IoT Building Automation Systems (BAS) are as strong as the security measures companies put around them

Feb 10, 2016 15:10 GMT  ·  By
IoT BAS systems can be hacked quite easily if you put your mind to it

As part of a penetration test they carried out on their own initiative, IBM security researchers chose a random building that had implemented smart IoT solutions for its employees, and hacked into its infrastructure just to prove a point about the lack of proper security measures in smart building and smart office environments.

Most of today's BAS (Building Automation Systems) work in the same way. The building is connected to the Internet through routers that spread the connection to WiFi access points placed in various locations, on different building floors.

Each building has a BAS controller, responsible for managing each of the building's "smart" features and for collecting and aggregating data from various sensors (humidity, temperature, light, etc.). This BAS controller connects to the Internet through local WiFi spots and the building router, where, in some cases, it sends data to manufacturers or central company servers that gather information from different buildings across the country.

IBM researchers faced this exact setup in their pen-testing experiment, carried out over the past few months, with the delightful cooperation of a company that got a free IoT security audit from one of the leading cyber-security firms around.

Researchers find zero-days and improperly configured equipment

Researchers say that they found it incredibly easy to discover Internet-connected devices inside the building and escalate their access to reach the local BAS controller, and later the central BAS server used by the same company to manage its other buildings.

The researchers discovered the following flaws:
►    The local building router had administrative ports open to external connections
►    The router login screen could be bypassed to leverage an RCE (remote code execution) zero-day vulnerability that gave them access to the device
►    The router stored its admin password in a local file, in cleartext
►    The building's admin staff reused the same admin password for the router and the BAS controller
►    Another RCE vulnerability granted the IBM team access to a configuration file that stored details about the central BAS server's IP and password (in an encrypted format)
►    The encryption format for this configuration file was weak, and the IBM team cracked it, accessing the central BAS server with admin privileges
►    Even if the central BAS server allowed access only through certain IP addresses, the local WiFi router could be hijacked to serve as a proxy for malicious commands
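Most of the flaws above are configuration-hygiene problems a building operator can check for before an outside team does. The script below is an added example, not code from IBM, the article, or any BAS vendor: it audits a constructed, hypothetical device inventory (the `Device` fields and the sample names and passwords are assumptions made for the example) for the four conditions the list describes: admin ports reachable from the Internet, credentials stored in a recoverable form, the same admin password reused across devices, and an IP allow-list on the central server that trusts a device which is itself exposed.

```python
"""Configuration-hygiene audit for a small building network.

Added example, not code from IBM or the article. The inventory format
(Device fields) and the sample devices are constructed for illustration
and do not correspond to any real BAS product.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (device name(s), finding code, detail)


@dataclass
class Device:
    name: str
    role: str                      # "router", "bas_controller" or "bas_server"
    admin_ports: List[int]         # TCP ports of the management interface
    wan_exposed: bool              # management interface reachable from the Internet
    secret: str                    # admin credential as stored on disk
    secret_format: str             # "cleartext", "base64" or "hashed"
    allowed_sources: List[str] = field(default_factory=list)  # allow-listed device names


def recoverable_plaintext(dev: Device) -> Optional[str]:
    """Return the stored credential in clear if its on-disk form is trivially
    reversible. Base64 stands in here for the 'weak encryption' class of
    storage: it hides nothing from anyone who can read the file."""
    if dev.secret_format == "cleartext":
        return dev.secret
    if dev.secret_format == "base64":
        try:
            return base64.b64decode(dev.secret, validate=True).decode("ascii")
        except ValueError:          # not valid base64 or not printable text
            return None
    return None                    # hashed or otherwise non-reversible


def audit(devices: List[Device]) -> List[Finding]:
    """Run the four checks and return one finding per problem found."""
    findings: List[Finding] = []
    recovered: Dict[str, str] = {}   # device name -> recovered admin password
    by_name = {d.name: d for d in devices}

    for d in devices:
        # 1. Management interface exposed to the Internet.
        if d.wan_exposed and d.admin_ports:
            findings.append((d.name, "ADMIN_PORTS_EXPOSED",
                             f"ports {d.admin_ports} reachable from WAN"))
        # 2. Credential stored in cleartext or in a reversible encoding.
        pt = recoverable_plaintext(d)
        if pt is not None:
            findings.append((d.name, "CREDENTIAL_RECOVERABLE",
                             f"stored as {d.secret_format}"))
            recovered[d.name] = pt

    # 3. Same admin password on more than one device (only detectable where
    #    the stored form could be recovered, which is itself finding 2).
    by_secret: Dict[str, List[str]] = {}
    for name, pt in recovered.items():
        by_secret.setdefault(pt, []).append(name)
    for names in by_secret.values():
        if len(names) > 1:
            findings.append((",".join(names), "CREDENTIAL_REUSED",
                             "same admin password on multiple devices"))

    # 4. Allow-list on a server that trusts a device which is exposed or
    #    whose credential is recoverable: the allow-list can be bypassed by
    #    pivoting through that device.
    weak = {n for n, code, _ in findings
            if code in ("ADMIN_PORTS_EXPOSED", "CREDENTIAL_RECOVERABLE")}
    for d in devices:
        for src in d.allowed_sources:
            if src in by_name and src in weak:
                findings.append((d.name, "ALLOWLIST_PIVOT",
                                 f"allow-listed source {src} is itself weak"))
    return findings


def sample_inventory() -> List[Device]:
    """Constructed inventory mirroring the article's setup (hypothetical names)."""
    shared_pw = "building123"      # constructed sample password
    return [
        Device("site-router", "router", [22, 80, 443], True, shared_pw, "cleartext"),
        Device("bas-controller", "bas_controller", [80], False,
               base64.b64encode(shared_pw.encode()).decode(), "base64"),
        Device("central-bas-server", "bas_server", [443], False,
               "$argon2id$placeholder-hash", "hashed",
               allowed_sources=["site-router"]),
    ]


if __name__ == "__main__":
    for who, code, detail in audit(sample_inventory()):
        print(f"{code:22} {who:30} {detail}")
```

Run as-is it prints five findings for the constructed inventory. In a real deployment the `Device` records would be filled from the router and controller configuration exports; the checks themselves do not depend on the vendor.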

IBM worked with the company to harden its security protocols but also reported the vulnerabilities it discovered to the BAS manufacturer.

There are some lessons to be learned from this experiment, which the team shares in its Penetration Testing a Building Automation System report; the company plans to present the report at the InterConnect 2016 security conference.

Default setup for smart IoT buildings
