Last week’s DarkReading edition
a case study on the security of industrial IT systems. Unfortunately, neither in the article of the publication, nor in the original
the researchers give almost no technical details. Nevertheless, this story is still interesting, because it is a fairly rare (fortunately) documented case of a destructive attack on specialized systems, specifically on a building automation system.
Limes Security representatives describe an attack on a smart home system in Germany in October this year. The industrial control system in the office building used the company’s devices KNX… They have one interesting feature that attackers took advantage of: individual controllers can be password protected. The password is not initially used, but can be set remotely. If you forget the password, the configuration of the device cannot be changed, and this can only be solved by sending the controller back to the manufacturer. Unknown attackers, having gained access to the internal network of the organization managing the building, set a password on several hundred devices, thus making the entire “smart home” system inoperable.
So-called BCU Key (bus-coupling unit key) in KNX devices makes it impossible to change the configuration of the controller without entering a password. The attackers clearly knew how such devices work, so the affected controllers were first disconnected from the public network, and then a password was set on them. The device manufacturer was only able to offer a complete replacement and dismantling of the devices, which would have cost the operator approximately € 100,000 for a single building. In the meantime, the building had to be urgently transferred to manual control, as the automatic light switches, blinds, locks and similar devices stopped working.
The affected organization ended up on Limes Security thanks to workpublished in 2017 by one of the company’s experts. There he talks about possible attacks on industrial systems of a “smart home” with somewhat less realistic scenarios, such as “an intruder turns off the light in the corridor before stealing jewelry from the office so as not to get into the camera lens.” Researchers received several damaged devices and quickly found out that it would not be possible to simply return the “password-protected” device to its original state. Brute force the password would take many weeks due to the extremely slow hardware. It is here that I would like to see more technical details, but it is known that we managed to dump the device’s RAM and extract the password from there.
The victims of the attack were relatively lucky: the attackers set the same password on all devices. In theory, attackers could put a unique password on each controller and implement a unique attack followed by extortion, when they take hostage not data, but the performance of an entire building. However, no one ever sent a ransom demand to the affected organization. That is, it was a destructive attack, digital vandalism, a well-thought-out hack, the initiator of which was not looking for profit. The conclusions from this story are simple, but if you think about them in advance, they will save a lot of money and nerves. First, you need maximum protection of the corporate network from intrusion and reliable isolation of the industrial “loop” from other working systems. Secondly, there would be no problem if the owners of the “smart home” system used the features to protection controllers and set the password yourself. When left unused, this feature has caused more problems than benefits.
What else happened:
Kaspersky Lab researchers tell on the use of machine learning technologies to combat spam.
Bleeping computer writes about bugs in updating BIOS for a number of laptops and one Dell desktop. After the update, laptops either did not boot at all, or immediately fell into a blue screen. Fortunately, and unlike many other similar cases, the manufacturer allows a rollback to the previous firmware version, which temporarily solves the problem.
Four vulnerabilities discovered in the corporate messenger Microsoft Teams. They can hardly be called critical, but in some cases (in particular, when using a client for Android), a prepared message can cause the program to crash or reveal the user’s IP address.
At Zoho ManageEngine, software for centralized device management on a corporate network, discovered another critical, actively exploited vulnerability. This is the third such hole in ManageEngine closed this year.
Dear editors wish everyone a Happy New Year! We will resume our weekly broadcast on January 10th.