Summary: Two security researchers have had to point out old and unpatched vulnerabilities in the software responsible for Google's building management systems to get the web giant to take action.
For a period of time, hackers could have turned up the heat at
Google's Australian offices, with the systems responsible for
controlling the heating, ventilation, and air conditioning being
vulnerable to take-over.
Its Australian offices at Wharf 7, Pyrmont, Sydney, is looked after by a building management system made by Tridium. Building management systems like these regulate temperatures, air conditioning zones, and other such building elements by responding to building or environmental inputs, such as the temperature measured from a thermostat or the time of day, allowing buildings to be "warmed up" prior to employees first entering.
However, these back-end systems can be connected to and accessed from the internet. ZDNet found several Australian businesses last year that were running the same systems from Tridium without any form of authentication, potentially allowing anyone to shut down any of the connected building control systems without permission.
While Google's own instance of the system did implement some level of authentication, researchers Billy Rios and Terry McCorkle from information security company Cylance were able to bypass these restrictions easily, as the system was not kept up to date. Rios and McCorkle had previously contacted Tridium regarding a directory traversal vulnerability, which could allow access to restricted files within the management system.
Typically, the public-facing "root" of a site corresponds to a particular directory on a server. For example, www.example.com/ might correspond to /usr/home/public_html. However, when incorrectly configured, the web server may not recognise that it should not honour requests to traverse above this folder. Hence, navigating to www.example.com/../ could expose the /usr/home directory, or www.example.com/../../../ could expose the root file system, if the web server has permissions to view these directories.
This vulnerability was pointed out to Tridium by Rios and McCorkle in July 2012, and the company issued an alert to its customers to take precautionary steps. It released a security patch to further address the issue in August, and noted in a security alert that a specific file, config.bog, could be a security risk if attackers were able to access it.
A second patch against directory traversal was released in February this year, indicating that the problem had not been fully resolved.
The config.bog file was the prime target of Rios and McCorkle's infiltration into the system, as it contains the usernames and hashed passwords for all device users. As Google's implementation of Tridium's software was not kept up to date, Rios and McCorkle were able to exploit the directory traversal vulnerability, retrieve the config.bog file, and extract the hash of the administrator password.
The password itself was easily cracked by Rios and McCorkle, as Tridium's system does not use any form of salting to increase password complexity. The fact that Rios and McCorkle were able to reverse the hash also indicates that the password used on the system would have been weak.
From here, Rios and McCorkle had full run of Google's building management system, and stated that they could have rooted the device. This would provide the pair of researchers with access to a machine from which they could conduct further attacks.
Google has disagreed with their claim, with a Google spokesperson telling ZDNet that the device accessed by the researchers was capable only of managing the air conditioning system and nothing more.
Rios and McCorkle did not root the device, but instead reported the issue to the company via its Vulnerability Rewards Program; however, the issue was not eligible for a reward. According to the researchers, the system has now been pulled offline.
A Google Australia spokesperson said Google is grateful when researchers report their findings, and that it has taken appropriate action to resolve the issue.
Its Australian offices at Wharf 7, Pyrmont, Sydney, is looked after by a building management system made by Tridium. Building management systems like these regulate temperatures, air conditioning zones, and other such building elements by responding to building or environmental inputs, such as the temperature measured from a thermostat or the time of day, allowing buildings to be "warmed up" prior to employees first entering.
However, these back-end systems can be connected to and accessed from the internet. ZDNet found several Australian businesses last year that were running the same systems from Tridium without any form of authentication, potentially allowing anyone to shut down any of the connected building control systems without permission.
While Google's own instance of the system did implement some level of authentication, researchers Billy Rios and Terry McCorkle from information security company Cylance were able to bypass these restrictions easily, as the system was not kept up to date. Rios and McCorkle had previously contacted Tridium regarding a directory traversal vulnerability, which could allow access to restricted files within the management system.
Typically, the public-facing "root" of a site corresponds to a particular directory on a server. For example, www.example.com/ might correspond to /usr/home/public_html. However, when incorrectly configured, the web server may not recognise that it should not honour requests to traverse above this folder. Hence, navigating to www.example.com/../ could expose the /usr/home directory, or www.example.com/../../../ could expose the root file system, if the web server has permissions to view these directories.
This vulnerability was pointed out to Tridium by Rios and McCorkle in July 2012, and the company issued an alert to its customers to take precautionary steps. It released a security patch to further address the issue in August, and noted in a security alert that a specific file, config.bog, could be a security risk if attackers were able to access it.
A second patch against directory traversal was released in February this year, indicating that the problem had not been fully resolved.
The config.bog file was the prime target of Rios and McCorkle's infiltration into the system, as it contains the usernames and hashed passwords for all device users. As Google's implementation of Tridium's software was not kept up to date, Rios and McCorkle were able to exploit the directory traversal vulnerability, retrieve the config.bog file, and extract the hash of the administrator password.
The password itself was easily cracked by Rios and McCorkle, as Tridium's system does not use any form of salting to increase password complexity. The fact that Rios and McCorkle were able to reverse the hash also indicates that the password used on the system would have been weak.
From here, Rios and McCorkle had full run of Google's building management system, and stated that they could have rooted the device. This would provide the pair of researchers with access to a machine from which they could conduct further attacks.
Google has disagreed with their claim, with a Google spokesperson telling ZDNet that the device accessed by the researchers was capable only of managing the air conditioning system and nothing more.
Rios and McCorkle did not root the device, but instead reported the issue to the company via its Vulnerability Rewards Program; however, the issue was not eligible for a reward. According to the researchers, the system has now been pulled offline.
A Google Australia spokesperson said Google is grateful when researchers report their findings, and that it has taken appropriate action to resolve the issue.
Posts
