Researchers hack into building management system at Google’s Australia office

09 May 2013

If you think you have read enough about security breaches and vulnerabilities related to web sites, here is a different kind of vulnerability, with an ending happily different from stolen data, hacked accounts and the other usual stuff.

Two security researchers recently found that they could easily hack the building management system of internet search company Google's Wharf 7 office, which overlooks the water in the Pyrmont section of Sydney, Australia, according to technology news website Wired.

Google Australia's building management system is built on the Tridium Niagara AX platform, which has been shown to have serious security vulnerabilities. Although Tridium had released a patch for the system, the control system at Google was not patched, which allowed the researchers to obtain its administrative password ("anyonesguess") and access control panels.

The panels showed buttons marked "active overrides," "active alarms," "alarm console," "LAN Diagram," "schedule," and also a button marked "BMS key" for Building Management System key.

There was also a button marked "AfterHours Button" with a hammer on it.

The researchers left the buttons and the system untouched, but reported the issue to Google.

According to Billy Rios, a researcher with security firm Cylance, who worked on the project with colleague Terry McCorkle, they did not want to exercise any of the management functionality on the device itself.

The researchers discovered 653 computer-based building management systems in Australia attached to the public internet and, according to Rios, found that hospitals, banks and government buildings in Australia were all vulnerable.

Another exposed system they found was that of the North Shore Private Hospital in Sydney. The rest of the affected buildings comprised hospitals, businesses, universities and government buildings.

Building management systems are used for the control and monitoring of a building's mechanical and electrical equipment using computer software. The system could be used to control and monitor things like ventilation, air conditioning, plumbing, CCTV, doors, lighting, elevators and fire systems within a building.

These systems are now increasingly being connected to the public internet, which makes them accessible remotely, meaning those with malicious intent could always find ways to gain access to them using exploits.

They were usually attached to the internet by the IT firms that managed them, so that they could be accessed or updated remotely, but they often had very lax security and no firewalls to prevent unauthorised access.

The security researchers focused their efforts on the Tridium Niagara AX building management platform, which they found many organisations had not updated; older versions, vulnerable to exploits that could reveal their log-in credentials, were in use.