Building Hack Almost Landed Google in Hot Water
Google's Sydney office is located at Wharf 7.
Any savvy Internet denizen knows it's wise to keep his or her software up-to-date, but sometimes even the experts fall short.
A security firm recently probed Google's office in Sydney, Australia, for vulnerabilities in its building-management systems. The findings: The building's heating and cooling systems were ripe for hacking.
Cylance, an Irvine, Calif.-based online security provider, has made its bones by investigating facility-management-systems vulnerabilities at an industrial level and then contacting the company in question before actual malefactors exploit the flaws.
Google's offices at the waterfront Wharf 7 in Sydney run on a system called Tridium Niagara, which can monitor and control a variety of devices over the Internet.
Google Wharf 7 uses Niagara to control its building functions, including alarms, plumbing and temperature controls. Even though Google's version of Niagara was only "slightly" outdated, according to a Cylance blog post, the security experts were still able to hack it easily.
The Cylance team designed an exploit to gain access to the "config.bog" file in Niagara. In addition to giving specific details about the Wharf 7 office and its system, the config.bog file contained usernames and passwords for all local Niagara users.
Even though the passwords were all encrypted, a team of experienced hackers was able to decode them and gain control over the Niagara software.
Entering a username and password gave Cylance access to the building plans and alarm systems (useful if anyone wanted to plan a heist), but still blocked the company from performing more secure functions. Cylance insists that it could have "rooted" the program to gain full access to the building.
Cylance has requested payment from Google in accordance with the search-engine giant's Vulnerability Rewards Program, which awards money to independent agents who find security flaws in Google products. The Cylance employees who conducted the research are old friends with Google's staff, however, so this may have been more of a playful jab.
Root access would have granted Cylance control over Google Wharf 7's heating and cooling. Sure, that would be an inconvenience, but it also could have more serious consequences:
On an Australian summer day, for instance, cranking the heat up all the way could endanger sensitive server equipment. [See also: 7 Security Spring Cleaning Tips]
The most head-scratching part of the story is that Cylance notified Niagara's developer, Tridium, of this vulnerability over a year ago, and Tridium issued a patch in August 2012.
If Google had followed its own well-worn advice and kept all of its systems up-to-date, Cylance would have been unable to hack it — at least with such a well-known exploit.
Office managers should take note and be sure to keep all of their software up-to-date.
"If you have a corporate campus or a modern building of any sort ... you're likely running similar systems someplace on your network," wrote Billy Rios and Terry McCorkle, two directors at Cylance. "If Google can fall victim to an [industrial control systems] attack, anyone can."