As discussed in previous posts on our blog, securing building automation systems (BAS) has been an active area of research at SecurityMatters (now Forescout) for the past couple of years.
It’s well known that cybersecurity is a constant game of cat and mouse, where both attackers and defenders are constantly evolving. Although we spent most of our time on the defensive side, our research activities involve thinking like an attacker to better defend the networks of our customers. This is useful not only to understand and defeat current tactics, techniques and procedures (TTPs) used by real-world malicious actors, but also to anticipate future threats.
Recently, the OT research team at Forescout performed an exercise in vulnerability and malware research for devices commonly used in BAS networks. Our goal was to create a proof-of-concept malware targeting building automation networks to raise awareness about a problem that we believe will become increasingly serious in the coming years. Although we haven’t yet seen malware specially crafted for smart buildings, malicious software targeting industrial control systems (ICS) have seen enormous growth in the past decade (see, e.g., Industroyer, TRITON, and the more recent GreyEnergy). These attacks can be devastating, and we believe that malware targeting smart buildings is an inevitable next step.
The main results of our research efforts were reported in a white paper and presented at the recent S4x19 conference. These results include:
- An analysis of the security landscape for building automation systems and networks
- The discovery and responsible disclosure of previously unknown vulnerabilities in building automation devices
- The development of a proof-of-concept malware that persists on devices at the automation level
- A discussion on how SilentDefense can help protect building automation systems by promptly detecting threats
The malware described in the white paper uses both new vulnerabilities found by our team (e.g., buffer overflow, hardcoded secrets, and severe device misconfigurations) and recent vulnerabilities found by others. In the white paper, we highlight the increased attack surface due to the introduction of IoT devices into building automation networks, detail attack scenarios that can be used by a malware to disrupt such networks, and outline the consequences of such an attack in two critical subsystems of many facilities:
- HVAC – Changing temperature setpoints or crashing devices used for heating, ventilation, and air conditioning (HVAC) can take data centres used by large companies to store and process sensitive data such as financial information offline, as well as harm people in facilities where these devices are vital, such as tunnels and mines
- Physical access control – These systems are used to grant or deny access to certain areas of a building in places such as office spaces, but also in critical facilities such as airports and hospitals. An attacker who has access to the automation network of these buildings could control the doors to gain access to forbidden areas or deny access to otherwise authorised personnel.
In this post, we want to highlight some of the vulnerabilities found during the research and development of the malware and have divided these vulnerabilities in two groups:
1. Two high severity vulnerabilities that were used in the malware
2. Five vulnerabilities affecting other vendors that were not used in the final attack because they were out of the scope for the attack path that we implemented and because most of them have a low severity in the context of a BAS
- High severity
These vulnerabilities allow a remote attacker to execute arbitrary code on the target device (a common access control PLC) and gain complete control of it. When we contacted the vendor about these issues, they informed us that the issues were already known and patched, but they were never publicly disclosed. Therefore, we’ll keep the vendor and affected device anonymous, but give some details on the vulnerabilities:
- Hardcoded secret – We found an encryption function using a hardcoded secret to store user passwords. This weakness allows an attacker to obtain the credentials of valid users of the device.
- Buffer overflow – We found a buffer overflow leading to remote code execution on the PLC, which allows an attacker to take full control of the device.
Even if these two issues are not 0-days in the proper sense (since they were known by the vendor and a patch existed for them), and they affect older versions of the framework used in the access control PLC (the versions we tested were from June 2013), they are still very serious for at least one reason, which is common to ICS, IoT, and BAS devices: the myriad of devices available online (and probably many more not directly exposed) that can still be exploited because they are unpatched (see the conclusion of this post).
More details on these vulnerabilities are reported in the white paper.
- Lower severity vulnerabilities
These vulnerabilities affect the web services that run in two BAS devices and are used to manage them either in the internal network or even remotely. They all result from improper sanitisation of output, e.g., cross-site scripting (XSS), or improper validation of user-input data, e.g., path traversal and authentication bypass.
The vulnerabilities found by our team are summarised in the table below. Each discovered vulnerability was reported to the responsible vendor and subsequently patched, as shown in the Notes column.
CVE | Vulnerability Type | Notes |
CVE-2018-14919 | XSS | Patched in firmware version 6.4.2 |
CVE-2018-14918 | Path traversal | Patched in firmware version 6.4.2 |
CVE-2018-14916 | Arbitrary file deletion | Patched in firmware version 6.4.2 |
CVE-2018-15820 | XSS | Patched in application version 2.0.5.27 |
CVE-2018-15819 | Authentication bypass | Patched in application version 2.0.5.27 |
The XSS vulnerabilities (CVE-2018-14919, CVE-2018-15820) allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting device administrator to access cookies, session tokens, or other sensitive information, or to perform malicious actions on behalf of the user. Besides accessing sensitive information, XSS attacks can be used for internal network discovery and traffic tunneling using tools such as BeEF. Stored XSS allows an attacker to store the malicious script in the application, potentially executing it for every user that accesses the application. Reflected XSS, on the other hand, allows the attacker to send a non-persistent request containing the malicious script to a targeted user.
The path traversal and file deletion vulnerabilities (CVE-2018-14918 and CVE-2018-14916) allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read or delete system and configuration files containing information such as usernames and passwords.
The authentication bypass vulnerability (CVE-2018-15819) allows an attacker to execute privileged requests in the vulnerable application without possessing valid credentials, by manipulating the session identifier sent in the request. Any string of the same size as a valid identifier is accepted. In this specific instance, the attacker can even steal the credential information of application users, including plaintext passwords.
Conclusion
Besides the vulnerabilities reported here, we also found severe misconfigurations on a second-hand workstation used to manage building automation devices, which allowed us to obtain remote code execution and finally administrator privileges on the running operating system. In this case, the vendor claimed that these issues were introduced by the integrator.
The fact that these kinds of vulnerabilities, which are simple to find and fix but also very simple to exploit, are still present in devices potentially used in critical buildings is alarming.
Another worrying fact is that these vulnerable devices can be found remotely accessible with publicly reachable network addresses using search engines such as Shodan and Censys. Using these search engines, we found 279 instances of the two devices mentioned in the table of low severity vulnerabilities (or similar devices from the same manufacturers, using the same vulnerable software), out of which 214 (76%) were potentially vulnerable. We also found 21,621 instances of devices like the access control PLC mentioned in the high severity issues, out of which 7980 (37%) were potentially vulnerable. Unfortunately, many of these devices seem to be located in hospitals and schools according to the information displayed in the banners captured by the search engines.
The results of this research highlight the need to make building automation systems more cyber resilient with an efficient network security monitoring solution, such as SilentDefense.
If you would like to learn more about the importance of network monitoring for BAS, watch our video or schedule a consultation with a cyber resilience expert.