More and more devices are connecting to the Internet; the ones that control your building’s heating, lighting and air conditioning are no exception. According to Gartner, devices in smart homes and smart commercial buildings represented 45 percent of total connected things in use in 2015.

Unfortunately, little attention is being paid to the potential cybersecurity risks created by smart office technology since these devices fall outside the scope of traditional IT. In fact, a recent survey of building automation system (BAS) operators found that only 29 percent had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems.

If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building. For example, cybercriminals could gain control of the devices that regulate data center temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.

Understanding the Risks of a Smart Office

Did you know it’s very hard to update an embedded device? Think about your thermostat or the software in your furnace. Those aren’t typically things you would be rebooting periodically for a software update. If a security bug was found, the best way to apply a fix would be to replace the thermostat. But the types of interconnected thermostats used in building automation aren’t exactly cheap.

How about software security practices? Many embedded devices are designed for networks that are completely isolated from the outside world, and therefore, authorization controls for these systems are often very lax, if they exist at all. The administrative Web interfaces for these systems aren’t expected to sustain the type of attacks you’d see on a publicly facing website. In many cases, they aren’t even protected by basic security controls and devices.

Today’s connected building implementations were not contemplated by some device manufacturers. For example, the building automation system can be set up with a multitude of stations connecting to a central control server. The technicians can log into the central server to obtain real-time access to sensor data and control various devices of the station.

Below is a diagram that shows how a connected BAS is typically set up. Notice that the stations go through the Internet to connect to the central server. In many cases, operators may use virtual private network (VPN) and firewall devices with access rules to secure this connection. In some cases, however, these measures may be skipped.

Because technicians need to be able to share access to the stations, the passwords may be easy to guess, usually following some pattern that is internally known. These passwords may never be changed, and many devices in the station network may be configured with the same password. To avoid travel, the technicians may also enable additional administrative interfaces such as router or controller Web interfaces.

A Real-World Experiment

While the design of these systems makes them a potential hacking target, many of these vulnerabilities and risks remain unknown to building system operators and property management.

To drive more awareness of these risks and learn how they could impact systems in real life, IBM Security’s X-Force Ethical Hacking team conducted a pen test to break into a building automation system to find out what kind of software flaws we could uncover and whether traditional application security products can help secure these devices.

We offered our services to a building management team who was more than happy to have us to try to break in. In fact, they asked us to test whether we could break into their main monitoring and control server, which controls several other locations in North America.

During the engagement, we found that all the security concerns outlined above were justified. The devices were directly connected to the Internet, they had several previously unknown security vulnerabilities, they were sharing passwords, and through public Internet access to administrative interfaces, we were able to break into the main central control server.

At a high level, here’s how we were able to accomplish the hack:

  • We found design flaws that allowed us to gain control of the wireless access point that connected the building automation system to the Internet. We also discovered the device password stored in cleartext (not encrypted).
  • From there, we found and accessed the BAS control software from the Internet.
  • A flaw in the system diagnostics page allowed us to access configuration settings for the device, including encrypted passwords. We were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America.
  • We were ultimately able to gain access to the central command server by using this password and connecting to the system from outside the building through the Wi-Fi network.

With control of the central BAS server, a malicious actor could tamper with the physical conditions of all the buildings controlled by this system. This type of control could lead to destruction of IT property by overheating data centers as well as impacting the physical comfort and safety of employees.

Thankfully, through the results of the experiment, we were able to bring these issues to the attention of BAS operators and device manufacturers, who patched the software vulnerabilities and made sure that the system itself was updated to prevent future hacks. That said, we learned firsthand that patching a building automation system is no easy feat, given the complex ecosystem of software, devices and ownership involved.

Improving Smart Building Security

The largest issue impacting smart office security is that there is no easy way to patch a building. In our project, it took extensive work and coordination to not only get the vulnerabilities patched, but also to make sure those fixes actually made their way into the affected devices in the building.

There are several steps that building automation management companies and manufacturers can do to improve security at a basic level:

  • The vulnerabilities we used to gain access could have been prevented by the software manufacturer employing secure engineering and coding practices. These would have allowed the manufacturer to better design controls for who has access to the software, avoid information leakage and include better password encryption.
  • Use application security scanning tools to identify flaws in software and applications before they are deployed.
  • Implement IP address restrictions to connect to the building automation system devices, especially if using public Internet.
  • If possible, disable remote administration features and unnecessary ports on wireless routers. If remote administration is required for business purposes, add controls like two-factor authentication and login anomaly detection.
  • Security incident and event management (SIEM) systems can be used to scan network activity between the router, BAS system and embedded devices to identify suspicious activity on the network.
  • Stronger network security rules should be used on all devices — specifically, safer password practices would have gone a long way toward preventing the attack. Never reuse or share passwords between devices and avoid making these passwords predictable. Never store passwords in cleartext.
  • Ensure that all your device software is up to date since new security issues are found every day.

Changing mindsets, policies and technologies to create secure connected buildings will take time, effort and investment. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces in order to protect their building, employees and data. Continued research in this field will be critical to raise awareness about a growing problem with potentially catastrophic consequences.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Application Security

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

4 min read - Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

4 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read