Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring Building Security: Now and Future

Published bySheldon Salters Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploring Building Security: Now and Future"— Presentation transcript:

1 Exploring Building Security: Now and Future
Jimmy C. Chau Ph.D. Candidate Boston University 6/23/2014

2 Overview Cyber-security threats to buildings
Billy Rois (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014 Context Traditional (Low-Tech) Future (Smart Buildings) Goal is to present a survey. 6/23/2014

3 Timeline Facility Management Systems Smart Rooms (and Smart Spaces)
Manual Control Smart Grid Integration Tridium Security image from 6/23/2014

4 Modern Buildings Illustration of Tridium system from Here’s an example of one such system Provides: Improved energy-efficiency Building security: Access control Surveillance Tennant billing info And worldwide access to through the Web See animations on slide 8-16 in Rois’s presentation 6/23/2014

5 Traditional Building Vulnerabilities
Now, traditional buildings have vulnerabilities too: Back doors Vulnerabilities in windows Brute-forcing Trojans Lock-picking And many others But generally, not what we’d classify as cybersecurity threats 6/23/2014

6 On to Billy Rois’s Blackhat 2014 presentation…
Owning a Building: Exploiting Access Control and Facility Management Systems 6/23/2014

7 Presentation Summary Covers two facility management systems
Niagara Framework (Tridium) MetaSys (Johnson Controls) Password retrieval vulnerabilities Then privilege escalation Vendor response Fixed by security patches in Niagara Framework No response for MetaSys (Local/on-site attacks) Reference: Rois’s presentation focuses more on MetaSys, presumably due to the lack of response. 6/23/2014

8 Tridium Niagara AX Framework
Rois (Blackhat 2014): Unauthenticated user can retrieve encoded password Decoded password gives admin access Privilege escalation to get SYSTEM on device ICSA A Predictable session IDs Base64-encoded username and password in cookies Directory traversal (read parent directories) Authentication credentials stored in config.bog Wired (Kim Zetter Feb. 6, 2013) Privilege escalation bug in SoftJACE So I had to do a little research to figure out what the vulnerabilities were Industrial Control Systems Cyber Emergency Response Team (ics-cert.us-cert.gov) SoftJACE is “basically a Windows system with a Java virtual machine and the Tridium client software running on it”. Purpose of JACE (Java Application Control Engine) is to provide connectivity between a diverse collection of systems within a building. 6/23/2014

9 Johnson Controls MetaSys
Windows CE Typically has unauthenticated telnet & FTP Docs indicate that telnet & FTP can be enabled Inspect filesystem Download & decompile .NET web services Found services to Directory listings Upload arbitrary files to anywhere Get user password hash (without authentication) See slides in Rois’s presentation before proceeding to 2nd bullet point. 6/23/2014

10 Really a Problem? Rois: ICS-CERT Monitor (Jan-Mar 2013):
Shodan: 21,000 Tridium Systems on the Internet Identified over 50,000 Internet-exposed buildings ICS-CERT Monitor (Jan-Mar 2013): Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures Both through Internet. See Rois slide 50-60 6/23/2014

11 Smart Grid and Smart Spaces
Into the future Smart Grid and Smart Spaces 6/23/2014

12 Smart Grid Smart Meter Electrical Grid Power Network Data 6/23/2014

13 Hart 1992 6/23/2014

14 Smart Rooms 6/23/2014

15 Smart Room System 6/23/2014

16 Privacy 6/23/2014

17 Future Building Security Issues
Many new privacy and security problems Access control k-anonymity Differential privacy Requires activity monitoring Distinguish “good” from “bad” use 6/23/2014

18 References Billy Rois. “Owning a Building: Access Control and Facility Management Systems”. Blackhat ICSA A. “Tridium Niagara Vulnerabilites (Update A)”. ICS-CERT. Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, Johnson Controls docs (about telnet and FTP): p.15: p.26: Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p 6/23/2014

19 Thanks for Listening! Questions?
6/23/2014

20 Images (used with permission)
Old house: Smart grid: Back door: Broken window: Kicking door: Trojan horse: Lock-picking: Bing “Images” search indicates that these images are “Free to share and use”. 6/23/2014

Download ppt "Exploring Building Security: Now and Future"

Similar presentations

1/3/20141 SGVFFL League Information Comish RON WEYANT Cell phone 909 477-1211

1/3/20141 SGVFFL League Information Comish RON WEYANT Cell phone
EER to Relation Models Mapping

EER to Relation Models Mapping
Texas Conference of Urban Counties TIJIS Update TCJUIG Conference May 4, 2011 Tarrant County 1/8/20141.

Texas Conference of Urban Counties TIJIS Update TCJUIG Conference May 4, 2011 Tarrant County 1/8/20141.
Previous training sessions by our Consultants 1/9/20141 Presented by Achieve Strategies International.

Previous training sessions by our Consultants 1/9/20141 Presented by Achieve Strategies International.
1/13/20141 What is SimNet? LEARNING & ASSESSMENT MODULES FOR… Office 2010 | Windows Vista & IE7,8,9 | Windows XP, Vista & 7 | Computer Concepts In a simulated.

1/13/20141 What is SimNet? LEARNING & ASSESSMENT MODULES FOR… Office 2010 | Windows Vista & IE7,8,9 | Windows XP, Vista & 7 | Computer Concepts In a simulated.
Monday, January 13, 20141 Instructor Development Unit 1 Instructional Responsibilities Ed Humphrey.

Monday, January 13, Instructor Development Unit 1 Instructional Responsibilities Ed Humphrey.
Monday, January 13, 20141 Instructor Development Strand 7 / Lesson 8.

Monday, January 13, Instructor Development Strand 7 / Lesson 8.
Monday, January 13, 20141 Instructor Development Unit 1 Instructional Responsibilities Ed Humphrey.

Monday, January 13, Instructor Development Unit 1 Instructional Responsibilities Ed Humphrey.
Monday, January 13, 20141 Instructor Development Lesson 9.

Monday, January 13, Instructor Development Lesson 9.
Monday, January 13, 20141 Instructor Development Lesson 6 Instructor Resources.

Monday, January 13, Instructor Development Lesson 6 Instructor Resources.
1/15/20141 1. A car starts from rest and travel 10s with uniform acceleration 5m/s 2. Find out its final velocity. Here, u=0 m/s t=10s a= 5m/s 2 v=? We.

1/15/ A car starts from rest and travel 10s with uniform acceleration 5m/s 2. Find out its final velocity. Here, u=0 m/s t=10s a= 5m/s 2 v=? We.
Measles / MMR Vaccine Developments last 6 months Dr.Sanjay Srirampur 1/16/20141IAPCOI Measles/MMR - Dec 2011.

Measles / MMR Vaccine Developments last 6 months Dr.Sanjay Srirampur 1/16/20141IAPCOI Measles/MMR - Dec 2011.
Energy Thermodynamics-study of energy and its interconversions Labs

Energy Thermodynamics-study of energy and its interconversions Labs
ALASKA Fleet Operations 1/23/20142 The State Equipment Fleet (SEF) is responsible for procuring, maintaining, and disposing of vehicles and equipment.

ALASKA Fleet Operations 1/23/20142 The State Equipment Fleet (SEF) is responsible for procuring, maintaining, and disposing of vehicles and equipment.
Dr. Peter OReilly Chairperson- ISM Services Group 480-471-2388 1/23/20141 NAPM-AZ Presentation- March 2009.

Dr. Peter OReilly Chairperson- ISM Services Group /23/20141 NAPM-AZ Presentation- March 2009.
Instituto Politécnico do Porto Escola Superior de Tecnologia e Gestão de Felgueiras Mestrado de Redes e Segurança de Computadores A. Paulo.

Instituto Politécnico do Porto Escola Superior de Tecnologia e Gestão de Felgueiras Mestrado de Redes e Segurança de Computadores A. Paulo.
Dipartimento di Scienze, 27 gennaio 20141 ? What is the scenario? An enterprise and its IT system.

Dipartimento di Scienze, 27 gennaio ? What is the scenario? An enterprise and its IT system.
an innovative solution by central control

an innovative solution by central control
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
The Benefits of Publishing with IEEE Updated 2013 13-PROD-0073 Print Fix - Author PPT.

The Benefits of Publishing with IEEE Updated PROD-0073 Print Fix - Author PPT.

Similar presentations

Ads by Google