ICS Security Attack Enables Remote Control of Buildings
You can “[m]anage your entire central plant from one controller.”
That marketing boast refers to the capabilities of the enteliBUS control system from Delta Controls.
The ease of use that connected industrial systems offer can also make them a single point of failure in a cyberattack, potentially giving an adversary control over industrial and building assets. For instance, a hacker targeting such a system could disable an HVAC system’s heating or cooling during an extreme weather event. Such an ICS security exploit could also cause the temperature to spike in a manufacturing facility or a data center. Networked lighting and access control systems would also be fair game. Because the enteliBUS manager and other similar products are programmable BACnet controllers, potential targets could include virtually any enterprise or industrial environment housed within a building. A blog post from McAfee also points out that such BACnet systems are used to control the positive pressure rooms within a hospital, which are responsible for stopping contaminants from entering operating rooms.
On stage at McAfee MPOWER, Doug McKee, a senior security researcher at the company, showed off the potential of a zero-day exploit targeting the enteliBUS system in a live demo. “One of the things we were able to do is to exploit this vulnerability 100% remotely,” McKee said.
Demonstrating the Damage
In an on-stage demo, McKee proceeded to demonstrate how easy it is to exploit the CVE-2019-9569 vulnerability, for which a patch is available. With a simulated data center that was rigged up for the event, McKee said an attacker using the exploit could control networked pumps, valves and fans in the imaginary data center’s HVAC system.
A summary describing the ICS security vulnerability in the National Vulnerability Database also indicates that it could enable a hacker to cause a denial of service. The underlying problem that made the attack possible, an inconsistency in managing network traffic, created a buffer overflow, a vulnerability type the U.S. government documented in a 1972 Computer Security Technology Planning Study. According to Wikipedia, the first documented case of a buffer overflow attack occurring in the wild was in 1988.
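The article says only that an inconsistency in handling network traffic led to the overflow and gives no detail of the Delta Controls defect. As an added illustration of that class of bug, not code from McAfee, Delta Controls or the article, and assuming nothing about the actual CVE-2019-9569 flaw, here is a minimal BACnet/IP (BVLC) datagram parser in C that rejects any frame whose declared length disagrees with the bytes that actually arrived, the consistency check a length-trusting parser omits; the two sample frames are constructed, not captured from any device.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* BACnet/IP (ASHRAE 135 Annex J) BVLC header: type 0x81, function code, then a
 * 16-bit big-endian length covering the whole BVLL message, header included. */
#define BVLC_TYPE_BACNET_IP     0x81
#define BVLC_ORIGINAL_UNICAST   0x0A
#define BVLC_ORIGINAL_BROADCAST 0x0B
#define BVLC_HDR_LEN 4
#define MIN_FRAME_LEN (BVLC_HDR_LEN + 2 + 2)  /* + NPDU version/control + APDU type/service */
/* Constructed sample frames, not captured from any real device. */
static const uint8_t kWhoIs[] = { 0x81, 0x0B, 0x00, 0x08, 0x01, 0x00, 0x10, 0x08 };
/* Identical, except the header claims 256 bytes while only 8 actually arrived. */
static const uint8_t kLengthLies[] = { 0x81, 0x0B, 0x01, 0x00, 0x01, 0x00, 0x10, 0x08 };
/* Returns the APDU service choice (0x08 = Who-Is) or -1 for a malformed datagram.
 * Every offset is checked against pkt_len, the byte count that really arrived,
 * and the sender's declared length must agree with it before it is used at all. */
int bvlc_service_of(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < MIN_FRAME_LEN || pkt[0] != BVLC_TYPE_BACNET_IP)
        return -1;
    uint16_t declared = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (declared != pkt_len)            /* the inconsistency a trusting parser misses */
        return -1;
    if (pkt[1] != BVLC_ORIGINAL_UNICAST && pkt[1] != BVLC_ORIGINAL_BROADCAST)
        return -1;                      /* only the two plain NPDU carriers handled */
    if (pkt[4] != 0x01)                 /* NPDU protocol version is always 1 */
        return -1;
    /* NPDU control bits 7/5/3 (network msg, DNET, SNET) shift the APDU: reject, don't guess. */
    if (pkt[5] & 0xA8)
        return -1;
    if ((pkt[6] >> 4) != 0x1)           /* PDU type 1 = Unconfirmed-Request */
        return -1;
    return pkt[7];
}

/* Copies the NPDU+APDU payload into a caller-owned fixed buffer and returns the byte
 * count, or -1. The copy is bounded by pkt_len and dst_len, never by the declared length. */
int bvlc_copy_payload(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len)
{
    if (bvlc_service_of(pkt, pkt_len) < 0)
        return -1;
    size_t payload = pkt_len - BVLC_HDR_LEN;
    if (payload > dst_len)
        return -1;
    memcpy(dst, pkt + BVLC_HDR_LEN, payload);
    return (int)payload;
}
```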
In the stage presentation at McAfee MPOWER, McKee showed how malware developed to exploit the vulnerability permitted him to toggle HVAC controls and an alarm on and off via a reverse shell. An alarm hooked up to such a system could be linked to a security information and event management system, or send an alert to a facilities manager via an SMS or email message. “With a few keystrokes, I can go ahead and turn on the alarm,” McKee said. Addressing McKee on stage, Steve Grobman, McAfee’s chief technology officer, said: “Knowing your sense of humor, you would probably be sitting in the parking lot, and when the person who’s responsible for [the data center facility] drives in, you would probably turn the alarm back off.”
But hackers could carry out more cunning attacks that accomplish more than just annoying maintenance and facilities management workers. For instance, for a liquid-cooled data center or any facility with a boiler room or a water-cooled HVAC system, an attacker could shut off networked pumps at will. “My HVAC back at home doesn’t use water pumps, but industrial systems do. And they’re providing critical cooling for mission-critical components,” Grobman said.
After the pump demonstration, McKee went on to turn off the HVAC system’s damper to block airflow, followed by shutting off a valve.
The vulnerability would also enable an attacker to manipulate data, changing temperature readings or other variables.
Action at a Distance
Because the ICS security attack is exploitable over the internet, an adversary could essentially carry out such an exploit from anywhere. According to a McAfee blog post, an August search on the IoT search engine Shodan.io turned up 1,600 enteliBUS Manager devices. A search for “eBMGR” on Oct. 4 turned up almost 500 such devices, with the bulk of them in North America. Shodan flagged a portion of those devices, however, as honeypots. A number of the eBMGR devices displayed on Shodan had version 3.40.571848 firmware installed, which was the vulnerable version McAfee exploited in its labs. Likely, devices using earlier firmware are also at risk.
McAfee first shared its research regarding the eBMGR devices with Delta Controls on Dec. 7, 2018. Delta Controls responded to McAfee’s vulnerability disclosure within a matter of weeks and, as mentioned before, released a patch to address this exploit. “Once that patch was ready to go, they sent it back to us, and I personally verified it 100% remediates this vulnerability,” McKee said.