Pentagon, FBI Affected by Backdoored HVAC Software?

Looks like undocumented backdoors have led to another breach… This time the culprit seems to be older versions of the Niagara AX Framework software used by an unnamed company in New Jersey. With no firewall to block external access, malicious hackers were able to gain access to the HVAC system and interact with a GUI that provided floor plan layouts of various offices.

Beyond its various environmental control functions, organizations can also configure the Niagara software to manage surveillance systems. This particular security breach is significant since the same software is installed in over 300,000 organizations throughout the world, including the Pentagon, FBI, IRS, and other government agencies. We imagine a quick Shodan search and an IP ownership check might yield some interesting findings.

Look … we know it’s convenient for administration to hook these industrial control systems up to the Internet … and many of us would argue that this practice should be banished altogether … but geez … at least put them behind a firewall.

via Arstechnica.com

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a “Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the memo, which was issued in July. “All areas of the office were clearly labeled with employee names or area names.”

An IT contractor for the unnamed business told FBI agents the “Niagara control box was directly connected to the Internet with no interposing firewall,” according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.

Continued here.

#####

Do you think the Pentagon, FBI, and other government organizations are affected by this backdoor? Post your comments below. Today’s post pic is from ControlConsultants.Inc.

9 comments for “Pentagon, FBI Affected by Backdoored HVAC Software?”

  1. December 14, 2012 at 1:12 am

    #NoVABlogger Niagara AX Framework Software Compromised http://t.co/QJXgAUCa

  2. December 14, 2012 at 2:00 am

    #NOVABLOGGER: Niagara AX Framework Software Compromised http://t.co/5M9toqeq http://t.co/IntXkFbO

  3. December 14, 2012 at 2:15 am

    BLOGGED: Niagara AX Framework Software Compromised http://t.co/mHDZPJuq

  4. December 14, 2012 at 3:51 am

    Niagara AX Framework Software Compromised http://t.co/yQSRbr5K

  5. December 14, 2012 at 12:12 pm

    Niagara AX Framework Software Compromised /read in @feedly http://t.co/Ik1aF10i

  6. December 14, 2012 at 8:02 pm

    “@grecs: BLOGGED: Pentagon, FBI Affected by Backdoored HVAC Software? http://t.co/tdAK5Gt8 //Mmm?”

  7. December 15, 2012 at 12:51 am

    Pentagon, FBI Affected by Backdoored HVAC Software? https://t.co/FSqSCnFG

  8. December 18, 2012 at 9:41 am

    Tridium understands the importance of security and is committed to helping our customers make any necessary adjustments to their Niagara software to ensure the highest security. The incident discussed in the article documents a Niagara system accessible from the open internet, configured with the guest account feature enabled with administrative privileges. The systems integrator needed to take multiple specific actions to enable this.

    As shipped, the NiagaraAX guest account is turned off. The guest account had to be assigned specific privileges before it could do or see anything, such as allowing changing HVAC set points, reading histories, managing alarms, etc. We strongly discourage this. The Niagara guest account feature is intended for use only in demo systems. Over the past several months, we’ve issued security bulletins, released upgraded software (http://www.tridium.com/cs/tridium_news/security_patch_36) as well as released NiagaraAX 3.7 with expanded support for cryptography with full support for PKI and encryption for core connection types.

    We strongly encourage all Niagara users to review their security policies and recommend that Niagara systems operate behind a firewall or VPN.
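The post’s “at least put them behind a firewall” point and the Tridium comment above together describe two misconfigurations: a guest account that is enabled and granted real privileges, and a controller sitting directly on the Internet with nothing in front of it. The following is an added example, not code from the original post, from Tridium, or from the Niagara product; it audits a constructed description of a building-automation controller for exactly those two conditions. The `Account`/`Controller` data model, the privilege names and the sample hosts are assumptions for illustration and do not reflect Niagara’s real configuration format.

```python
"""Added example (not from the original post or from Tridium): a small
policy audit for building-automation controllers.  It flags the two
conditions the FBI memo and Tridium's comment describe:
  1. a guest account that is enabled at all, and worse, one that holds
     privileges that change the process (set points, alarms, admin);
  2. a controller reachable from the Internet with no firewall or VPN.
The data model and privilege names are assumptions for illustration."""

from dataclasses import dataclass
from typing import List, Set

# Privileges that let an account change the building's state rather than
# merely look at it (assumed names, not Niagara's own permission model).
WRITE_PRIVILEGES = {"admin", "change_set_points", "manage_alarms", "config"}


@dataclass
class Account:
    name: str
    enabled: bool
    privileges: Set[str]


@dataclass
class Controller:
    host: str
    accounts: List[Account]
    internet_reachable: bool   # has a public address or a port forward
    behind_firewall: bool      # an interposing firewall restricts sources
    vpn_only: bool             # management reachable only over a VPN


def audit(ctl: Controller) -> List[str]:
    """Return a list of human-readable findings; empty means no issue."""
    findings: List[str] = []
    for acct in ctl.accounts:
        if acct.name.lower() != "guest" or not acct.enabled:
            continue
        write = sorted(acct.privileges & WRITE_PRIVILEGES)
        if write:
            findings.append(
                f"{ctl.host}: guest account enabled with write/admin "
                f"privileges {write}")
        elif acct.privileges:
            findings.append(
                f"{ctl.host}: guest account enabled with read privileges "
                f"{sorted(acct.privileges)} (guest is for demo systems only)")
        else:
            findings.append(
                f"{ctl.host}: guest account enabled (guest is for demo "
                f"systems only)")
    if ctl.internet_reachable and not (ctl.behind_firewall or ctl.vpn_only):
        findings.append(
            f"{ctl.host}: directly reachable from the Internet with no "
            f"interposing firewall or VPN")
    return findings


# Constructed sample data.  The first controller mirrors the incident as
# described on the page; the second is the hardened shape Tridium recommends.
EXPOSED = Controller(
    host="hvac-ctl-1.example",
    accounts=[
        Account("admin", True, {"admin"}),
        Account("guest", True, {"admin", "change_set_points", "read_histories"}),
    ],
    internet_reachable=True,
    behind_firewall=False,
    vpn_only=False,
)

HARDENED = Controller(
    host="hvac-ctl-2.example",
    accounts=[
        Account("admin", True, {"admin"}),
        Account("guest", False, set()),
    ],
    internet_reachable=False,
    behind_firewall=True,
    vpn_only=True,
)


def audit_all(controllers: List[Controller]) -> dict:
    """Map each host to its findings, for reporting across an estate."""
    return {c.host: audit(c) for c in controllers}


if __name__ == "__main__":
    for host, items in audit_all([EXPOSED, HARDENED]).items():
        print(host, "OK" if not items else "")
        for line in items:
            print("  -", line)
```

Run as-is it reports two findings for the exposed controller (guest with write privileges, and no firewall or VPN) and none for the hardened one. The same shape of check is easy to feed from an asset inventory: the point is that both conditions had to be true at once for the incident on the page to happen, and either one on its own is worth an alert.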

  9. January 26, 2013 at 3:09 am

    How Are Infosec Pros Affected by Pentagon’s 46K Layoffs Plans? | NoVA Infosec – https://t.co/5AjqQoee
