Researchers have discovered unpatched vulnerabilities in the physical controls to Google Australia's office that would have allowed an attacker to plant malware and access air conditioning systems within the Pyrmont building.
The office runs on the Tridium Niagara AX building management system in which the researchers previously found and reported serious vulnerabilities.
Patches were issued last year for the directory traversal and weak credential storage flaws which could have resulted in privilege escalation.
Cylance researchers Billy Rios and Terry McCorkle obtained the root password to Google's system and tapped into control panels that could have permitted system overrides and alarms to be modified.
They reported the flaws to Google which has since pulled the system offline.
"A quick interrogation of the Tridium device yields a wealth of information about the specific platform version and OS specifics (QNX running on an embedded device)," the researchers wrote.
"Armed with a few pieces of data, we utilised a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file."
The file contained usernames and hashed passwords along with device configuration data.
While Google was no longer vulnerable, the researchers found more than 25,000 similar systems on the internet.
"If you have a corporate campus or a modern building of any sort… you’re likely running similar systems wiresomeplace on your network," they wrote.
Google told Wired the system was not linked to the corporate network or other automation systems and could not be used to control electricity or elevators.
The researchers credited Google for quickly pulling the system offline.
"We also applaud Google for creating a program like the VRP (Vulnerability Rewards Program) and giving us the chance to share our story with a wider audience. "
"At the time of this blog post, this exact issue affects tens of thousands of devices on the internet and thousands of different organisations."