Smart building security flaws leave schools, hospitals at risk

Vendors of smart building hardware issued updates to their products without disclosing that vulnerabilities had been patched, leaving unpatched security systems at schools and hospitals reachable from the web.

IoT and the security challenges that tech companies face

Security professionals are typically charged with ensuring the integrity of data on equipment in the cloud or on premises, and less so with ensuring the integrity of the physical premises itself. As a result, building automation systems often go untested, if not outright ignored. These systems may constitute shadow IT in certain organizations, as leased buildings may come with non-negotiable automation systems installed by the management company.

These building automation systems are fundamentally purpose-built computers, and are subject to security vulnerabilities as any other computer would be. Engineers at ForeScout developed a proof-of-concept malware for smart buildings to demonstrate why it is urgent for security leaders to address vulnerabilities in building automation systems. In a presentation on Wednesday at the S4x19 conference, ForeScout presented a whitepaper detailing the current security landscape, newly-discovered vulnerabilities, and some proposed solutions.


ForeScout researchers found high-severity vulnerabilities allowing remote attackers to execute arbitrary code on a target device, enabled by the vendor's use of a hardcoded key and by an exploitable buffer overflow. The vendor in question is left unnamed; the whitepaper notes that the vendor was aware of, and has patched, the vulnerabilities, but never disclosed to customers that a vulnerability existed. That lack of disclosure can lead customers not to apply updates with the urgency needed to protect the integrity of their physical premises.

A variety of lower-severity vulnerabilities were found on Loytec and EasyIO systems: path traversal and arbitrary file deletion on Loytec, authentication bypass on EasyIO, and cross-site scripting (XSS) on both. These vulnerabilities have since been patched by the vendors.

Researchers at ForeScout note that these vulnerabilities are easy to find and fix, but also easy to exploit. Because building automation systems are connected to the internet, they can be located "using search engines such as Shodan and Censys." Using these, the researchers found 279 instances of devices affected by the lower-severity vulnerabilities, of which 214 were potentially vulnerable. For the high-severity vulnerabilities, 21,621 devices were found, of which the researchers claim 7,890 are potentially vulnerable, many of them located in hospitals and schools. This means those systems could be accessible to nefarious actors over the web.

As security issues with the IoT devices powering smart homes and offices surface, check out TechRepublic's 10 best practices for getting security right in digital transformation, and the 5 biggest IoT security failures of 2018.

The big takeaways for tech leaders:

  • 7,890 of 21,621 physical security systems with known high-severity security vulnerabilities were unpatched and accessible via the internet. -ForeScout, 2019
  • The vendor in question patched the vulnerability, but did not disclose that a vulnerability existed to customers.
