Serious building automation defect exposed in Honeywell Tridium Niagara AX Series

Security researchers from Cylance have identified a serious flaw in the internet-enabled Honeywell Tridium Niagara AX line of building automation products. The researchers demonstrated how hackers could gain root-level access to the control system in less than 25 seconds. The Tridium product line provides control over crucial building systems such as security, mechanical, electrical, and plumbing.

Dan Goodin, writing for Ars Technica, reports:

Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or sabotaging large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present.

Luckily, the researchers have been working with Honeywell to patch the flaws, according to Wired:

A Tridium spokesman said the researchers notified the company about the vulnerability last December and it has been working on a patch to fix the vulnerability, which they expect to release this month.

“We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today,” spokesman Mark Hamel said in a statement. “The vast majority of Niagara AX systems are behind firewalls and VPNs — as we recommend — but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.”

Not An Isolated Occurrence

Most disconcerting is that this is just the latest “proof of concept” vulnerability reported in building automation and industrial control systems. Goodin writes:

A raft of other ICS devices have been found to contain similar critical defects, including those from Siemens-owned Ruggedcom and another line of mission-critical routers made by Fremont, California-based GarrettCom…

Security experts have long argued that the convenience often comes at the price of security, and there are some disturbing examples of the risks from the last couple of years. In 2009, a recently discharged security guard who had physical access to ICS computers was arrested after posting screen shots and videos showing him planning to remotely cripple air-conditioning systems at a Texas hospital, where temperatures regularly reach into the triple digits. Last year, hackers illegally accessed the Internet-connected heating and air-conditioning controls of a New Jersey-based company. The vulnerability the intruders exploited was the same one Tridium patched in secret last year.

Via Ars Technica and Wired