SecurityWeek

Building Control System at Google Found Hackable

Billy Rios and Terry McCorkle, researchers for Cylance, an Irvine, California-based security firm, discovered that Google was using an outdated version of the Niagara framework building management system.

In a blog post, Rios and McCorkle explained that Cylance has an ongoing project to identify vulnerable Industrial Control System (ICS) deployments. Tridium’s Niagara Framework is one such system. The patch for the Tridium systems was released a year after Cylance disclosed the issues to the company, a process Rios described at the time as frustrating because the vendor was so unresponsive.

The patch addressed directory traversal flaws, weak credential storage (including plaintext), and easily predictable session IDs. The problem is that although a patch is available, customers are not applying it, which is where Google comes in.

“It turns out, Google is using Tridium Niagara for various Building Management Systems (BMS) in their Google Wharf 7 building,” a Cylance blog post on the discovery explains. Wharf 7 is Google’s base of operations in Sydney, Australia. 

“Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device.”

Once they had access, the researchers had full control over the building’s security and HVAC controls. However, given the sensitive nature of the ICS deployment, they didn’t alter anything on the device. Instead, they reported their findings to Google via its Vulnerability Rewards Program (VRP).

“At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations,” the Cylance post concludes.

“If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… If Google can fall victim to an ICS attack, anyone can.”
