facing website sees, and in many cases they sit behind no basic security controls or devices at all.

Some device manufacturers never anticipated how their products would be deployed in today's connected buildings. A building automation system is commonly set up with a multitude of stations connecting to a central control server; technicians log in to that server to get real-time access to sensor data and to control the devices at each station.

Below is a diagram that shows how a connected BAS is typically set up. Notice that the stations go through the Internet to connect to the central server. In many cases, operators may use virtual private network (VPN) and firewall devices with access rules to secure this connection. In some cases, however, these measures may be skipped.

Because technicians need to share access to the stations, the passwords tend to be easy to guess, usually following some internally known pattern. They may never be changed, and many devices in a station network may be configured with the same password. To avoid travel, technicians may also enable additional administrative interfaces, such as router or controller Web interfaces, for remote use.

A Real-World Experiment

While the design of these systems makes them a potential hacking target, many of these vulnerabilities and risks remain unknown to building system operators and property management.

To drive more awareness of these risks and learn how they could impact systems in real life, IBM Security’s X-Force Ethical Hacking team conducted a pen test to break into a building automation system to find out what kind of software flaws we could uncover and whether traditional application security products can help secure these devices.

We offered our services to a building management team who was more than happy to have us try to break in. In fact, they asked us to test whether we could break into their main monitoring and control server, which controls several other locations in North America.

During the engagement, we found that all the security concerns outlined above were justified. The devices were directly connected to the Internet, they had several previously unknown security vulnerabilities, they were sharing passwords, and through public Internet access to administrative interfaces, we were able to break into the main central control server.

At a high level, here’s how we were able to accomplish the hack:

  • We found design flaws that allowed us to gain control of the wireless access point that connected the building automation system to the Internet. We also discovered the device password stored in cleartext (not encrypted).
  • From there, we found and accessed the BAS control software from the Internet.
  • A flaw in the system diagnostics page allowed us to access configuration settings for the device, including encrypted passwords. We were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America.
  • We were ultimately able to gain access to the central command server by using this password and connecting to the system from outside the building through the Wi-Fi network.
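The third step above turned on one design decision: the station kept the central server's password in a form the station itself could decrypt, so anyone holding the configuration and the firmware could decrypt it too. The following example is added here and is not code from the post or from any vendor; the post does not describe the real scheme, so the XOR-with-a-fixed-key routine is a hypothetical stand-in for any reversible scheme whose key ships with the device. Beside it is what the central server should hold instead: a salted, iterated hash per station, with a unique random credential issued to each station so that one leaked configuration does not yield the password every other building uses. Station names, the key bytes and the secrets are constructed for the example.

```python
"""Added example (not from the original post): why a password the device can
"decrypt" is as good as cleartext once the config leaks, and what the central
server should store instead.

The post does not describe the vendor's actual scheme; the XOR-with-a-fixed-key
routine below is a hypothetical stand-in for any reversible scheme whose key
ships with the firmware. Station names and secrets are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumption: a constant key baked into every unit's firmware.
FIRMWARE_KEY = b"\x5a\xa3\x1c\x77"


def _xor_with_firmware_key(data: bytes) -> bytes:
    return bytes(b ^ FIRMWARE_KEY[i % len(FIRMWARE_KEY)] for i, b in enumerate(data))


def device_encrypt(password: str) -> bytes:
    """What the hypothetical station does before writing its config file."""
    return _xor_with_firmware_key(password.encode())


def device_decrypt(blob: bytes) -> str:
    """Exactly what an attacker does after dumping the config and the firmware key."""
    return _xor_with_firmware_key(blob).decode()


# --- Hardened side: the central server never stores anything reversible. -----

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so response timing does not leak the stored hash.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def provision_station(server_db: Dict[str, str], station_id: str) -> str:
    """Issue a unique random credential per station and store only its hash.

    The plaintext is returned once for installation on that station; a leak
    of one station's config then exposes only that station's credential."""
    secret = secrets.token_urlsafe(24)
    server_db[station_id] = hash_password(secret)
    return secret


def authenticate(server_db: Dict[str, str], station_id: str, secret: str) -> bool:
    stored = server_db.get(station_id)
    return stored is not None and verify_password(secret, stored)


if __name__ == "__main__":
    # Weak: the "encrypted" value in the station config is trivially reversed.
    blob = device_encrypt("shared-bas-password")
    print("config stores:", blob.hex(), "-> recovered:", device_decrypt(blob))

    # Hardened: per-station secrets, server keeps only salted hashes.
    db: Dict[str, str] = {}
    s1 = provision_station(db, "station-01")
    s2 = provision_station(db, "station-02")
    print("station-01 with its own secret:", authenticate(db, "station-01", s1))
    print("station-02 with station-01's secret:", authenticate(db, "station-02", s1))
```

The station still has to hold some secret to reach the server, so the hardened side does not make a station leak harmless; it limits the blast radius to that one station instead of every building the central server controls, and it leaves nothing on the server that a diagnostics-page leak could hand back in reversible form.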

With control of the central BAS server, a malicious actor could tamper with the physical conditions of all the buildings controlled by this system. This type of control could lead to destruction of IT property by overheating data centers as well as impacting the physical comfort and safety of employees.

Thankfully, through the results of the experiment, we were able to bring these issues to the attention of BAS operators and device manufacturers, who patched the software vulnerabilities and made sure that the system itself was updated to prevent future hacks. That said, we learned firsthand that patching a building automation system is no easy feat, given the complex ecosystem of software, devices and ownership involved.

Improving Smart Building Security

The largest issue impacting smart office security is that there is no easy way to patch a building. In our project, it took extensive work and coordination to not only get the vulnerabilities patched, but also to make sure those fixes actually made their way into the affected devices in the building.

There are several steps that building automation management companies and manufacturers can take to improve security at a basic level:

  • The vulnerabilities we used to gain access could have been prevented by the software manufacturer employing secure engineering and coding practices: properly designed controls for who can access the software, no information leakage from diagnostic pages, and password storage that cannot be reversed from a leaked configuration.
  • Use application security scanning tools to identify flaws in software and applications before they are deployed.
  • Implement IP address restrictions to connect to the building automation system devices, especially if using public Internet.
  • If possible, disable remote administration features and unnecessary ports on wireless routers. If remote administration is required for business purposes, add controls like two-factor authentication and login anomaly detection.
  • Security information and event management (SIEM) systems can collect and correlate logs from the router, the BAS server and the embedded devices to identify suspicious activity, such as administrative logins from unexpected addresses or one account logging in to many stations in quick succession.
  • Stronger security rules should be applied to all devices; in particular, safer password practices would have gone a long way toward preventing the attack. Never reuse or share passwords between devices, avoid predictable passwords, and never store passwords in cleartext.
  • Ensure that all your device software is up to date since new security issues are found every day.
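Three of the recommendations above (IP restrictions, login anomaly detection and SIEM correlation) come down to rules a practitioner can write down and test. The example below is added here and is not code from the post or from any SIEM product: it parses constructed audit lines from BAS admin interfaces and flags the three patterns the engagement actually relied on, namely administrative logins from outside an allowlist, one shared account succeeding on many stations within minutes, and a login that succeeds right after a burst of failures. The log format, the allowlisted networks, the device names and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): a small detector for the three
patterns the post describes, run over constructed audit lines from BAS admin
interfaces. Field names, allowlisted networks and the log format are
assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
from typing import Dict, List, Tuple

# Assumption: only the operator VPN pool and the station LAN should ever reach
# a controller or router web interface.
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/16"),
                   ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample audit lines: "<ISO timestamp> <device> <user> <source ip> <OK|FAIL>"
SAMPLE_LOG = """\
2016-02-01T08:00:01 station-01 tech 10.50.3.7 OK
2016-02-01T08:05:12 station-02 tech 10.50.3.7 OK
2016-02-01T08:06:40 station-03 tech 10.50.3.7 OK
2016-02-01T08:07:02 station-04 tech 10.50.3.7 OK
2016-02-01T09:15:33 station-01 tech 203.0.113.45 OK
2016-02-01T09:20:01 central-ctl admin 198.51.100.9 FAIL
2016-02-01T09:20:03 central-ctl admin 198.51.100.9 FAIL
2016-02-01T09:20:05 central-ctl admin 198.51.100.9 FAIL
2016-02-01T09:20:07 central-ctl admin 198.51.100.9 FAIL
2016-02-01T09:20:09 central-ctl admin 198.51.100.9 FAIL
2016-02-01T09:20:11 central-ctl admin 198.51.100.9 OK
"""


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "user": user, "src": ipaddress.ip_address(src),
                       "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict], allowed=ALLOWED_SOURCES,
           spread_window=timedelta(minutes=15), spread_devices=3,
           burst_window=timedelta(seconds=60), burst_fails=5) -> List[Tuple]:
    alerts: List[Tuple] = []

    # Rule 1: any attempt from outside the allowlist, i.e. the post's
    # "public Internet access to administrative interfaces".
    for e in events:
        if not any(e["src"] in net for net in allowed):
            alerts.append(("outside_allowlist", e["device"], e["user"], str(e["src"])))

    # Rule 2: one account succeeding on many devices in a short window, the
    # footprint of a password shared across a station network.
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    for user, succ in by_user.items():
        for i, first in enumerate(succ):
            devices = {x["device"] for x in succ[i:]
                       if x["ts"] - first["ts"] <= spread_window}
            if len(devices) >= spread_devices:
                alerts.append(("shared_credential", user, tuple(sorted(devices))))
                break  # one alert per account is enough

    # Rule 3: a success preceded by a burst of failures from the same source,
    # the signature of a guessed, predictable password.
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["device"], str(e["src"]))].append(e)
    for (device, src), attempts in by_target.items():
        for i, e in enumerate(attempts):
            if not e["ok"]:
                continue
            fails = [x for x in attempts[:i]
                     if not x["ok"] and e["ts"] - x["ts"] <= burst_window]
            if len(fails) >= burst_fails:
                alerts.append(("success_after_burst", device, e["user"], src, len(fails)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log the detector raises seven allowlist alerts (one station login and six central-server attempts from public addresses), one shared-credential alert for the `tech` account seen on four stations within seven minutes, and one success-after-burst alert for `admin` on the central server. The first rule is the one worth enforcing at the firewall rather than only alerting on; the other two are the kind of correlation a SIEM rule should carry, because neither is visible from a single device's own log.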

Changing mindsets, policies and technologies to create secure connected buildings will take time, effort and investment. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces in order to protect their building, employees and data. Continued research in this field will be critical to raise awareness about a growing problem with potentially catastrophic consequences.
