Centralized building control allows organizations to achieve new levels of efficiency and productivity. Centralizing these processes is desirable, but it comes with risks.
It’s common practice to seek centralized authority in building control, putting one device in charge of many others to accomplish greater efficiency. That is what, for example, Delta’s enteliBUS manager does for corporate and industrial settings, channeling orders and processes for many devices through a single controller.
Yet the risk increases exponentially when management and control become centralized in this fashion. It concentrates all power in a single device, one that is just as vulnerable as any other.
To adequately manage risk in scenarios like these, organizations must be highly aware of the challenge and do whatever it takes to protect devices such as Delta’s enteliBUS manager.
McAfee conducted an experiment on the enteliBUS manager from Delta, which is responsible for managing a plethora of devices in building control environments. The enteliBUS manager is often used to control critical environment settings at server rooms, manufacturing facilities, office space, positive pressure rooms at hospitals, and many others.
McAfee emulated a real-life network in which the enteliBUS manager was in charge of centralized control, and then attacked the system by fuzzing.
Fuzzing is a testing technique that consists of feeding random data to a program. An automated process floods the software with input, putting it under stress and allowing testers to monitor for crashes and memory leaks.
After fuzzing the test environment, McAfee found a problem. When the device handled the excess data, a mismatch in memory size created a buffer overflow vulnerability, one that was ideal for a malicious party to access the device.
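The unchecked-length pattern behind this class of bug, next to a bounds-checked parser and a small random fuzz loop, as an added example that is not McAfee's or Delta's code. The frame layout, buffer size and function names are constructed for illustration and do not describe the enteliBUS protocol.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64  /* fixed receive buffer (constructed size) */

/* Constructed frame layout: [len_hi][len_lo][payload ...] */

/* Unsafe pattern, shown for contrast and never called here: trusts the sender's length. */
int parse_unsafe(const uint8_t *frame, size_t frame_len, uint8_t *out) {
    (void)frame_len;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    memcpy(out, frame + 2, declared);  /* writes past out when declared > BUF_SIZE */
    return (int)declared;
}

/* Hardened: the declared length must fit both the bytes received and the buffer. */
int parse_checked(const uint8_t *frame, size_t frame_len, uint8_t *out, size_t out_size) {
    if (frame_len < 2) return -1;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    if (declared > frame_len - 2 || declared > out_size) return -1;
    memcpy(out, frame + 2, declared);
    return (int)declared;
}

/* Fuzz loop: random frames against the hardened parser. Canary bytes placed
   right after the buffer reveal any overrun. Returns the number of overruns seen. */
int fuzz_checked(unsigned seed, int rounds) {
    struct { uint8_t buf[BUF_SIZE]; uint8_t canary[8]; } mem;
    uint8_t frame[512];
    int overruns = 0;
    srand(seed);
    for (int i = 0; i < rounds; i++) {
        size_t n = (size_t)(rand() % (int)sizeof frame);
        for (size_t j = 0; j < n; j++) frame[j] = (uint8_t)(rand() & 0xff);
        if (n >= 2 && (rand() & 1)) frame[0] = 0;  /* bias toward small lengths so the accept path runs too */
        memset(mem.canary, 0xA5, sizeof mem.canary);
        int r = parse_checked(frame, n, mem.buf, sizeof mem.buf);
        if (r > (int)sizeof mem.buf) overruns++;
        for (size_t j = 0; j < sizeof mem.canary; j++)
            if (mem.canary[j] != 0xA5) { overruns++; break; }
    }
    return overruns;
}
```

Building the harness with a memory-error detector such as AddressSanitizer catches overruns that a canary check can miss.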
The next stage of the experiment involved setting up Delta’s management devices with an HVAC controller and putting the system to the test again. The results pointed in the same direction. After attacking the system, McAfee testers were able to attach custom malware that created a backdoor, allowing them to remotely issue commands to all devices, manager and managed.
McAfee pointed out an important detail: in scenarios similar to this one, knowing the IP address would allow malicious agents to easily attack the devices over the Internet, something that is often possible thanks to Shodan. We have discussed on the Julie Security blog on multiple occasions how Internet-connected devices visible on Shodan are creating serious problems for thousands of organizations.
After the experiment, McAfee contacted Delta and the company proceeded to successfully patch the vulnerability, making this procedure ineffective for those trying to take control of the enteliBUS manager. Nonetheless, the lesson here is clear and evergreen: all network-connected devices must be adequately protected, no matter what. Every single piece in a system is a liability to some degree and a capable malicious party may find a way to get in.
But how do you protect them?
Moving Forward with Our Recommendations
The Julie Security team has some recommendations for your organization to successfully protect your building control devices:
- Make sure your network-connected devices are not publicly visible on the Internet or findable through search engines such as Shodan.
- Implement the right tools for automated monitoring of traffic and its activity on the network, such as Julie Security.
- Segregate devices within the network as much as possible, making it impossible for malicious agents to move freely through devices.
- When working with outside contractors, implement and use a VPN when providing remote access to the network.
- Keep your devices’ software up to date, as many vendors are constantly fixing vulnerabilities such as the one found by McAfee.