Abstract
In recent years, the buildings where we spend most of our lives have been evolving rapidly. They are becoming fully automated environments in which energy consumption, access control, heating and many other subsystems are integrated within a single system commonly referred to as a smart building (SB). To support the growing complexity of building operations, the building automation systems (BAS) powering SBs are integrating consumer-grade Internet of things (IoT) devices such as IP cameras alongside operational technology (OT) controllers and actuators. However, these changes raise important cybersecurity concerns: the attack surface is larger, attack vectors are multiplying and attacks can potentially harm building occupants. In this paper, we analyze the threat landscape of BASs by focusing on subsystems that are strongly affected by the advent of IoT devices, such as video surveillance systems and smart lighting. We demonstrate how BAS operation can be disrupted by simple attacks on widely used network protocols. Furthermore, using both known and 0-day vulnerabilities, reported in this paper and previously disclosed, we present the first (to our knowledge) BAS-specific malware, which is able to persist within the BAS network by leveraging both OT and IoT devices connected to the BAS. Our research highlights that BAS networks can be considered as critical as industrial control systems and that security concerns in BASs deserve more attention from both the industrial and scientific communities. Even within a simulated environment, our proof-of-concept attacks were carried out with relative ease and a limited budget and resources. Therefore, we believe that well-funded attack groups will increasingly shift their focus towards BASs, with the potential of impacting the lives of thousands of people.
Acknowledgements
The authors would like to thank: Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability; Clément Speybrouck, Michael Yeh, and Martin Perez-Rodriguez for their help in implementing some of the other attacks.
Cite this article
dos Santos, D.R., Dagrada, M. & Costante, E. Leveraging operational technology and the Internet of things to attack smart buildings. J Comput Virol Hack Tech 17, 1–20 (2021). https://doi.org/10.1007/s11416-020-00358-8