IBM Research Calls Out Smart Building Risks

A test of building management software found that it was often weakly protected and Internet connected.

In-brief: IBM researchers are warning that building automation systems pose a security risk to companies – and one that few companies take seriously. 

IBM researchers are warning that building automation systems used to power so-called “smart buildings” pose a security risk to companies – and one that few companies take seriously.

A survey of building automation system software by researchers at IBM X-Force found that the systems suffer from a range of security issues, including weak authentication and authorization controls. Administrative web interfaces used to provide remote access to the systems are also vulnerable to application-based attacks and lack basic security controls, said X-Force researcher Paul Ionescu.

Ionescu and other X-Force researchers put their skills to the test with an established building management firm in North America, and found that a range of predictable security flaws left the system available to remote hacks.

In a “red team” exercise performed for the firm, the IBM researchers found they were able to compromise the company’s main monitoring and control server, which was used to manage several locations in North America. Ionescu told Security Ledger that the attack exploited a weakly secured D-Link router that was used to link the building automation system to the Internet.

A flaw in the system diagnostics page in the building automation software allowed the X-Force researchers to access configuration settings for the device, including encrypted passwords. From there, they were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America, he said.

The attackers then drove by the facility where the software was deployed and were able to gain access to the central command server by using that password and connecting to the system from outside the building through the Wi-Fi network, he told Security Ledger.

The combination of weak security, Internet connectivity and vulnerable systems is common in the building management sector, exposing companies that own or even rent space in modern office buildings to attack, said Diana Kelly, Executive Security Advisor at IBM.

Building automation systems are increasingly Internet connected and have played a role in high-profile hacks. For example, the compromise of Target Stores in 2014 was linked to heating, ventilation and air conditioning (HVAC) systems running within Target’s headquarters. In 2012, the FBI issued an alert to businesses after unknown attackers breached a computer used to control the HVAC system of a New Jersey company, accessing a graphical user interface for the system, including a floor plan layout of the company’s office.

IBM notes a recent survey that found that 84% of facility managers surveyed reported that their building automation systems are connected to the Internet, while just 29% had taken action or were in the process of taking action to improve cybersecurity for their Internet-connected systems.

Kelly said that organizations that are worried about cyber attacks need to pay more attention to building automation software that may be in use within their facility. Building automation software should be isolated from the rest of their network. Building management firms should also actively manage the software: applying patches and monitoring for unusual activity, in the same way that other software applications are managed.

Companies should vet building management vendors carefully, building security hygiene requirements into service level agreements or contracts. Building management systems that are directly under the control of a company should be monitored alongside other IT assets, Kelly said.

“It’s really about making your architecture ‘cyber’ aware,” she said.
