The headquarters of one of Australia’s national security agencies was left vulnerable to cyber attack for at least five months last year due to a vulnerability in its building management system.
Security researcher Edward Farrell of Mercury Information Security Services discovered the problem in December 2015. He was doing some work for a customer when a string search in data he had on internet-facing assets identified a facility “I knew should not have been on the internet”.
Subsequent research identified that the building - which iTnews is not able to name for legal reasons, but which is the headquarters for one of Australia’s national security agencies - was vulnerable to two potentially dangerous software flaws.
One, an access control bug, allowed anyone to view certain system interfaces in read-only mode because the administration panels didn’t enforce access control and issue session cookies.
The second was a cross-site scripting vulnerability, which could be used to steal session cookies or compromise administrator sessions.
The bugs would allow an attacker to, among other things, direct hardware inside the building to perform certain actions, and access detailed maps and data on the facility itself.
Traditional IT security focuses on protecting computers and data centres, but in recent years building management systems (BMS) have become more of a target.
These systems monitor and control building operations like electrical power, elevators, electronic card reading, and video surveillance, and have not historically been designed with cyber security in mind.
Exploitation of these systems, however, has the potential for highly damaging consequences: in 2013 two security researchers revealed how easily an attacker could gain administrative access to the building management system used by Google in its Sydney headquarters, install a rootkit and take over any other systems on the same network.
Kaspersky Labs says over 40 percent of all industrial control systems - including building management systems - showed signs of a cyber attack in the second half of last year.
Farrell was able to identify the flaws in the Australian national security agency’s building management system because its instance of the software was accessible on the open web; he said engineers often do this on purpose for operational access reasons.
He also spotted that a lot of other customers using the same building management software were similarly vulnerable.
Mercury ISS presented its findings of a working vulnerability to the BMS vendor - who iTnews is similarly unable to name - and CERT Australia. The latter started work with the facility in early 2016 to address the problem, alongside a handful of the vendor’s other customers.
How not to handle a vulnerability report
However, the firm found the vendor less than receptive to notification of the vulnerability.
“They were apathetic about what I had found,” Farrell told iTnews.
“This was a deer in the headlights moment for them.”
By this point Mercury ISS had mapped out the entire IPv4 space to identify other vulnerable systems and found as many as 100 other customers at risk of the same vulnerability.
The firm told the vendor it had 120 days to patch the flaws, and started alerting its other users to the problem. Still no response.
It wasn’t until Mercury ISS informed the vendor Farrell was planning on presenting his findings at the Wahckon hacker conference in Perth that it stirred into action.
“We were observing the vulnerable systems and started noticing a bunch of them were getting patched,” he said.
“I was due to fly out on April 29 2016 [to Wahckon in Perth]. I received a letter two hours before my flight that threatened legal action if I presented the talk in its current form. My lawyer estimated they could argue millions of dollars in losses.”
Farrell subsequently pulled the talk and decided not to attend the conference.
At this year’s Wahckon on May 6-7, however, he will finally present a sanitised case study after coming to a legal agreement with the vendor to avoid identifying them or the customer.
He plans to juxtapose the BMS vendor’s response with that of a similar local outfit to provide some lessons in handling a vulnerability report.
It’s still unclear if the vulnerability has been patched for the national security agency - its instance of the software has been pulled down from the open internet.
However, it appears the vendor released a patch for the problem to customers in August last year.
But Mercury ISS has only been able to verify that six customer instances of the software facing the internet have been patched. A further 36 have either been taken offline or firewalled.
Another 36 remain both online and unpatched.
The firm is also still finding new vulnerable instances of the software online, Farrell said.