Security Flaws Found in Tridium's Niagara Framework
The vulnerabilities could enable an attacker to access user names and passwords.
According to a recent report in The Washington Post, an unknown number of systems being managed via Tridium's Niagara Framework are vulnerable to cyber attacks. The vulnerabilities, uncovered by security researchers Billy Rios and Terry McCorkle, could allow an attacker to download and decrypt user names and passwords.
"The exploit used by the researchers is called a directory traversal attack," Infosecurity reports. "With some alterations to the Niagara Framework’s web address, Rios was able to order the framework to perform certain tasks. One of them was to electronically hand over a 'configuration file,' which contained user names, passwords, and other sensitive material."
"Last week, after more than a month of conversations with The Post, the company in a confidential security bulletin warned customers about the vulnerabilities and described ways to mitigate them," writes The Washington Post's Robert O’Harrow Jr. "'We’re not going to say Niagara is secure,' [Tridium CTO John] Sublett said in an interview. 'We try to soften it and say we’re trying to make it as secure as possible.'"
"The implications of this security problem are not to be underestimated," writes Forbes' Mark Gibbs. "What’s important about this story is the scale of the potential threat: Tridium services support enterprises (including the U.S. Defense Department and scores of educational establishments) and every kind of organization down to individual consumer homes and the potential for run-of-the-mill hacking right through to industrial and military espionage appears to be of biblical proportions. This will be a story to watch."