Suppliers of intelligent building materials (connected buildings, smart buildings), have recently published product updates without warning that vulnerabilities have been previously fixed, resulting in web access to the security systems of the schools and hospitals in question. Building automation systems are inherently subject to significant security vulnerabilities because they are basically designed as computers containing parallel information. Even if security professionals are responsible for ensuring the integrity of data security (in the cloud or on the premises), the security of building automation systems is often ignored and not tested because rented buildings may be equipped with non-negotiable automation systems installed by the management company. In response, ForeScout engineers developed proof-of-concept malware for intelligent buildings to demonstrate the urgency for security managers to address vulnerabilities in building automation systems.
ForeScout researchers have discovered significant vulnerabilities that allow remote attackers to execute arbitrary code on a target device, thanks to the supplier’s use of a hard-coded key or the ability to exploit a buffer overflow. The name of the supplier in question was never disclosed and the supplier never revealed to its customers that a vulnerability existed. The absence of disclosure can lead to customer errors such as lack of updates.
Several vulnerabilities were found with different degrees of severity on the Loytek and EasyIO systems. However, researchers have indicated that these vulnerabilities are easy to find and fix, but are also easy to exploit. Building automation systems can be easily located on the Internet using search engines such as Shodan and Censys. With this data, “researchers discovered 279 cases of devices affected by low severity vulnerabilities, 214 of which were potentially vulnerable”. In addition, for the most serious vulnerabilities, “21,621 devices have been found, of which 7,890, according to the survey authors, are potentially vulnerable – many are in hospitals and schools“. These analyses therefore reveal that these systems could be accessible to hackers on the Web.