Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 7 Feb 2013 01:40:34 -0600 (CST)
http://www.wired.com/threatlevel/2013/02/tridium-niagara-zero-day/

By Kim Zetter
Threat Level
Wired.com
02.06.13
SAN JUAN, PUERTO RICO -- A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.
The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely access the system’s config.bog file, which holds all of the system’s configuration data, including usernames and passwords to log in to the framework and control systems managed by it.
Billy Rios and Terry McCorkle, noted security researchers with Cylance, who have found numerous vulnerabilities in the Tridium system and other industrial control systems in the last two years, demonstrated a zero-day attack on the system at the Kaspersky Security Analyst Summmit on Tuesday. The attack exploits a remote, pre-authenticated vulnerability that, combined with a privilege-escalation bug, gave them root on the system’s platform, which underlies the devices.
“The platform is written in Java, which is really, really good from an exploitation standpoint,” Rios said. “Once we can own the platform, a lot of the other stuff is very, very straightforward [to attack].” 

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
Previous By Date Next
Previous By Thread Next

Current thread: