Exploring Building Security: Now and Future
Jimmy C. Chau
Ph.D. Candidate
Boston University
6/23/2014
Overview
• Cyber-security threats to buildings
• Billy Rios (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014
• Context
  – Traditional (Low-Tech)
  – Future (Smart Buildings)
Timeline
Smart Grid Integration
Smart Rooms (and Smart Spaces)
Facility Management Systems
Manual Control
Modern Buildings
Traditional Building Vulnerabilities
OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
On to Billy Rios’s Blackhat 2014 presentation…
Presentation Summary
• Covers two facility management systems
  – Niagara Framework (Tridium)
  – MetaSys (Johnson Controls)
• Password retrieval vulnerabilities
  – Then privilege escalation
• Vendor response
  – Fixed by security patches in Niagara Framework
  – No response for MetaSys
• (Local/on-site attacks)
Tridium Niagara AX Framework
• Rios (Blackhat 2014):
  – Unauthenticated user can retrieve encoded password
  – Decoded password gives admin access
  – Privilege escalation to get SYSTEM on device
• ICSA-12-228-01A
  – Predictable session IDs
  – Base64-encoded username and password in cookies
  – Directory traversal (read parent directories)
  – Authentication credentials stored in config.bog
• Wired (Kim Zetter, Feb. 6, 2013)
  – Privilege escalation bug in SoftJACE
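An added example (not from the slides or from ICS-CERT): a defender-side audit for two of the ICSA-12-228-01A weakness classes listed above, flagging cookies whose Base64 plaintext looks like user:password and session IDs issued with a constant step. The cookie names, sample values and function names are constructed for illustration and are not Niagara's actual ones.

```python
import base64
import binascii
import re

# Constructed sample data; cookie names and values are hypothetical, not Niagara's.
SAMPLE_COOKIES = {
    "auth": base64.b64encode(b"admin:Winter2014!").decode(),
    "theme": "dark",  # valid Base64 alphabet, but decodes to non-text bytes
    "csrf": "f3a9c1d2-7b8e-4c60-a1d5-e7729b04c8ee",
}
SAMPLE_SESSION_IDS = ["1000042", "1000043", "1000044", "1000045"]

# Printable-ASCII "user:password" shape.
CRED_SHAPE = re.compile(r"[\x21-\x7e]{1,64}:[\x20-\x7e]{1,128}")


def decodes_to_credentials(value):
    """True if value is strict Base64 whose plaintext looks like user:password."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # not Base64, or not ASCII text
        return False
    return CRED_SHAPE.fullmatch(text) is not None


def looks_sequential(ids):
    """True if IDs issued back to back are integers separated by one constant step."""
    try:
        nums = [int(i, 16) for i in ids]  # accepts decimal-looking and hex IDs
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 3 and len(steps) == 1


def audit(cookies, issued_session_ids):
    """Return findings for one captured response and a run of freshly issued IDs."""
    findings = [
        f"cookie '{name}' carries Base64-encoded credentials"
        for name, value in cookies.items()
        if decodes_to_credentials(value)
    ]
    if looks_sequential(issued_session_ids):
        findings.append("session IDs advance by a constant step")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COOKIES, SAMPLE_SESSION_IDS):
        print(finding)
```

Base64 is an encoding, not encryption, so a cookie flagged here exposes the credentials to anything that can read the cookie.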
Johnson Controls MetaSys
• Windows CE
  – Typically has unauthenticated telnet & FTP
  – Docs indicate that telnet & FTP can be enabled
  – Inspect filesystem
• Download & decompile .NET web services
• Found services to
  – Get directory listings
  – Upload arbitrary files to anywhere
  – Get user password hash (without authentication)
Really a Problem?
• Rios:
  – Shodan: 21,000 Tridium Systems on the Internet
  – Identified over 50,000 Internet-exposed buildings
• ICS-CERT Monitor (Jan-Mar 2013):
  – Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS
  – A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures
SMART GRID AND SMART SPACES
Into the future
Smart Grid
Power
Smart Meter Electrical Grid
Network
Data
Hart 1992
Smart Rooms
Smart Room System
Privacy
Future Building Security Issues
• Many new privacy and security problems
• Access control
• k-anonymity
• Differential privacy
• Requires activity monitoring
• Distinguish “good” from “bad” use
References
• Billy Rios. “Owning a Building: Access Control and Facility Management Systems”. Blackhat 2014. http://www.blackhat.com/docs/asia-14/materials/Rios/Asia-14-Rios-Owning-A-Building-Exploiting-Access-Control-And-Facility-Management.pdf
• ICSA-12-228-01A. “Tridium Niagara Vulnerabilities (Update A)”. ICS-CERT. http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A
• Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, 2013. http://www.wired.com/2013/02/tridium-niagara-zero-day/
• Johnson Controls docs (about telnet and FTP):
  – p.15: http://cgproducts.johnsoncontrols.com/met_pdf/1201993.pdf
  – p.26: http://cgproducts.johnsoncontrols.com/MET_PDF/1201990.pdf
• Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p.1870-1891. 1992.
• Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p.556-564. 2013.
Thanks for Listening! Questions?
Images (used with permission)
• Old house: http://fc02.deviantart.net/fs44/i/2009/102/0/a/Spooky_Old_House_1_by_Ranald101.jpg
• Smart grid: https://www.e-education.psu.edu/drupal6/files/engr312/lesson05/dynamic_infrastructure.jpg
• Back door: http://farm7.staticflickr.com/6100/6322575335_22a7b52c74_z.jpg
• Broken window: http://farm3.staticflickr.com/2097/2098210283_8da0e23ecb_z.jpg
• Kicking door: http://content.artofmanliness.com/uploads/2011/10/Breaking-Doors.jpg
• Trojan horse: http://farm3.staticflickr.com/2141/2403154755_7e74984b36.jpg
• Lock-picking: http://upload.wikimedia.org/wikipedia/commons/thumb/9/9e/Pin_and_tumbler_lock_picking.PNG/220px-Pin_and_tumbler_lock_picking.PNG