Google immediately disconnected the affected system from the Internet

May 6, 2013 14:45 GMT

Cylance security researchers Terry McCorkle and Billy Rios, who specialize in identifying vulnerabilities in industrial control systems (ICS), have discovered that the building management system at Google Australia’s Wharf 7 headquarters could have been compromised by hackers.

The building control system is Tridium’s Niagara AX, which has been known to contain security holes.

The vulnerabilities uncovered by the researchers have been patched by Tridium, but because Google hadn’t applied the patches, Rios and McCorkle managed to gain access to control panels, Wired reports.

Although they didn’t touch anything, they found panels that showed building blueprints, water pipe diagrams and alarms.

McCorkle says they could have installed a rootkit to take over the operating system.

“We could have taken over the operating system and accessed any other control systems that are on the same network as that one. We didn’t do that because that wasn’t the intent…. But that would be the normal path if an attacker was actually looking to do that,” the expert told Wired.

After being notified, Google immediately disconnected the control system from the Internet.

The search giant’s representatives claim that the control panels accessed by the experts could only have been utilized to control heating and air conditioning systems. An incident report made by Google showed that electricity, doors, elevators and other automation could not be controlled.

Tridium ICS has often been in the spotlight because of security holes. The company has released patches for many of the vulnerabilities, but it’s clear that not all of its customers have applied them.

While in this case the vulnerabilities have been discovered by security researchers, flaws in ICS are abused by malicious cyber actors as well.

For instance, in December 2012, an FBI memo revealed that cybercriminals breached the systems of a New Jersey air conditioning company.