
Exploring Building Security: Now and Future

Jimmy C. Chau, Ph.D. Candidate, Boston University. Overview: cyber-security threats to buildings; Billy Rios (Qualys), “Owning a Building: Exploiting Access Control and Facility Management Systems”, Blackhat Asia 2014; context.


Presentation Transcript


  1. Exploring Building Security: Now and Future
     Jimmy C. Chau, Ph.D. Candidate, Boston University

  2. Overview
     • Cyber-security threats to buildings
       • Billy Rios (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014
     • Context
       • Traditional (Low-Tech)
       • Future (Smart Buildings)

  3. Timeline (diagram labels: Facility Management Systems; Smart Rooms (and Smart Spaces); Manual Control; Smart Grid Integration)

  4. Modern Buildings

  5. Traditional Building Vulnerabilities

  6. On to Billy Rios’s Blackhat 2014 presentation… Owning a Building: Exploiting Access Control and Facility Management Systems

  7. Presentation Summary
     • Covers two facility management systems
       • Niagara Framework (Tridium)
       • MetaSys (Johnson Controls)
     • Password retrieval vulnerabilities
     • Then privilege escalation
     • Vendor response
       • Fixed by security patches in Niagara Framework
       • No response for MetaSys
     • (Local/on-site attacks)

  8. Tridium Niagara AX Framework
     • Rios (Blackhat 2014):
       • Unauthenticated user can retrieve encoded password
       • Decoded password gives admin access
       • Privilege escalation to get SYSTEM on device
     • ICSA-12-228-01A
       • Predictable session IDs
       • Base64-encoded username and password in cookies
       • Directory traversal (read parent directories)
       • Authentication credentials stored in config.bog
     • Wired (Kim Zetter, Feb. 6, 2013)
       • Privilege escalation bug in SoftJACE
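
A defender-side check for two of the ICSA-12-228-01A findings listed above, added here as an example and not taken from the presentation or from Tridium's code: it flags cookies whose value Base64-decodes to credential-like text, and session IDs that advance by a fixed step. The `user:secret` cookie layout, the hex session-ID format, the cookie names and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re

def decode_b64_text(value):
    """Return decoded ASCII text if value is strict Base64 of printable text, else None."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text and text.isprintable() else None

def credential_cookies(cookies):
    """Names of cookies whose value decodes to 'user:secret' (assumed layout)."""
    hits = []
    for name, value in cookies.items():
        text = decode_b64_text(value)
        # Base64 is an encoding, not encryption: anyone who sees the cookie
        # recovers the credentials, so such a cookie is a finding by itself.
        if text and re.fullmatch(r"[^:\s]+:\S+", text):
            hits.append(name)
    return hits

def sequential_ids(session_ids):
    """True when at least three hex session IDs differ by one constant step.

    This catches only the simplest form of predictability (a counter);
    passing it does not show that the IDs are unpredictable.
    """
    nums = [int(s, 16) for s in session_ids]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 3 and len(steps) == 1

# Constructed sample data (hypothetical cookie names and values).
SAMPLE_COOKIES = {
    "auth": base64.b64encode(b"operator:example-pass").decode(),
    "theme": "dark",
    "lang": "en-US",
}
COUNTER_IDS = ["0000a1f0", "0000a1f1", "0000a1f2"]
RANDOM_IDS = ["9f3c1a77", "12be0045", "c40d9e21"]

if __name__ == "__main__":
    print("credential-bearing cookies:", credential_cookies(SAMPLE_COOKIES))
    print("counter-style IDs predictable:", sequential_ids(COUNTER_IDS))
    print("random-looking IDs predictable:", sequential_ids(RANDOM_IDS))
```
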

  9. Johnson Controls MetaSys
     • Windows CE
     • Typically has unauthenticated telnet & FTP
     • Docs indicate that telnet & FTP can be enabled
     • Inspect filesystem
     • Download & decompile .NET web services
     • Found services to:
       • Directory listings
       • Upload arbitrary files to anywhere
       • Get user password hash (without authentication)

  10. Really a Problem?
     • Rios:
       • Shodan: 21,000 Tridium Systems on the Internet
       • Identified over 50,000 Internet-exposed buildings
     • ICS-CERT Monitor (Jan-Mar 2013):
       • Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS
       • A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures

  11. Into the future Smart Grid and Smart Spaces

  12. Smart Grid (diagram labels: Smart Meter; Electrical Grid; Power; Data Network)

  13. Hart 1992

  14. Smart Rooms

  15. Smart Room System

  16. Privacy

  17. Future Building Security Issues
     • Many new privacy and security problems
     • Access control
     • k-anonymity
     • Differential privacy
     • Requires activity monitoring
     • Distinguish “good” from “bad” use

  18. References
     • Billy Rios. “Owning a Building: Access Control and Facility Management Systems”. Blackhat 2014. http://www.blackhat.com/docs/asia-14/materials/Rios/Asia-14-Rios-Owning-A-Building-Exploiting-Access-Control-And-Facility-Management.pdf
     • ICSA-12-228-01A. “Tridium Niagara Vulnerabilities (Update A)”. ICS-CERT. http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A
     • Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, 2013. http://www.wired.com/2013/02/tridium-niagara-zero-day/
     • Johnson Controls docs (about telnet and FTP):
       • p.15: http://cgproducts.johnsoncontrols.com/met_pdf/1201993.pdf
       • p.26: http://cgproducts.johnsoncontrols.com/MET_PDF/1201990.pdf
     • Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p.1870-1891. 1992.
     • Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p.556-564. 2013.

  19. Thanks for Listening! Questions?

  20. Images (used with permission)
     • Old house: http://fc02.deviantart.net/fs44/i/2009/102/0/a/Spooky_Old_House_1_by_Ranald101.jpg
     • Smart grid: https://www.e-education.psu.edu/drupal6/files/engr312/lesson05/dynamic_infrastructure.jpg
     • Back door: http://farm7.staticflickr.com/6100/6322575335_22a7b52c74_z.jpg
     • Broken window: http://farm3.staticflickr.com/2097/2098210283_8da0e23ecb_z.jpg
     • Kicking door: http://content.artofmanliness.com/uploads/2011/10/Breaking-Doors.jpg
     • Trojan horse: http://farm3.staticflickr.com/2141/2403154755_7e74984b36.jpg
     • Lock-picking: http://upload.wikimedia.org/wikipedia/commons/thumb/9/9e/Pin_and_tumbler_lock_picking.PNG/220px-Pin_and_tumbler_lock_picking.PNG
