IBM's X-Force team hacks into smart building

As buildings get smarter and increasingly connected to the Internet, they become targets

As buildings get smarter and increasingly connected to the Internet, they become a potential vector for attackers to target.

IBM's X-Force ethical hacking team recently ran a penetration test against a group of office buildings using building automation systems that controlled sensors and thermostats.

In this particular case, a building management company operated more than 20 buildings across the United States, as well as a central server.

Without any social engineering, or online data gathering about employees, the team targeted one building.

"We did it old-school, just probing the firewall, finding a couple of flaws in the firmware," said Chris Poulin, research strategist for IBM's X-Force. "Once we had access to that, we had access to the management system of one building."

There, they found a remote execution flaw that allowed them to execute commands and get into a password file that helped them get into the building management system and a configuration file that pointed to the management company's central server, the final objective.

There, the X-Force team hit the only major obstacle -- even with the stolen login credentials and the configuration file pointing to the central server, they could not log in.

"It did not allow us to connect via the Internet from our address space," Poulin said. "There was whitelisting."

The building was not particularly far away, so they simply drove over and set up shop in the parking lot, where they could use the access they had already gained to the building's own network.

"We connected to their wireless gateway and got an address that did allow us to connect to the central building management system," Poulin said.

That, in turn, gave them access to all the buildings that this company managed.

They could have done some serious damage, he said.

For example, the first building, in addition to housing offices, also had a data center.

"We had access to the environment controls for the data center," Poulin said. "We could have actually turned the heat up, turned off the air conditioning, potentially taking down all the servers. If you put on your evil hat, there are lots of ways to do bad things."

In the case of this particular set of buildings, IBM worked with the equipment vendors to address the security issues the team found, and with the building automation company to fix the configuration errors.

On a broader scale, however, the problem is actually getting worse.

For example, more and more companies are integrating their building automation systems with the rest of their IT infrastructure, Poulin said, opening up even more opportunities for attackers who are able to break into the building automation systems.

Meanwhile, according to Gartner, more than 206 million connected devices are already being used in commercial smart buildings, and this is expected to grow to 648 million devices by 2017.

Each of these devices creates the opportunity for configuration mistakes and unpatched vulnerabilities.

Companies need to start acting proactively. Whether they run their own buildings and outsource these systems to outside vendors, or rent managed office space, they need to pay attention whenever the contracts come up for renewal.

"Your leverage is the contract negotiation," Poulin said. "Ensure some of the big things, such as that the building automation system is not directly connected to the Internet. Virtual private network access should be fine -- at least then you're forcing them to have some kind of credentialed access. Or at the bare minimum enforce two-factor authentication."

The second issue is to ask for regular security audits or penetration tests.

"In the contract, you can build in a right to audit, or to look at the results of the pen test or security assessment," he said.

There should also be some built-in flexibility in case something unexpected happens, or a particular event occurs that can trigger a renegotiation.


Stories by Maria Korolov
