
Hacking Google's HVAC Systems - ssclafani
http://cylance.com/techblog/Googles-Buildings-Hackable.shtml
======
driverdan
Just a reminder to anyone interested in doing this kind of research, what
Billy did here is illegal under CFAA. As we've seen from recent cases, he
could be prosecuted and imprisoned even if Google declined to press charges.

~~~
CaveTech
This worried me also. I've seen many articles here on HN where people have
done far less and have had serious crimes pressed. Glad Google takes the high
road but with the state of the current US legal system regarding "hacking" I
definitely would not be so bold.

------
watty
You don't need a "custom exploit" or a "custom developed tool" to access a
public file called config.bog and base64 decode the user:pass. This Tridium
exploit was well publicized in the past year but too many people (including
this contractor who installed it) failed to upgrade the security or install
the patches.

~~~
tiredofcareer
Running on Windows on the developer's workstation, no less...

Let me quickly clarify that I'm not anti-Windows, it was just a double-take to
see it used as a workstation for security research like this (though I'm using
the word 'research' lightly). Strange article all around, lots of it caught my
eye.

~~~
kybernetyk
Maybe they have only Windows licenses of IDA Pro? There are a few very useful
tools for Windows - especially for reverse engineering and hardware/embedded
stuff.

------
aaronbrethorst
Interesting related story from July 2012:
[http://www.washingtonpost.com/investigations/tridiums-niagar...](http://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gJQARJL6dW_story.html)

_“We’re not going to say Niagara is secure”_

What I find most worrisome about this is that it can enable attackers to
access internal video feeds. Seems like an excellent vector to grab someone's
credentials.

Also, ironically, one of the people mentioned in the WaPo article who
discovered these vulnerabilities _used to work for Google._

edit: Aaron's reading comprehension is evidently VERY LOW today ;)

~~~
EvanKelly
That same guy [Billy Rios] is the one who wrote the blog post.

~~~
aaronbrethorst
ah, good catch. I edited my post accordingly.

------
achillean
The way they probably located these devices is using the following Shodan
search (27286 results at the moment):
<http://www.shodanhq.com/search?q=niagara>

------
mseebach
> [Pic: After hours button]

> (We don’t know what this button does… and we were afraid to test it :-))

How do you hack HVACs and not know what an after hours button does?

(it extends operation of the system so if you're working after hours, you
won't freeze/boil to death, without wasting energy running the HVAC out of
hours when no-one is there.)

~~~
daeken
I hacked the most prevalent hotel locks, but the latch on my gate constantly
outsmarts me. Limited domain knowledge is a thing!

------
jellicle
Posting the complete details of your felonious actions on the internet = not
bright.

Note that it doesn't matter whether Google is cool with your actions, after
the fact. What matters is whether the local prosecutor is cool with your
actions, or whether he needs an extra easy slamdunk conviction.

Kids: do not do this at home.

~~~
femto
It probably helps that "Wharf 7" is in Australia [1] and the access was from
the US. I can't imagine any officer in Pyrmont Police Station being too keen
on the paperwork involved in following up an incident of this magnitude!

[1] <http://maps.google.com.au/maps?ll=-33.867302,151.198268>

------
bifrost
I know some of the guys @ Cylance, they're good people. They've done a lot of
good work regarding embedded and grid security awareness. It is pretty funny
to see what people leave unprotected on the internet when they usually have
pretty good security practices.

In a situation like this, I'm going to guess that "facilities" was run as a
fiefdom and its network presence was obfuscated from infosec staff. Or in the
worst case, infosec was told to leave it alone...

------
kimburgess
Unfortunately this is far from an isolated issue. There are a multitude of
BMS's and control systems out there where security has had next to zero
consideration. Traditionally these systems have sat on isolated networks and
favoured serial communication. Unfortunately many of the people who have spent
the majority of their lives designing, installing and deploying these systems
have very little exposure to even the most basic network security principles.

When you consider these systems have _complete_ control over many environments
- signal distribution, HVAC, occupancy sensing, motor control for things such
as dropping 3 tonne screens from roofs, even occasionally extending to
physical access control - this is a very scary thought.

------
kevingadd
I'm impressed that they had the balls to actively compromise the device before
reporting it to Google... under normal circumstances, wouldn't most companies
go after you in court for a CFAA violation or somesuch?

You certainly see lots of examples of lawsuits over changing numbers in URLs,
so you'd figure downloading configuration info from a machine and then
reversing a password would definitely provide grounds for a suit.

Nice to see Google not overreact here.

~~~
sweis
It's not a big surprise that they didn't overreact. Billy Rios has a long
relationship with Google.

He worked there for almost 3 years: <http://www.linkedin.com/pub/billy-rios/3/a7a/5b1>

Before that, he was recognized for "ongoing and sustained contribution to the
security of Google's applications":
[http://www.google.com/about/appsecurity/hall-of-fame/archive...](http://www.google.com/about/appsecurity/hall-of-fame/archive/)

------
swalkergibson
This is not a part of the vulnerability rewards program? Why?

~~~
tantalor
It's not in scope, because it's not a "Google operated web service."

<http://www.google.com/about/appsecurity/reward-program/>

(I work for Google.)

~~~
HoochTHX
And potentially shutting down the HVAC for the web servers has no relation?

~~~
packetslave
What is it that led you to believe Google hosts web servers out of the Sydney
office building?

~~~
Smerity
Google Sydney has servers on site, but they may well just be local
productivity aids (mirrors for development etc). Google generally don't
publicise where their servers are or what they're for. Even if the servers are
just like any standard office's servers, this exploit could result in some
serious issues.

When I was at Google Sydney a few years ago for an internship, the AC died
prompting an interesting response. The server temps were rising to unsafe
levels and the AC wasn't expected to come back in time. The MacGyver solution
was to buy portable AC units and pump the heat into the coder's workspace.
That was a distinctly unpleasant afternoon =]

If the machines weren't important for production or productivity I'm certain
they'd save us the hassle and shut them down. If nothing else, abuse of this
office's AC system could severely impact the productivity of the office and
spring dozens of people into action.

Whilst not under the usual purview of the rewards program, I'd still think
it's noteworthy of recognition.

~~~
NickNameNick
I wonder if that was a similar time to when I visited that office ~feb 2011.

The aircon was clearly over capacity then, and there were portable air
conditioners scattered around the floor I was on, with flexible ducting
feeding up to the return ducts in the ceiling.

I assume they've fixed that by now, I know they've gone through at least one
remodel since.

------
fsckin
I'm surprised there aren't botnets running on these embedded devices... yet.
Probably because most people don't leave it openly available on the internet.

There are millions of rarely updated devices... printers, security systems,
fire alarms, cameras, etc... the list goes on and on.

~~~
GuiA
> I'm surprised there aren't botnets running on these embedded devices

That's a pretty bold assumption :)

~~~
hideo
I think this was posted on HN a few months ago:

<http://internetcensus2012.bitbucket.org/paper.html>

They ran their own botnet to map the internet, and then discovered other
malware already running on insecure home routers.

------
newman314
Related story :

[http://www.forbes.com/sites/markgibbs/2012/07/11/if-you-use-...](http://www.forbes.com/sites/markgibbs/2012/07/11/if-you-use-tridiums-niagara-you-could-get-hacked/)

~~~
anon1685
This is from November 2012, and they still haven't fixed it?

~~~
newman314
Apparently not

------
jrockway
_If Google can fall victim to an ICS attack, anyone can._

Did Google write this software? If not, it's kind of like writing "Google
locks vulnerable to lock picks". Well yeah, just like every other pin tumbler
lock ever made.

~~~
BHSPitMonkey
I think the point was that if any company should have awareness of what
internal tools are pointing web servers at the outside world, should be
capable of auditing its own security, should easily understand what that
software is doing and how it should be secured, it should be Google, a company
whose primary output is web software.

------
EvanAnderson
Makes me more happy that I vetoed the vendor's request to one of my Customers to
expose one of these systems to the Internet. They asked for exposure to the
Internet and I laughed them out of the room.

