Tens of thousands of Internet-connected devices used to manage large buildings, such as hospitals, are vulnerable to attacks that could give hackers remote access to alarm, elevator and climate-control systems.
The flaw, which affects hardware and software made by Tridium of Richmond, Va., and marketed under the Niagara AX name, was unveiled at the Kaspersky Security Analyst Summit in San Juan, Puerto Rico, last week. (Tridium is a division of tech and aerospace giant Honeywell.)
Cylance security researchers Billy Rios and Terry McCorkle demonstrated a custom-made script that gave them access to critical building controls in less than 30 seconds.
"We actually just used this against one of our premium clients a couple weeks ago," Rios told the tech blog Ars Technica. "They were pretty shocked. They took their device off the Internet before the engagement was over."
Rios and McCorkle said an Internet scan revealed more than 21,000 Niagara industrial-control-system (ICS) products, many being run by military, medical and other sensitive institutions. Attacks and disruptions targeting such facilities could have catastrophic results.
Last year, the researchers found a different flaw, since patched, in Tridium's Niagara ICS software that also allowed hackers to gain unauthorized entry. Attackers exploited that flaw last year when they hacked into a New Jersey company's climate-control system.
Despite industrial control systems' integral role in infrastructure management, information-technology administrators at large facilities may be unaware the devices even exist. As Ars Technica noted, building systems are often installed by third parties in forgettable places.
The convenience of managing an entire facility from a single control room, combined with a surefire way to cut costs, makes ICS devices like Niagara attractive.
However, as many security experts have noted, convenience often comes at the cost of compromised security, and holes in ICS facilities can be easily found.