Billy Rios and Terry McCorkle, researchers for Cylance, an Irvine, California-based security firm, discovered that Google was using an outdated version of the Niagara framework building management system.
In a blog post, Rios and McCorkle explained that Cylance has an ongoing project to identify vulnerable Industrial Control System (ICS) deployments. Tridium’s Niagara Framework is one such system. The patch for the Tridium systems was released a year after Cylance disclosed the flaws to the company, a process Rios described at the time as frustrating because the vendor was so unresponsive.
The patch addressed directory traversal flaws, weak credential storage (including plaintext), and easily predictable session IDs. The issue is that while a patch is available, customers are not applying it, which is where Google comes in.
“It turns out, Google is using Tridium Niagara for various Building Management Systems (BMS) in their Google Wharf 7 building,” a Cylance blog post on the discovery explains. Wharf 7 is Google’s base of operations in Sydney, Australia.
“Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device.”
Once they had access, the researchers had full control over the building’s security and HVAC controls. However, given the sensitive nature of the ICS deployment, they didn’t alter anything on the device. Instead, they reported their findings to Google via its Vulnerability Rewards Program (VRP).
“At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations,” the Cylance post concludes.
“If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… If Google can fall victim to an ICS attack, anyone can.”