
Leveraging operational technology and the Internet of things to attack smart buildings

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

In recent years, the buildings where we spend most of our lives have been evolving rapidly. They are becoming fully automated environments where energy consumption, access control, heating and many other subsystems are all integrated into a single system commonly referred to as a smart building (SB). To support the growing complexity of building operations, the building automation systems (BAS) powering SBs are integrating consumer-grade Internet of things (IoT) devices such as IP cameras alongside operational technology (OT) controllers and actuators. However, these changes raise important cybersecurity concerns: the attack surface is larger, the number of attack vectors is increasing, and attacks can potentially harm building occupants. In this paper, we analyze the threat landscape of BASs by focusing on subsystems that are strongly affected by the advent of IoT devices, such as video surveillance systems and smart lighting. We demonstrate how BAS operation can be disrupted by simple attacks on widely used network protocols. Furthermore, using both previously disclosed vulnerabilities and 0-day vulnerabilities reported in the paper, we present the first (to our knowledge) BAS-specific malware, which is able to persist within the BAS network by leveraging both the OT and the IoT devices connected to the BAS. Our research highlights that BAS networks can be considered as critical as industrial control systems and that security concerns in BASs deserve more attention from both the industrial and the scientific communities. Even within a simulated environment, our proof-of-concept attacks were carried out with relative ease and with a limited budget and limited resources. Therefore, we believe that well-funded attack groups will increasingly shift their focus towards BASs, with the potential of impacting the lives of thousands of people.



Acknowledgements

The authors would like to thank: Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability; Clément Speybrouck, Michael Yeh, and Martin Perez-Rodriguez for their help in implementing some of the other attacks.

Author information


Corresponding author

Correspondence to Daniel Ricardo dos Santos.


Cite this article

dos Santos, D.R., Dagrada, M. & Costante, E. Leveraging operational technology and the Internet of things to attack smart buildings. J Comput Virol Hack Tech 17, 1–20 (2021). https://doi.org/10.1007/s11416-020-00358-8
