The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

On Trend - Can Hackers Turn The Heat Off?

15 December 2017
 

Ken Munro of Pen Test Partners has written a blog; the original, with more pictures, can be accessed here.

Munro says he has found weaknesses in a number of BMS modules that will allow hackers to turn the heat off...or get up to even more mischief if they wish.

The blog is reproduced here with minor edits, reordering and redactions. ThisWeekinFM does not approve, corroborate or endorse Munro's statements.

 

It’s cold out there today isn’t it? Good job offices and schools are lovely and toasty thanks to well maintained heating systems. I mean, if someone were to find a way to hack them, over the internet and turn them off it could cause mild chaos. Which reminded me…

Way back in 2006, I was given a Trend IQ3 Building Management System (BMS) controller. My interest was piqued as these devices were being installed in Heathrow’s Terminal 5, according to the manufacturer's press release.

Smart building controllers manage door access control, heating, ventilation and air conditioning and much more. Remember the Target breach in the US? The ingress point was believed to be their HVAC management company.

I’ve just taken delivery of a used 2013 model of the same controller and a brand new 2017 controller from the same vendor. So, has anything improved?

Yes and no. The controller security has improved some but we’ve found large numbers installed on the public internet, unprotected, with complete authentication bypass in some cases!

We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations.

We also found some that had already been compromised to a point by malware. Further compromise would be trivial.

 

It’s about lax installers NOT vendors

Most of these issues have been caused by HVAC & BMS installers, rather than the vendor. The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though.

I tried to disclose responsibly at the time but got nowhere with the vendor. The story had a little coverage in the press – smart buildings weren’t a big thing at the time.

I presented the findings to GCHQ and the industry at the old CHECKCON conference too.

 

The vulnerabilities we found

The 2006 IQ3 Excite building management controller. This one is running firmware version 1.2.6.2, here’s a list of what we found:

Plaintext authentication - authentication bypass for embedded web server (see below).

Reflected XSS on various parameters (reported again in 2013 by Darius Freamon, 7 years after it was first found).

Trivial session hijacking through incremental session IDs (e.g. http://192.168.0.244/modules.htm?param0=22, simply incrementing with every request).

And a really fun memory leak into broadcast UDP packets – ‘test1’ was the password set.

Trivial fuzzing causes a DoS & possibly a buffer overflow. When fuzzed over FTP with APPE $P at size 513, the FTP server crashes. But even more amusingly, $P is then found being broadcast over the network from the controller, which is clearly operating in a very odd state.

 

Manufacturer security advice

Trend Controls, the manufacturer, offers some reasonable advice for installers. They make the point that these devices should be on isolated subnets and never exposed to the internet.

That’s good advice, though what efforts have Trend Controls made to ensure and audit their installers to ensure they aren’t installing insecurely? It took me less than 10 seconds to find >1000 exposed, vulnerable Trend controllers.

This advice also assumes that the threat is only from an attacker on the public internet. These controllers are found in quiet areas of buildings, hopefully in locked plant rooms and electrical panels. Ideal for the social engineer. Also, compromise the guy who manages the building, pop his PC and you can potentially unlock doors to order.

 

IQ3 Excite 2013 model, used

I bought this used from eBay. The firmware version was more recent and most of the significant flaws had been fixed. Authentication bypass was still possible in default configuration.

 

IQ412 Excite, latest 2017 model, new and unused

The XSS from 2006 has now been fixed, though we think there’s still a convoluted XSS present. There’s also plenty of opportunity for CSRF. Auth bypass was still present. If the ‘guest’ user has not been created, anyone can add it.

 

Shodan searches

www.shodanhq.com couldn’t be better suited to finding these controllers. Installers helpfully name the controllers right at the top of the embedded web server home page. With a search for the names of a couple of types of controller I got greater than 1,000 hits without trying hard.

 

Compromised controllers, serving malware?

Many of these controllers also have FTP enabled, often with simple, default or blank credentials. Whilst clicking through the web UI of a BMS controller, anti-virus popped up. On poking around further, it appears that a number of these controllers have been compromised over FTP by a crypto mining worm: Win32/Crytes.

We don’t think that the worm can actually execute on the controller but it has successfully dropped an infection marker into the web page covering network config (modules | networks). We found the same marker on multiple controllers on the internet. Whilst on this occasion the vendor/installer/clients have dodged a bullet, it would not be difficult to write malware that did successfully infect these controllers.

 

Searching for other BMS controller brands

Trend Controls aren’t the only BMS controllers we’ve found available on the public internet. Useful Shodan searches include:

“G50” – the Mitsubishi G50 BMS

“Saia PCD BMS Web Server” – this features plaintext login. There’s no username, just a password!

“Conquest BACnet Controller” – default creds of admin/admin are common

“BACnet Communication Module”

“ACP BACnet”

“Distech Controls BACnet Router Configuration”

“Server: BACnet4Linux”

“SIP Modbus Trend”

Not really a BMS, but searching for “webrelay” will find you very simple, insecure online relays. Amusingly, we’ve found that the relays will actually trigger if you port scan them hard! We achieved this consistently on two we bought for testing.

 

Conclusion

Building management systems are often installed by electricians and HVAC engineers who simply don’t understand security.

Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. Whilst you’re there, ask about your door controllers and your IP alarm systems.

BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible.

Picture: Main - for illustration. Below - Ken Munro’s 'hacked' BMS controllers

 

Article written by Ken Munro of Pen Test Partners | Published 15 December 2017
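The incremental session ID flaw Munro describes above (param0=22, 23, 24 ...) is worth seeing beside its fix. The following is an added illustration, not code from Trend's controllers or from Pen Test Partners: a constructed model of the counter-style issuer, the usual CSPRNG-based replacement, and a small audit check an engineer can run over a handful of tokens collected from their own controller's login page to see whether they are sequential.

```python
import secrets


class LegacySessionIssuer:
    """Constructed model of the behaviour described in the post: the
    session parameter is a plain counter that increments on every
    request, so anyone holding one ID can guess its neighbours."""

    def __init__(self, start: int = 22) -> None:
        self._next = start

    def issue(self) -> str:
        sid = str(self._next)
        self._next += 1
        return sid


class HardenedSessionIssuer:
    """The usual fix: 128 bits from the OS CSPRNG per session. Successive
    IDs share no structure, so observing one tells you nothing about
    any other live session."""

    def issue(self) -> str:
        return secrets.token_hex(16)


def sample(issuer, count: int) -> list[str]:
    """Collect `count` fresh IDs from an issuer (stand-in for fetching the
    login page repeatedly and recording the session parameter)."""
    return [issuer.issue() for _ in range(count)]


def is_sequential(ids: list[str], base: int = 10) -> bool:
    """Audit check: True when every successive pair of IDs differs by the
    same step, i.e. the tokens are a counter and session hijacking is a
    matter of adding one. Needs at least three samples to be meaningful."""
    values = [int(s, base) for s in ids]
    if len(values) < 3:
        raise ValueError("need at least three session IDs to judge")
    steps = {later - earlier for earlier, later in zip(values, values[1:])}
    return len(steps) == 1


if __name__ == "__main__":
    print("legacy sequential? ", is_sequential(sample(LegacySessionIssuer(), 5)))
    print("hardened sequential?", is_sequential(sample(HardenedSessionIssuer(), 5), base=16))
```

A controller whose tokens pass `is_sequential` should be treated as having no session security at all, whatever the login page looks like.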
