Exploring Building Security: Now and Future. Jimmy C. Chau, Ph.D. Candidate, Boston University. 6/23/2014

2 Overview
Cyber-security threats to buildings
Billy Rios (Qualys). “Owning a Building: Exploiting Access Control and Facility Management Systems”. Blackhat Asia 2014
Context
– Traditional (Low-Tech)
– Future (Smart Buildings)

3 Timeline
Smart Grid Integration
Smart Rooms (and Smart Spaces)
Facility Management Systems
Manual Control

4 Modern Buildings

5 Traditional Building Vulnerabilities


7 Presentation Summary
Covers two facility management systems
– Niagara Framework (Tridium)
– MetaSys (Johnson Controls)
Password retrieval vulnerabilities
– Then privilege escalation
Vendor response
– Fixed by security patches in Niagara Framework
– No response for MetaSys (Local/on-site attacks)

8 Tridium Niagara AX Framework
Rios (Blackhat 2014):
– Unauthenticated user can retrieve encoded password
– Decoded password gives admin access
– Privilege escalation to get SYSTEM on device
ICSA A
– Predictable session IDs
– Base64-encoded username and password in cookies
– Directory traversal (read parent directories)
– Authentication credentials stored in config.bog
Wired (Kim Zetter Feb. 6, 2013)
– Privilege escalation bug in SoftJACE
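An added example, not from the presentation or from Tridium: a defender-side audit for two of the weaknesses listed on slide 8, credentials Base64-encoded in cookies and predictable session IDs, next to a hardened session ID. The `user:secret` cookie layout, the cookie names and all sample values are constructed assumptions; the slide does not give the actual format.

```python
import base64
import binascii
import re
import secrets

# Constructed sample data; the "user:secret" layout is an assumption.
SAMPLE_COOKIES = {
    "session": "1000042",
    "auth": base64.b64encode(b"operator:Winter2014").decode(),
    "theme": "dark",
}
SAMPLE_SESSION_IDS = ["1000042", "1000043", "1000044", "1000045"]
CRED_RE = re.compile(r"[\x20-\x7e]{1,64}:[\x20-\x7e]{1,128}")

def decodes_to_credentials(value):
    """True if value is strict Base64 whose plaintext looks like user:secret."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return False
    return bool(CRED_RE.fullmatch(text))

def ids_look_sequential(ids):
    """True if the IDs, read as decimal or hex, advance by one constant step."""
    if len(ids) < 3:
        return False
    for base in (10, 16):
        try:
            nums = [int(i, base) for i in ids]
        except ValueError:
            continue
        if len({b - a for a, b in zip(nums, nums[1:])}) == 1:
            return True
    return False

def new_session_id():
    """Hardened form: 256 bits from the OS CSPRNG, carrying no user data."""
    return secrets.token_urlsafe(32)

def audit(cookies, observed_session_ids):
    """Return findings without ever echoing the decoded secret."""
    findings = []
    for name, value in sorted(cookies.items()):
        if decodes_to_credentials(value):
            findings.append(f"cookie '{name}' holds Base64-encoded credentials")
    if ids_look_sequential(observed_session_ids):
        findings.append("session IDs advance by a constant step")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_COOKIES, SAMPLE_SESSION_IDS))
    print(audit({"session": new_session_id()}, [new_session_id() for _ in range(4)]))
```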

9 Johnson Controls MetaSys
Windows CE
– Typically has unauthenticated telnet & FTP
– Docs indicate that telnet & FTP can be enabled
– Inspect filesystem
Download & decompile .NET web services
Found services to
– Directory listings
– Upload arbitrary files to anywhere
– Get user password hash (without authentication)

10 Really a Problem?
Rios:
– Shodan: 21,000 Tridium Systems on the Internet
– Identified over 50,000 Internet-exposed buildings
ICS-CERT Monitor (Jan-Mar 2013):
– Attackers penetrated building energy management system (EMS) of NJ manufacturing company; access to Niagara AX EMS
– A state gov’t facility’s building EMS compromised (Niagara); manipulated building temperatures

11 SMART GRID AND SMART SPACES
Into the future

12 Smart Grid
[Figure labels: Power, Smart Meter, Electrical Grid, Network, Data]

13 Hart

14 Smart Rooms

15 Smart Room System

16 Privacy

17 Future Building Security Issues
Many new privacy and security problems
Access control
k-anonymity
Differential privacy
Requires activity monitoring
Distinguish “good” from “bad” use

18 References
Billy Rios. “Owning a Building: Access Control and Facility Management Systems”. Blackhat /materials/Rios/Asia-14-Rios-Owning-A-Building-Exploiting-Access-Control-And-Facility-Management.pdf.
ICSA A. “Tridium Niagara Vulnerabilities (Update A)”. ICS-CERT.
Kim Zetter. “Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More”. Wired. Feb 6,
Johnson Controls docs (about telnet and FTP):
– p.15:
– p.26:
Hart, G. “Nonintrusive Appliance Load Monitoring.” Proceedings of the IEEE. p
Jimmy Chau and Thomas Little. “Challenges in Retaining Privacy in Smart Spaces”. Procedia Computer Science. p

19 Thanks for Listening! Questions?

20 Images (used with permission)
– Old house: 101.jpg
– Smart grid: https://www.e-
– Back door:
– Broken window:
– Kicking door: Doors.jpg
– Trojan horse:
– Lock-picking: lock_picking.PNG/220px-Pin_and_tumbler_lock_picking.PNG

