At Cylance, we have an ongoing project to identify vulnerable Internet facing Industrial Control Systems (ICS) at scale. Our project is far from complete, but we wanted to share a story which we think our readers might be interested in. While looking through our scan results, we came across an interesting Tridium Niagara device on the Internet.
(The two gold keys means it s secure)
It turns out, Google is using Tridium Niagara for various Building Management Systems (BMS) in their Google Wharf 7 building. For those that don t know what the Google Wharf 7 is, here is a picture of the inside:
(Google Wharf 7 what a nice building!)
A quick interrogation of the Tridium device yields a wealth of information about the specific platform version (a slightly outdated version) and OS specifics (QNX running on an embedded device). Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device. A snippet from the config.bog file we took from Google is presented below.
(Encoded password for the device administrator)
Once we have access to the config.bog file, we used a custom developed tool to decode the passwords for all the users on the device.
(Decoded Admin password)
With the device administrator password in hand we can now take over the Google Tridium Device :-)
(The third floor of this building showing water and HVAC systems)
(Access to a variety of Building Management features)
(We don t know what this button does and we were afraid to test it :-))
Of course, once we re done perusing the building automation systems, we could always root the device (we did not do this but we could have!)
We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn t qualify for VRP rewards.
If you have a corporate campus or a modern building of any sort you re likely running similar systems someplace on your network. We ve already discovered over twenty five thousand of these systems facing the Internet one down, twenty four thousand, nine hundred, ninety nine to go :-)
If Google can fall victim to an ICS attack, anyone can.