Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring Building Security: Now and Future

Similar presentations

Presentation on theme: "Exploring Building Security: Now and Future"— Presentation transcript:

1 Exploring Building Security: Now and Future
Jimmy C. Chau Ph.D. Candidate Boston University 6/23/2014

2 Overview Cyber-security threats to buildings
Billy Rois (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014 Context Traditional (Low-Tech) Future (Smart Buildings) Goal is to present a survey. 6/23/2014

3 Timeline Facility Management Systems Smart Rooms (and Smart Spaces)
Manual Control Smart Grid Integration Tridium Security image from 6/23/2014

4 Modern Buildings Illustration of Tridium system from Here’s an example of one such system Provides: Improved energy-efficiency Building security: Access control Surveillance Tennant billing info And worldwide access to through the Web See animations on slide 8-16 in Rois’s presentation 6/23/2014

5 Traditional Building Vulnerabilities
Now, traditional buildings have vulnerabilities too: Back doors Vulnerabilities in windows Brute-forcing Trojans Lock-picking And many others But generally, not what we’d classify as cybersecurity threats 6/23/2014

6 On to Billy Rois’s Blackhat 2014 presentation…
Owning a Building: Exploiting Access Control and Facility Management Systems 6/23/2014

7 Presentation Summary Covers two facility management systems
Niagara Framework (Tridium) MetaSys (Johnson Controls) Password retrieval vulnerabilities Then privilege escalation Vendor response Fixed by security patches in Niagara Framework No response for MetaSys (Local/on-site attacks) Reference: Rois’s presentation focuses more on MetaSys, presumably due to the lack of response. 6/23/2014

8 Tridium Niagara AX Framework
Rois (Blackhat 2014): Unauthenticated user can retrieve encoded password Decoded password gives admin access Privilege escalation to get SYSTEM on device ICSA A Predictable session IDs Base64-encoded username and password in cookies Directory traversal (read parent directories) Authentication credentials stored in config.bog Wired (Kim Zetter Feb. 6, 2013) Privilege escalation bug in SoftJACE So I had to do a little research to figure out what the vulnerabilities were Industrial Control Systems Cyber Emergency Response Team ( SoftJACE is “basically a Windows system with a Java virtual machine and the Tridium client software running on it”. Purpose of JACE (Java Application Control Engine) is to provide connectivity between a diverse collection of systems within a building. 6/23/2014

9 Johnson Controls MetaSys
Windows CE Typically has unauthenticated telnet & FTP Docs indicate that telnet & FTP can be enabled Inspect filesystem Download & decompile .NET web services Found services to Directory listings Upload arbitrary files to anywhere Get user password hash (without authentication) See slides in Rois’s presentation before proceeding to 2nd bullet point. 6/23/2014

10 Really a Problem? Rois: ICS-CERT Monitor (Jan-Mar 2013):
Shodan: 21,000 Tridium Systems on the Internet Identified over 50,000 Internet-exposed buildings ICS-CERT Monitor (Jan-Mar 2013): Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures Both through Internet. See Rois slide 50-60 6/23/2014

11 Smart Grid and Smart Spaces
Into the future Smart Grid and Smart Spaces 6/23/2014

12 Smart Grid Smart Meter Electrical Grid Power Network Data 6/23/2014

13 Hart 1992 6/23/2014

14 Smart Rooms 6/23/2014

15 Smart Room System 6/23/2014

16 Privacy 6/23/2014

17 Future Building Security Issues
Many new privacy and security problems Access control k-anonymity Differential privacy Requires activity monitoring Distinguish “good” from “bad” use 6/23/2014

18 References Billy Rois. “Owning a Building: Access Control and Facility Management Systems”. Blackhat ICSA A. “Tridium Niagara Vulnerabilites (Update A)”. ICS-CERT. Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6, Johnson Controls docs (about telnet and FTP): p.15: p.26: Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p 6/23/2014

19 Thanks for Listening! Questions?

20 Images (used with permission)
Old house: Smart grid: Back door: Broken window: Kicking door: Trojan horse: Lock-picking: Bing “Images” search indicates that these images are “Free to share and use”. 6/23/2014

Download ppt "Exploring Building Security: Now and Future"

Similar presentations

Ads by Google