Enterprise security vendor ForeScout’s operational technology (OT) research unit has developed proof-of-concept (PoC) malware that demonstrates how building automation systems (BAS) can be compromised through two critical bugs in a BAS programmable logic controller (PLC).
ForeScout researchers report that the first bug is the use of a hard-coded secret to encrypt stored user passwords, which allows an attacker to recover the device’s valid user credentials. The second is a buffer overflow that allows remote code execution on the PLC.
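To make the first bug concrete, the following Python is an added illustration (not ForeScout’s code and not the PLC’s actual scheme): a constructed toy store that “encrypts” passwords with a secret baked into the firmware, beside the hardened form, a salted, iterated one-way hash. The point it shows is that reversible storage under a fixed key is only as secret as the firmware image, and that a storage scheme producing identical blobs for identical passwords on different devices is a tell an auditor can check for. `FIRMWARE_SECRET` and the XOR keystream are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the weak pattern: a secret shipped inside every
# firmware image. Assumption for illustration only, not the real PLC key.
FIRMWARE_SECRET = b"example-hardcoded-secret"


def _keystream(secret: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(secret || counter), repeated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_store(password: str) -> bytes:
    """Reversible 'encryption' under a fixed key: what the weak scheme amounts to."""
    data = password.encode()
    ks = _keystream(FIRMWARE_SECRET, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def weak_recover(stored: bytes) -> str:
    """Anyone holding the firmware secret turns the stored blob back into the password."""
    ks = _keystream(FIRMWARE_SECRET, len(stored))
    return bytes(a ^ b for a, b in zip(stored, ks)).decode()


def weak_scheme_is_deterministic(password: str) -> bool:
    """Audit check: storing the same password twice yields the same blob (no salt)."""
    return weak_store(password) == weak_store(password)


# Hardened form: per-record salt plus an iterated one-way hash. Nothing in the
# firmware can reverse this; the device can only verify a candidate password.
PBKDF2_ITERATIONS = 200_000


def strong_store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); the salt is random per record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def strong_scheme_is_deterministic(password: str) -> bool:
    """Same check as above: with a random salt, two stores never match."""
    return strong_store(password)[1] == strong_store(password)[1]


if __name__ == "__main__":
    pw = "Operator!23"  # constructed sample password
    blob = weak_store(pw)
    print("weak blob recovered:", weak_recover(blob))
    print("weak scheme deterministic:", weak_scheme_is_deterministic(pw))
    salt, digest = strong_store(pw)
    print("strong verify:", strong_verify(pw, salt, digest))
    print("strong scheme deterministic:", strong_scheme_is_deterministic(pw))
```

When reviewing a device’s credential storage, the deterministic check is the quick signal: if two devices (or two accounts) with the same password hold byte-identical blobs, the scheme is unsalted and, if any secret is recoverable from firmware, reversible.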
Air-conditioned apocalypse: A blackout scenario involving smart climate control devices
Researchers noted that the attacks enabled by these flaws range from arbitrary file detection and cross-site scripting (XSS) to path traversal and authentication bypass. The bugs were identified in the gateway protocols and PLCs of building automation systems. The PoC malware can target HVAC, surveillance, and access control systems in modern smart buildings.
The PoC malware also chains the two vulnerabilities with several previously discovered flaws, according to the white paper ForeScout released alongside a presentation by CTO Elisa Costante at the S4x19 industrial control systems cybersecurity conference.
Data aggregated from two mainstream search engines that index internet-connected hardware showed thousands of devices currently exposed to these bugs. It is worth noting that the malware can attack industrial control systems (ICS) quite easily.
In the white paper, ForeScout researchers explain that the attack surface of BAS is expanding rapidly because of the heavy integration of IoT devices into these systems. As a result, threat actors can exploit such vulnerabilities to launch attacks: for instance, abusing HVAC devices to cause overheating in data centers, or gaining unauthorized entry by compromising physical access control systems.
This is a dangerous scenario because a BAS network is extensive: beyond HVAC and access control, it includes critical infrastructure such as elevators, fire alarms, energy production units, and video surveillance. Such infrastructure is part of almost every building, from airports and hospitals to data centers, schools, and stadiums.
Researchers noted that their malware can attack a BAS network in the following four ways:
- Exploit publicly accessible PLCs that operate the actuators and sensors
- Exploit the workstations that manage the whole BAS in order to reach the PLCs
- Attack publicly accessible IoT devices such as a router or IP camera to gain a foothold in the network, then move on to workstations and other systems
- Gain physical access to the air-gapped network in order to enter it and reach the PLCs