Penetration testing a building automation system

Similar documents
May the (IBM) X-Force Be With You

The McGill University Health Centre (MUHC)

Combatting advanced threats with endpoint security intelligence

IBM Security Access Manager

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Be effective in protecting against the cybercrime

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

Accelerating growth and digital adoption with seamless identity trust

Integrated, Intelligence driven Cyber Threat Hunting

Modern Realities of Securing Active Directory & the Need for AI

Best Practices in Securing a Multicloud World

Continuous Diagnostics and Mitigation demands, CyberScope and beyond

Data Security and Privacy Principles IBM Cloud Services

An ICS Whitepaper Choosing the Right Security Assessment

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Choosing the Right Security Assessment

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

Think Like an Attacker

The New Era of Cognitive Security

IBM Cloud Lessons Learned: VMware Cloud Foundation on IBM Cloud VMworld 2017 We are a cognitive solutions and cloud platform company that leverages th

Designing and Building a Cybersecurity Program

Fabrizio Patriarca. Come creare valore dalla GDPR

IBM Security. Endpoint Manager- BigFix. Daniel Joksch Security Sales IBM Corporation

ISAM Advanced Access Control

10 FOCUS AREAS FOR BREACH PREVENTION

RiskSense Attack Surface Validation for IoT Systems

Building Resilience in a Digital Enterprise

Securing global enterprise with innovation

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

CYBERSECURITY RISK LOWERING CHECKLIST

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

SECURING DEVICES IN THE INTERNET OF THINGS

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

IBM SmartCloud Notes Security

IBM Internet Security Systems Proventia Management SiteProtector

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SECURING DEVICES IN THE INTERNET OF THINGS

IBM Cloud IBM Cloud for VMware Solutions Zeb Ahmed Senior Offering Manager and BCDR Leader VMware on IBM Cloud VMworld 2017 Content: Not for publicati

IBM Security Network Protection Solutions

hidden vulnerabilities

IBM BigFix Compliance

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

CoreMax Consulting s Cyber Security Roadmap

CyberArk Privileged Threat Analytics

Protect Your Organization from Cyber Attacks

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Ponemon Institute s 2018 Cost of a Data Breach Study

RANSOMWARE PROTECTION. A Best Practices Approach to Securing Your Enterprise

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Le sfide di oggi, l evoluzione e le nuove opportunità: il punto di vista e la strategia IBM per la Sicurezza

WHITE PAPER. Best Practices for Web Application Firewall Management

How to Secure Your Cloud with...a Cloud?

IBM MaaS360 Kiosk Mode Settings

Cyber security tips and self-assessment for business

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Cyber Security Audit & Roadmap Business Process and

SECURITY TESTING. Towards a safer web world

ISDP 2018 Industry Skill Development Program In association with

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

CCISO Blueprint v1. EC-Council

Think Like an Attacker

Secure Access & SWIFT Customer Security Controls Framework

IBM FlashSystem 720 & FlashSystem 820 Remote Support Overview

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

K12 Cybersecurity Roadmap

CPTE: Certified Penetration Testing Engineer

Kaspersky Cloud Security for Hybrid Cloud. Diego Magni Presales Manager Kaspersky Lab Italia

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

CloudSOC and Security.cloud for Microsoft Office 365

Security Solutions. Overview. Business Needs

C1: Define Security Requirements

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

ISAM Federation STANDARDS AND MAPPINGS. Gabriel Bell IBM Security L2 Support Jack Yarborough IBM Security L2 Support.

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

EC-Council C EH. Certified Ethical Hacker. Program Brochure

Chapter 5: Vulnerability Analysis

Trustwave Managed Security Testing

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Mobilize your corporate content and apps

IBM Application Security on Cloud

Gujarat Forensic Sciences University

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

CCNA Cybersecurity Operations 1.1 Scope and Sequence

MSS VSOC Portal Single Sign-On Using IBM id IBM Corporation

PCI DSS and VNC Connect

Department of Management Services REQUEST FOR INFORMATION

Eight important criteria for selecting a managed security services provider

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Cybersecurity Today Avoid Becoming a News Headline

PREPARE & PREVENT. The SD Comprehensive Cybersecurity Portfolio for Business Aviation

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Transcription:

Penetration testing a building automation system Is your smart office creating backdoors for hackers? IBM X-Force Research Click here to start

There is much focus in the IT industry on securing web servers, applications and critical network infrastructure from cyber attack, but what about the new class of web-enabled devices that are connected to the systems that control heating, lights and locks in buildings? If compromised, such devices may have a more profound impact on our physical surroundings than, for example, the defacing of a web server. Even in an ordinary office building, hackers could gain control of the devices that regulate data center temperatures, causing cooling fans to shut down and servers to overheat. Not only could these devices impact physical surroundings, but through shared connections with enterprise IT networks, they could also open a backdoor to company data. To help companies understand risks associated with IT systems and how to protect them, the IBM X-Force Ethical Hacking team conducts simulated attacks on various software and systems with the purpose of identifying security flaws. The idea behind ethical hacking, also known as penetration testing, is to identify weak areas and help enterprises implement countermeasures that can strengthen the system. Our Ethical Hacking team conducted an assessment of a building automation system (BAS) that controlled sensors and thermostats in a commercial office. Working with the system operator and building management, we tested and found several areas of concern in the BAS architecture that could allow a malicious attacker not only to take control of the individual building system, but also to then gain access to a central server, operated by the system operator, which could extend control to several other geographically dispersed buildings. IBM X-Force then worked directly with all the identified vendors and with the building management to ensure that fixes and mitigations were addressed and patches are now available. The aim of this paper is to help educate enterprises on how to test for the potential risks associated with building automation systems and how to implement the proper controls to protect those systems. The IBM X-Force Ethical Hacking team presents here the lessons gleaned from this simulation and describes best practices and configuration settings that should help companies develop secure architectures and protections for these building automation devices. 2

1 2 Working with the operators of the building automation system, the IBM X-Force Ethical Hacking team attempted to determine if it was possible to break into the main monitoring and control BAS server. This central BAS server controls building automation in several other locations; therefore, access to the central BAS server could allow attackers to control all the buildings in the system. Each building location is defined as a station in the system, and each station does various things. For example, one of the stations, Station 1 in our diagram (see Figure 1), measures the temperature in a computer lab that contains virtual machine (VM) farms and web servers. Keeping this temperature constant is important to preventing the servers from overheating. Each station is composed of a modem/router for Internet connectivity, a building automation controller, which connects to the central BAS server and reports status, and a series of interconnected sensors and thermostats responsible for controlling the room temperature. The diagram in Figure 2 represents the architecture of the automation system we tested. Internet Modem/ Router BAS Controller Computer Lab Figure 1. This diagram represents Station 1, which is a building location supported by the building automation system central server. Central BAS Server Station 1 1.1.1.1 Internet Station 2 2.2.2.2 Figure 2. This diagram represents the architecture of the building automation system tested. 3

1 2 1 2 3 4 5 6 For testing purposes, we were given three public IP addresses by the building system management operator; we will represent those using the fake addresses in the following table: Location First Building Site Station 1 1.1.1.1 IP address Second Building Site Station 2 2.2.2.2 Central BAS Server 3.3.3.3 What follows is a complete list of security issues and incorrect configurations identified in the building automation system. Port Protocol State Service Version 443 tcp open https 25 tcp closed Smtp 80 tcp open http 135 tcp closed Msrpc 139 tcp closed netbios-ssn 445 tcp closed microsoft-ds 1234 (edited) tcp open http 8080 tcp open http D-Link Building Automation Controller Administration Port Navigating to port ht tp://1.1.1.1:8080, the team was presented with the login screen of a D-Link router. 1. Exposed administration ports A scan of the 1.1.1.1 address (Station 1), performed using Nmap, an open source utility for network discovery and security auditing, identified several available ports, detailed in the following table. 4

1 2 3 4 5 6 The login was available because the building system management operator had enabled remote management on the router in order to resolve networking problems remotely. On port 1234(Edited) there was a different, unfamiliar web server showing a platform authentication dialog. The team investigated and determined that this was the building controller running an embedded device framework software instance, which is used to report environmental sensor information to the central server, and that the D-Link router was port-forwarding to it. However, the team determined that by adding an extra carriage return after the page request, it was possible to bypass the router s authentication. You can notice in the next screenshot that instead of displaying an Authentication fail error the router returns the message OK. This means that the router was manipulated to send ping requests without authentication. 2. Bypassing the router login screen The team attempted to access the router s diagnostic page and received an authentication failure message. This was expected as the router was password protected. 3. Remote command execution on the router Because the diagnostic page executed a system command (ping), the team needed to assess whether the diagnostic page could be manipulated to execute commands other than ping. This could allow attackers to take control of the router. This type of attack is called command injection and is conducted by replacing the arguments of the request with system commands. 5

1 2 3 4 5 6 It is important for testers to recognize command injection vulnerabilities because they often allow attackers to completely compromise a system. The team tried a black box approach to identify potential ways to exploit the diagnostic page. As sending several commands and combinations of characters to the page was not successful, the team looked for other alternatives. Since the D-Link router firmware was open source, the team downloaded the entire source code to look at the code of the diagnostic.php page and potentially understand more about whether or not it was vulnerable to exploit. This is commonly known in security testing as white box analysis or security code review. The screenshot that follows shows how an attacker could easily use this vulnerability to control the router like they would control a computer terminal. As it turned out, the white box analysis of diagnostic.php was not necessary because in the source code, right next to the diagnostic page, there was a page named command.php, which seemed to do exactly what was needed: execute commands. 6

4. Router password in clear text The team also looked to see if sensitive data, such as passwords, were available. They found the passwd file in the var directory. 1 2 3 4 5 6 The contents of this file are shown in the following screenshot. The actual password was in clear text, but it has been replaced with a dummy password in the image. Storing passwords in clear text is never advisable because if attackers can access the file where the password is stored, they can access the clear text password. This is why it is advised that software use techniques like cryptography to protect stored passwords. Note that with this password the team was able to log in to the router s administration interface and used the password multiple times during this assessment. Protect passwords by using techniques such as encryption rather than storing them in clear text. 7

1 2 3 4 5 6 5. Using the same password for both router and building controller Because the task was to determine if the central BAS server for the building system could be breached, the team proceeded to check whether it was possible to take over the station s building automation controller. Going back to the Nmap scan we notice that port 1234(Edited) was open. Port Protocol State Service Version............... 1234 (edited) tcp open http Building Automation Controller Administration Port 8080 tcp open http D-Link (edited) The team determined that the building controller device had the same password as the router. The team was then able to log in to its administration interface. 6. Remote command execution on the building controller The team had established that it was possible to obtain full control of the individual station. To provide a full assessment of the risk profile for the entire BAS system, the team needed to determine if they could reach that central BAS server. The same password did not work on the central BAS server located at 3.3.3.3. The team had to establish whether it was possible to obtain the password to the central BAS server from the file system of the building automation controller running on port 1234. After doing a Google search, the team discovered that the embedded device software running on the building controller provided diagnostic pages that allowed executing commands. For example, the ifconfig command can be executed by navigating to a URL similar to the one below: Important security note: Had the router password been encrypted or if a different password had been used, it would have been much harder for to the team to get access to the building automation controller. ht tp://1.1.1.1:1234/diagnostics/ifconfig!-a (not the actual URL) By tampering with the URL information and substituting different commands, remote execution on the controller was possible. 8

1 2 3 4 5 6 Note: IBM has notified the embedded device software manufacturer of these issues, and it has taken measures to prevent access to the diagnostics page from a browser. The manufacturer informed IBM that the command set accessible from this interface is limited and that this interface is not intended to be exposed to the outside world. Therefore, to prevent access to this page, we advise that a firewall blocking external connections to the device should be implemented. By exploiting this misconfiguration, the team was able to take control of the controller device including accessing configuration files. By extracting one of those files, the team identified the IP address of the central BAS server and admin credentials to it. 7. Ineffective encryption of central BAS server password The password to the central BAS server was encrypted, which should make it harder to obtain than if it were stored in clear text. However, in this case, the team could decrypt the password by downloading the available Java libraries from the controller device itself and writing a simple Java program to invoke the decrypt method. To prevent such an attack, keys should be dynamically generated based on device characteristics. This way an attacker would need complete access to the system to be able to decrypt the password. In this case such a countermeasure would have proven effective since the team only had file system access. 8. Using a wireless router for Internet access The building system management operator had enabled whitelisting of the IP address as a security defense on the central BAS server. Therefore, logging in directly with the decrypted password was not possible. However, the D-Link router IP was whitelisted and the router had wireless capabilities. Since the team had the password of the router (see issue 4) and all the details of the wireless connection, they verified that it was possible to connect from the parking lot of the building and bypass the IP address restriction. However, this did require being close enough physically to access the router s Wi-Fi network. Once on the Wi-Fi network, the team was able to log in to the central server s administration interface. From there someone could control sensors and thermostats for several other buildings all across the company. 9

1 2 This simulation contained all aspects of penetration testing even a bit of wardriving at the end. The vulnerabilities and misconfigurations that the team found could have allowed someone to gain access to the target system, the main monitoring and control BAS server. IBM worked with the equipment vendors to address these previously unknown security issues, and they all have released patches. We have also worked with the building automation operator to correct the misconfigurations in any systems they managed. Based on our experience, we offer the following best practices that organizations should consider when designing and implementing network security architectures for their building automation system environments: Ensure that all your device software is up to date as new security issues are found every day. Employ IP address restrictions or firewall rules to prevent connections to vulnerable ports. Employ a whitelisting approach when designing a BAS network infrastructure, but be aware that firewall rules on their own are not always enough to prevent attacks. Additional controls should be used when needed. If there is no business justification for remote access, disable remote administration features on the devices of the building automation system. While remote administration pages can be an easy way to manage the devices, they expose the system to serious security attacks. If remote access is required for business reasons, strengthen the controls around logins. For example, enable two-factor authentication, restrict logins to certain known IP addresses, and increase the alert threshold on failed logins. Never re-use or share passwords between devices, and avoid making these passwords predictable. Also, never store passwords in clear text. Employ secure engineering and coding practices for authentication control, execution of shell commands and password encryption. Tools such as IBM AppScan can be used as part of the development process to help identify vulnerabilities in applications and remediate them before the application is put into a production environment. Security Incident and Event Management systems (SIEMs) can be used to scan network activity between the router, the BAS system and embedded devices to identify suspicious activity on the network. 10

1 2 Changing mindsets, policies and technologies to create secure connected buildings will take time, effort and investment, but it can be done. In the meantime, companies must start paying attention to the potential cybersecurity risks within their physical spaces, in order to protect their building, employees and data. Continued research in this field will be critical to raise awareness about a potentially serious problem. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates one of the world s broadest security research, development and delivery organizations, monitors billions of security events per day in more than 130 countries, and holds more than 3,000 security patents. Building automation systems can offer hackers a way in to corporate networks and data. 11

Paul Ionescu, IBM X-Force Ethical Hacking Team Lead Jonathan Fitz-Gerald, IBM X-Force Ethical Hacker John Zuccato, IBM X-Force Ethical Hacker Warren Moynihan, IBM X-Force Ethical Hacker Brennan Brazeau, IBM X-Force Ethical Hacker (Former) The IBM X-Force Ethical Hacking Team conducts penetration testing services designed to identify systems vulnerabilities, validate existing controls and provide a roadmap for remediation. Drawing on the combined expertise of skilled consultants and industry-leading security assessment tools, the team helps simplify the process of identifying and prioritizing weaknesses while reducing risks and downtime by providing specific guidance and recommendations designed to reduce exposures. With this, clients can improve return on investment by helping strengthen protection of their critical IT assets. For more information To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security For more information on IBM X-Force security intelligence, visit: ibm.com/security/xforce Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog 12

Copyright IBM Corporation 2016 IBM Corporation IBM Security Route 100 Somers, NY 10589 Produced in the United States of America February 2016 IBM, the IBM logo, ibm.com, AppScan and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. WGL03110-USEN-00

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback