Vulnerability discovered in Building Management Systems connected to the Internet

Vulnerable Building management systems connected to the internet can be hacked, disruptions and damage can be caused by remote entities

Internet-connected building devices used in commercial and industrial properties are now vulnerable to a new malicious attack, according to cybersecurity research experts. According to Bertin Bervis, a security researcher focused on offensive security, reverse engineering and network attacks and defense, this vulnerability exploits the properties in the building automation protocol (BACNET) which enables technicians and engineers performing monitoring, setup changes and remote control of a wide range of key smart systems that impact temperature control, and other monitoring systems.

Bervis said he analysed several building automation devices with built-in web applications for remote monitoring and control. BACnet is a communications protocol for Building Automation and Control (BAC) networks that leverage the ASHRAE, ANSI, and ISO 16484-5 standard protocol.

The BACnet protocol is designed to enable technicians and engineers be able to setup, monitor and control a wide range of critical systems via built-in web applications, but a vulnerability in the protocol can be exploited by attackers, according to Bertin Brevis.

The research is focused on internet-connected devices and industrial protocols and is focused on analyzing web servers on the wild and exploiting their vulnerabilities.

“Mixing industrial protocols with web application flaws in order to exploit devices connected to the internet” was a research paper presented at the DEF CON IoT Village at the Flamingo Hotel. DEF CON IoT Village is organized by security consulting and research firm Independent Security Evaluators.

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

“Remote attackers can jump from that point to another using a technique to steal sensitive information from technicians or engineers who interacts directly with the infected devices,” Bervis said. “It opens a new door for remote attacks without touching or interacting with the web application in those devices. The attacker only needs an insecure building automation protocol to modify the data.”

What this essentially means is that the vulnerability can be used by those with malicious intent to modify the web application code by injecting JavaScript code in the Bacnet device, abusing the read/write properties from the Bacnet protocol itself.

The code is stored in the Bacnet database helping the attacker to achieve persistence on browser devices that are used in building environments or industrial facilities that connect viaBACnet.

The web applications allow malicious code modification in specific elements taken directly from the protocol level user interaction and protocol level database information changes, which means any data change performed directly from protocol interaction can modify pieces of code in the whole web application in a persistent way.

According to experts, remote attacks via Building Management Systems connected to the Internet may be a new worrying vector.

“It opens a new door for remote attacks without touching or interacting with the web application in those devices. The attacker only needs an insecure building automation protocol to modify the data.” He added.

Bervis also said he disclosed the vulnerabilities to the manufacturers of the affected devices however, has received no response.

This is not an isolated incident in this sphere. Some days earlier, researchers at McAfee demonstrated how vulnerability in a commonly used industrial control system from Delta Controls could allow hackers to take complete control of the operating system. This proved that the security challenges in internet of things-connected (IoT) devices and the need to focus on security in operation technology (OT) environments.

The vulnerability, tracked as CVE-2019-9569, was discovered by researchers from security firm McAfee and affects enteliBUS Manager (eBMGR), a control system that can be used to manage different I/O switches connected to things like sensors, alarms, motors, locks, valves and other industrial equipment. The system can also serve as a router for linking multiple Building Automation Control Network (BACnet) segments.

To demonstrate the attack, the McAfee researchers created an exploit that deploys a malware program on the device which gives attackers remote control capabilities over the device. While exploit code was not released it is clear that the system is vulnerable.

The control system was made by Delta Controls, which quickly and effectively managed the issue and has even released a firmware update, however systems without the update still remain under threat.

Vidya Lakshmi

IndustrialCyber Editor & Features Vidya is a freelance journalist with over 10 years of experience in business journalism. She started her career reporting on U.S. equities markets and later moved to niche financial news. She developed an interest in ICS cybersecurity after researching some incidents and reading about it online.