An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security.
The IBM X-Force team of Paul Ionescu, Jonathan Fitz-Gerald, John Zuccato, and Warren Moynihan, along with Akamai engineer Brennan Brazeau, conducted the test on an unnamed business with multiple offices.
The team owned several buildings through the internet-facing building automation system which sported a controller, sensors, and thermostats.
"[We could] take control of the individual building system, but also gain access to a central server … which could extend control to several other geographically dispersed buildings," the team wrote in a report (PDF).
The hackers say they found exposed administration ports in the company's first building, gaining access to a D-Link panel enabled to allow remote monitoring, and an environmental reporting web server used by the building controller device.
The team say that "... by adding an extra carriage return after the page request it was possible to bypass the router’s authentication."
They found command injection vulnerabilities in the router and found a list of commands in the firmware source code.
They found a cleartext password in the router's var directory that not only granted more router pwnage but, thanks to password-reuse, allowed them to compromise the building management system.
"Had the router password been encrypted or if a different password had been used, it would have been much harder … to access the building automation controller."
The building automation system server used a different password and so the hacking gang turned to Google and found the embedded device software ran diagnostic pages allowing for command execution.
Some URL flipping led to remote code execution and a configuration file contained within coughed up the softly-encrypted admin credentials.
"To prevent such an attack, keys should be dynamically generated based on device characteristics [meaning] attackers would need complete access to the system to be able to decrypt the password."
The building automation system vendor says the service should not be exposed and therefore did not patch the device.
The final step required the hackers to drive to the company's car park to get around the admin's IP address whitelisting set on the building automation system server. The D-Link was whitelisted so the team used the previously stolen credentials to log into the wireless.
Admins should ensure devices are patched; IP addresses are whitelisted; firewalls are up; unnecessary remote access is down, and passwords are unique. ®