At the recent Kaspersky Threatpost Security Analyst Summit in Puerto Rico, Cylance security researchers demonstrated a newly discovered vulnerability in Honeywell’s Tridium Niagara AX Framework.
“Billy Rios and Terry McCorkle, noted security researchers with Cylance, who have found numerous vulnerabilities in the Tridium system and other industrial control systems in the last two years, demonstrated a zero-day attack on the system … The attack exploits a remote, pre-authenticated vulnerability that, combined with a privilege-escalation bug, gave them root on the system’s platform, which underlies the devices,” writes Wired’s Kim Zetter.
“[The] two explained that a zero-day vulnerability allows access to Tridium’s config.bog file, which holds usernames and passwords to log in to building control systems,” Infosecurity reports. “From there an attacker could log in to the administrator panel and commence wreaking havoc, with the ability to stop and start elevators, open doors in between floors, crank up the heat, shut down the lights, spy through CCTV cameras, turn off those cameras and unlock access to buildings for thieves, and much more.”
“The researchers said a recent query on the Shodan computer search engine found 21,541 Internet-connected Niagara devices, some operated by military installations, hospitals, and other mission-critical facilities,” writes Ars Technica’s Dan Goodin. “Tests the pair performed on a small sample of the machines confirmed they were accessible over the Internet. The nondescript boxes are often installed by third-party contractors in out-of-the-way closets, so on-site administrators and managers may not even know they’re in use.”