
G'day guys, my name's Edward Farrell. I've come over here from Sydney, Australia, as part of an annual pilgrimage of Australians to hacker summer camp, so thanks for having us. It's a good wake-up being here. It's my first time presenting at any of these events, and I guess this presentation has been an interesting piece for me for the last 18 months. The whole "fear and loathing" piece that came off the back of this was from a presentation I was due to give in 2016 at an event in Perth.

So what had taken place was: I came across a building control system that shouldn't have been out on the internet while preparing for another client in late 2015, and then, in whatever spare time I had, I decided to do a bit of research on it, off the back of which I found a whole suite of vulnerabilities that allow you to get access to these systems without any usernames or passwords or anything. Off the back of that I then started researching: all right, where else do these building systems exist? I also managed to get permission to have a look at one of them in a little bit more detail, and off the back of that discovered a very rudimentary XSS bug.

Over early 2016 I spent my time going through and trying to do a bit of coordinated disclosure with CERT and a few other organizations in Australia, including the vendor, for whom this was pretty much their first time ever dealing with anything in security. The vendor really didn't have a very positive reception to anything we found, and probably by about early February they pretty much gave up on talking to us. So CERT, myself and a couple of other organizations spent a lot of our time advising people and giving them the heads-up on this particular bug. Now, I was scheduled to present on the first weekend of May over in Perth, and in the lead-up to that we were actually trying to coordinate with a bunch of organizations: hey, probably a good idea to take this offline. The vendor started to poke and prod at what we were doing, and off the back of this I received a legal threat saying that everything I was doing was illegal, I was a criminal, and "if you proceed we will sue you". Now the reality is, as far as I'm concerned, I don't really think we did anything truly illegal; in one case we actually had permission. But at the end of the day I really couldn't go any further forward with this, for the simple fact that I could not afford to stay in court for the next couple of years whilst this person carries on with this legal threat. So if there's anything we learned from Team America, you know, letters aren't particularly effective when it comes to dealing with people.

So as of May this year, we still identified that whilst the vendor had in fact released a patch, and did it quite quietly (even though their whole disclosure policy on the patch included some text from the original release we gave them), at the end of the day within Australia there were still about 45 percent of these systems out there that were still vulnerable, because the vendor really didn't follow through and advise people. So this whole shifty and hidden-away method with which they approached security hadn't really helped at all. Now there was also another 46 percent of facilities that CERT and I had been talking to who had in fact firewalled off these systems. Now worldwide I expect there's another 500 of these, but I'm not really going to dive into those, for the simple fact that, well, there could actually be further ramifications. So I guess my point with this whole piece is that with this initial engagement I had, the litigious approach that had taken place really didn't achieve a great deal, and when this was all taking place I couldn't help but think of Dan Geer's quote from a few years ago: that product liability such as this is really going to cause us no more harm than good in the future.

Now look, that being said, I actually had a positive experience following my research on this BMS vendor's system. So I was effectively going through the Australian public-facing internet and I came across another series of building control systems that were managed by an Australian vendor; the product was from an Australian vendor. Now the vendor has asked that their name remain withheld whilst they still go through a few other bits and pieces, but I had some initial observations and decided to dive a little bit further, and so since January of this year I've been doing a bit of pro bono work for them, so I can in fact go through some of the facilities that we did identify. These included an Australian Air Force base, as well as 52 Martin Place, where the New South Wales Premier and Cabinet are; this is pretty much the executive branch for the state of New South Wales, and it was also co-located with New South Wales Treasury as well. But the one building that really stood out was a facility called ANSTO Building 80; this houses a 20 megawatt research reactor, the only nuclear facility in Australia. Now in my conversation with ANSTO they had stated that the system there was only responsible for administering the administrative facilities at Lucas Heights, and there was no impact on the actual reactor itself. So whilst that was the case, it was still enough for us to go: hey look, we probably should be taking this thing offline, if not for any sort of second- or third-order effects an attack on that sort of system would result in, then just for the media value of providing assurance for a facility that just happens to be managing a nuclear reactor.

So off the back of working with this vendor we've identified several other high-risk facilities, and we've coordinated getting them offline or at least putting them behind an OpenVPN. The application itself had heaps of cross-site scripting vulnerabilities, but the really significant one (and I haven't provided full details on the URL here) was that it was possible to effectively reset the administrator's password and get full control of the system, and then there were heaps of other low-risk issues. So all in all we did this whole recon piece and identified 200 internet-facing facilities, most of which have been patched or are in the process of getting patched, just by taking a more collaborative approach with the vendor, with CERT and with system owners. Now the vendor is also looking at, and in fact I believe has now implemented properly, having OpenVPN in front of a lot of these systems just for some extra security, but they've now got a constant review and remediation program in place without any lawyers, without any overpriced consulting and without any Gucci check. So off the back of this, this was actually a really big win just by taking a far more collaborative approach than the previous organization. So that ends my talk, as much as I could present in ten minutes. Are there any questions?

So for those of us who aren't really familiar with building management systems, what are the scary things that are controlled by a building management system that you could take over and do bad things with?

Interesting question. Interestingly enough, I had a good chat with the first vendor and off the back of that we were able to extrapolate a few interesting attack scenarios. So I mean the more significant one that we picked up on was: well, if they're managing air conditioning systems that are responsible for keeping a data centre cool, what happens if you turn off those air conditioners? But the more peculiar one that didn't really hit me was that a lot of building systems are run by companies that lease out the building, and they usually run on pretty thin margins. So if all of a sudden you're able to mess with their electricity bill, and given the cost of electricity in Australia that would be very easy, you could quite easily bankrupt someone just by increasing their power bill. But it would depend on a case-by-case basis on what's actually plugged in on the other side. So, two simple examples there.

Since we started a few minutes early with Ed's talk, as we transitioned faster than I expected, if you have questions for Daniel, he said he can also take some questions.

Presumably at this point you've contacted several vendors over the course of this. What percentage would you say react by getting on the problem versus the ones that react by threatening legal action?

So the reality is we've only been working with two vendors, and both have had drastically different responses. One has put their head in the sand and then threatened legal action after that, whereas this other one really took a very open and honest approach. Now I have started looking around a few other systems that are facing out to the internet, but I haven't really been approaching them, just because of that really bad experience I had first up. I'm now kind of, and this is the other problem, you then start getting reluctant to take that more open approach just because, you know, the rewards may not necessarily be there but the risk is significant.

So what you described here with BMS rings very similar to what we see in SCADA and industrial control systems. Now you mentioned establishing the security lifecycle program with them, so you've brought them from zero to having an awareness and actually building out a process. How did you take an organization that, by example here, didn't have a good skill set or a good fundamental understanding in the first place, and educate them to the need and then actually build that process with them?

That's interesting. So look, I come from a pen testing background, before that network engineering, so I tend to have that sort of very narrow focus, and taking that approach of "hey guys, here's something that's kind of interesting, you may want to be thinking about these controls being in place", taking them through that sort of initial "let's actually start having a look at what's here" and breaking it down, that was sort of my initial standpoint with approaching these guys. But off the back of that I think it was also interesting where I was hearing on their side: well, this is actually what our concerns are. So there's kind of a good mix, you know, engaging with that vendor, of understanding what they're after and bringing that little bit I know about what problems do exist out there.

We have time for one more question.

I was curious about the work you said you were doing pro bono. What was the decision to go pro bono versus setting up some contract or whatever?

I think it was twofold. One is, you know, the whole problem with building management systems in Australia, and technology as a whole, is that if I was to do it as a consulting engagement it would actually be expensive. I would also argue that it would be a bit of a conflict as well; I don't believe in ambulance-chasing, so I think that was a big reason why I chose to go pro bono. It also meant that I can actually be a little bit more open, a little bit more honest about it, and even come out and talk about these issues quite openly, without disclosing too much even still. So I think by taking a pro bono approach, it meant I could actually give an honest opinion, but it also meant that I could actually talk about this a little bit more. Whereas, say, if it was a paid customer, it would have taken longer to get things done; for me, I would have actually felt quite guilty about taking money off, you know, finding these bugs in the first place without any solicitation; and thirdly, I would be compelled to actually not talk about it and turn this into a lesson, which is really where I wanted to take this research off the back of the legal threat thing.

Thank you very much, and again, if you would like to continue the conversation with these presenters, please follow them on Peerlyst. Thank you. [Applause]