New vulnerability found in internet-connected building automation devices
Critical internet-connected smart building devices used in many commercial and industrial properties, have been found to be vulnerable to a new malicious attack. This is according to a report from cybersecurity researcher Bertin Bervis.
The vulnerability exploits the properties in the building automation protocol (Bacnet) which enables technicians and engineers performing monitoring, setup changes and remote control of a wide range of key smart systems that impact temperature control, and other monitoring systems. Bervis analysed several building automation devices with built-in web applications for remote monitoring and control. They were disclosed to manufacturers who didn’t respond.
The research entitled Mixing industrial protocols with web application flaws in order to exploit devices connected to the internet, was presented at the DEF CON IoT Village at the Flamingo Hotel. DEF CON IoT Village is organised by security consulting and research firm Independent Security Evaluators.
The attacker is able to maliciously modify the system’s web application code by injecting javascript code in the Bacnet device, abusing the read/write properties from the Bacnet protocol itself. The code is stored in the Bacnet database helping the attacker to achieve persistence on browser devices that are used in building environments or industrial facilities that connect via BACnet.
The web applications allow malicious code modification in specific elements taken directly from the protocol level user interaction and protocol level database information changes, which means any data change performed directly from protocol interaction can modify pieces of code in the whole web application in a persistent way.
“Remote attackers can jump from that point to another using this technique to steal sensitive information from technicians or engineers who interacts directly with the infected devices,” Bervis says. “It opens a new door for remote attacks without touching or interacting with the web application in those devices. The attacker only needs an insecure building automation protocol to modify the data.”
Bertin Bervis is an independent cyber security researcher from Costa Rica. He has been a featured speaker at DEF CON, Ekoparty and other technical conferences worldwide. His research is focused on internet-connected devices and industrial protocols and is focused on analysing web servers on the wild and exploiting their vulnerabilities. Presentation is available on request.
IoT Village was founded by Independent Security Evaluators as a platform to educate, inform, and empower, IoT Village is a security research community that brings together the brightest minds from security researchers, product manufacturers, solution providers, and academics in order to collaborate on solving the security challenges that plague IoT.
It consists of many programming elements: talks, exploit demos, zero-day hunting contests, capture the flag style contests, and other hacktivites. As a security research platform, IoT Village has represented the discovery and publication of more than 300 zero-day vulnerabilities – previously unknown, critical security vulnerabilities that are readily exploitable in systems that are already out in the market being used by consumers, businesses, and governments alike. These critical issues afflict more than 50 different IoT device types.
Independent Security Evaluators (ISE) is a security consulting firm specialising in application, network, and blockchain vulnerability assessments, as well as training and secure software development for companies protecting high-value assets who may be frequently targeted. Our adversary-centric approach to security has proven highly effective for bolstering our clients’ defensive security postures. ISE analysts are also active in the security research community, speaking at conferences about relevant security issues and providing the public with cutting edge threat-based advisories. ISE is headquartered in Baltimore, with offices in San Diego and Los Angeles. For more information, visit here. Click here to subscribe to the ISE blog.
Comment on this article below or via Twitter @IoTGN