BACnet IoT building automation devices vulnerable to attack

An independent security researcher has highlighted another vulnerability in building control systems that could be exploited by cyber attackers and has not been patched by manufacturers.

Days earlier, researchers at McAfee demonstrated how a vulnerability in a commonly used industrial control system from Delta Controls could allow malicious actors to take complete control of the operating system, further highlighting security challenges in internet of things-connected (IoT) devices and the need to focus on security in operation technology (OT) environments as much as business IT environments.

The focus of the latest research is the BACnet data communication protocol for building automation and control networks that is widely used in internet-connected devices in industrial and commercial properties.

The BACnet protocol is designed to enable technicians and engineers setup, monitor and control a wide range of critical systems via built-in web applications, but a vulnerability in the protocol can be exploited by attackers, according to cyber security researcher Bertin Bervis.

The vulnerability can be used to modify the web application code by injecting JavaScript code in the Bacnet device, abusing the read/write properties from the Bacnet protocol itself, he told attendees of the IoT Village at the DEF CON security conference in Las Vegas.

The DEF CON IoT Village was founded by security consulting firm Independent Security Evaluators to bring together security researchers, product manufacturers, solution providers and academics to collaborate on solving the security challenges facing IoT.

According to Bervis, the code is stored in the Bacnet database helping the attacker to achieve persistence on browser devices that are used in building environments or industrial facilities that connect via BACnet.

The web applications allow malicious code modification in “specific elements” taken directly from the protocol level user interaction and protocol level database information changes, he said, which means any data change performed directly from protocol interaction can modify pieces of code in the whole web application in a persistent way.

“Remote attackers can jump from that point to another using this technique to steal sensitive information from technicians or engineers who interact directly with the infected devices,” said Bervis.

“It opens a new door for remote attacks without touching or interacting with the web application in those devices. The attacker only needs an insecure building automation protocol to modify the data.”

Bervis, an independent cyber security researcher from Costa Rica whose research is focused on analysing web servers in the wild and exploiting their vulnerabilities, said he disclosed the vulnerabilities to the manufacturers of the affected devices, but received no response.

In contrast, the McAfee researchers said that when they contacted Delta Controls, the company responded with a beta version of a patch that the researchers were able to confirm was effective in blocking the attack they had developed.

“This is our idea of a success story – researchers and vendors coming together to improve security for end users and ultimately reduce the attack surface for the adversary,” said Mark Bereza, the security researcher at McAfee Advanced Threat Research who discovered the vulnerability.