A major vulnerability was found in an industrial control system that is widely in use by the military, hospitals and other entities. The flaw would allow an attacker to control an electronic door lock, elevators, boiler systems, lighting systems, video cameras, alarms, electricity and other crucial building functions.
The issue is that a config file within the Tridium Niagara AX Framework can be accessed remotely, and it contains all of the system's configuration data, such as usernames and passwords. This results in the ability to control all the systems managed by it. The platform is written in Java, and in the last two years Cylance security researchers Billy Rios and Terry McCorkle have reportedly found numerous vulnerabilities in the Tridium system along with other industrial control systems.
The flaw basically allows root access to the virtual machine that all of the Tridium software is running on. A backdoor module was developed that would allow the system to continue to be accessed once it was initially attacked, but naturally it won’t be publicly released.
“We will be issuing a security patch that resolves the problem by Feb. 13 and are alerting our user community about this today,” spokesman Mark Hamel said in a statement. “The vast majority of Niagara AX systems are behind firewalls and VPNs — as we recommend — but clearly, as Rios and McCorkle have shown, there are many systems potentially at risk.”
The company has been aware of the issue since last December and has since been working on a patch to fix the vulnerability, which is expected to be released this month.
Last year Tridium claimed attacks on its systems were unlikely because hackers don’t traditionally target obscure systems such as theirs. Quite an assumption for a platform that millions of control systems employ across the globe. With a critical environment such as this, a system would normally be locked down to only local access and restricted from the internet or other systems connected to the internet. Tridium’s documentation instead boasts that it’s ideal for remote management over the internet.
It’s a little scary because of the clients that use this system, including the FBI, Drug Enforcement Agency, U.S. Marshals Services, the IRS and the Passport Office, along with many government offices and medical facilities. Imagine a hacker shutting down critical life systems in a hospital.
Massive and major companies/organizations are using these systems and there is no room for error in some cases. I guess it’s good that researchers found the exploit before a real attacker did and caused some real damage!