Malware Built to Hack Building Automation Systems
Originally posted on DarkReading: Researchers dig into vulnerabilities in popular building automation systems, devices.
S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.
Security researcher Elisa Costante and her team at ForeScout last summer created the test malware – a modular design that includes a worm that spreads itself among BAS devices – using intelligence they gathered over the past three years while testing popular BAS products, such as protocol gateways and PLCs for HVAC and access control, for vulnerabilities. During that period, they uncovered 10 security flaws, half of which were cross-site scripting (XSS) bugs in the devices' associated Web application interfaces, along with privilege escalation and buffer overflow vulnerabilities.
Costante shared the team’s research here at S4x19 this week.
While the affected BAS vendors – which ForeScout declined to reveal – have since patched the vulnerabilities, more than 11,000 of the affected devices, mostly in schools and hospitals, remain exposed on the public Internet to the buffer overflow flaw today due to poor patching processes or none at all, Costante says. Some vendors had already fixed the flaws quietly in new versions of the devices.
“You still have a lot of [BAS] devices running on old firmware,” Costante said in an interview with Dark Reading. BAS devices and equipment don’t get updated or replaced regularly: Some 60% of BAS products in place today are around 20 years old, she said.