Britain's freezing weather has reanimated the issue of insecure building control systems.
Security researchers at Pen Test Partners have discovered that the web interfaces of heating controllers in many schools are accessible on the public internet and fundamentally insecure. The problem largely stems from lax installers who have disregarded installation advice rather than kit manufacturers, according to PTP.
Many UK schools are already closed because of the snow in much of the country and general cold weather. The presence of heating controllers on the open web – coupled with authentication bypass security shortcomings – make it possible for miscreants to turn heating off during the current cold snap.
Among the insecure systems accessible on the open net was one controlling the heating at an infants school in Chelmsford, Essex.
Shodan search throws up web control panel for building management system of an Essex school [Source: PTP]
The problem is far from limited to schools. Queries to the Internet of Things search engine Shodan by PTP have revealed the same vulnerable kit and set-ups are present in government offices, universities, fire stations and even a restaurant.
PTP is highlighting the issue, of which mischievous hackers would already be aware, to raise awareness and to encourage building owners to ensure systems are set up correctly.
Ken Munro, a security consultant at Pen Test Partners, and his colleagues have looked into the issue before (first in 2006 and later 2013) but it has not yet been picked up by manufacturers or (more importantly) heating and air conditioning installation engineers.
Shodan searches threw up hits for building controllers made by Trend Controls, Mitsubishi, BACnet and more. Some of these devices are vulnerable, have weak or no authentication (meaning they are easy to take over) or "wobbly" web interfaces that make it easy to crash built-in web servers, as demonstrated by previous research.
During recent tests comparing a used 2013 model of the same controller and a brand new 2017 controller from the same vendor, Munro discovered continuing cause for concern. Some of the accessed systems have already been hacked.
"The controller security has improved some, but we've found large numbers installed on the public internet, unprotected, with complete authentication bypass in some cases," he writes.
"We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations.
"We also found some that had already been compromised to a point by malware. Further compromise would be trivial."
In at least some of these cases the malware was an opportunistic infection by a crypto-mining worm that had been dropped onto controllers and wouldn't run on the devices. But that is no excuse for complacency.
Bob the bodger
Most of these issues have been caused by HVAC [heating, ventilation and air conditioning] and building management system installers, rather than the vendor. Trend Controls, for example, tells installers (PDF) that its devices should be on isolated subnets and never exposed to the internet.
Despite this, Munro found more than a thousand insecure Trend Controls on the net within seconds through a simple Shodan search.
"The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements, though," Munro said.
The issue of insecure building management systems is far from purely a seasonal concern.
"Smart building controllers manage door access control, heating, ventilation and air conditioning and much more," Munro notes. "Remember the Target breach in the US? The ingress point was believed to be their HVAC management company."
Authentication bypass vulnerabilities present in some of the systems open the door to a range of hacking possibilities far beyond messing with heating controls. These include unlocking doors, setting off alarms and using compromised controllers as a stepping stone into the corporate network. Dodgy insiders might be just as much a problem as external hackers in many scenarios.
"Building management systems are often installed by electricians and HVAC engineers who simply don't understand security," Munro concludes.
"Ask questions about what 'stealth' technology is in your buildings. Ask the guys who look after your HVAC how it's monitored and managed. While you're there, ask about your door controllers and your IP alarm systems.
"BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible." ®