Tridium ICS Flaw Allows Hackers to Remotely Control Critical Building Facilities

The affected systems are used by the military, hospitals, hotels and others

  Experts have identified new vulnerabilities in the Niagara AX Framework
At the latest Kaspersky Security Analyst Summit, security researchers Billy Rios and Terry McCorkle revealed the existence of a vulnerability in Tridium’s Niagara AX Framework that could be leveraged by cybercriminals to cause some serious damage.

According to Wired, the security hole that plagues the industrial control system (ICS) can be exploited by an attacker to remotely access a configuration file that stores sensitive information such as usernames and passwords.

With this information in hand, hackers could take over a building’s critical facilities, including elevators, alarms, surveillance systems, electronic door locks and even lighting.

The experts have identified a total of 21,000 Tridium systems that are accessible on the Internet. Furthermore, the flawed framework is used by military facilities, hospitals, airports, hotels and even by Boeing’s manufacturing facility in Renton, Washington.

Tridium representatives say that they have been aware of the issues since last December, when they were notified by the researchers. They’re currently working on developing a patch, which is expected to be released by February 13.

However, they argue that most Niagara AX systems are behind firewalls and VPNs. On the other hand, they admit that a large number of systems are potentially at risk.

In August 2012, Tridium released patches to fix several vulnerabilities in the Niagara AX framework identified by the same researchers. At the time, Rios and McCorkle stated that it took the company almost a year to address the flaws. They even called the vendor “unresponsive.”

In December, the US Federal Bureau of Investigation revealed that the systems of a New Jersey air conditioning company had been breached by hackers. The company had also been using Tridium’s Niagara AX Framework.