Sometime last summer, hackers invaded a New Jersey company’s web-accessible heating and air-conditioning systems using a gaping security hole in the system’s supervisory control and data acquisition (SCADA) software.
Ars Technica reports that an IT contractor who works with the business informed F.B.I. agents investigating the breach that controls for the HVAC system were “directly connected to the Internet” and there was no “interposing firewall.”
The backdoor into the controls is found in some versions of the Niagara AX Framework, software that controls similar systems at the Pentagon and the Federal Bureau of Investigation. An F.B.I. memo issued in July said any hacker who found their way into the nameless New Jersey company’s Niagara controls would have been able to learn the same information available to a systems administrator, such as “a floor plan layout of the office, with control fields and feedback for each office and shop area.” The web interface wasn’t even password-protected.
Information about these flaws in Niagara systems has been public knowledge among hackers for some time. In a blog post published in an Anonymous-associated blog on January 19, 2012, a hacker using the name @ntisec listed vulnerable Niagara web servers all over the world.
The hacker prefaced the list by explaining that he or she had learned of the vulnerability from a Dutch technology site and then found vulnerable pages with simple searches using Google and ShodanHQ, a site that helps “expose online devices.”
@ntisec insisted his or her purpose was to make sure these gaps were closed, because “Most scada systems dont (sic) have the need to be webfaced.”
Ars Technica notes that in 2009 a security guard in a Texas hospital learned of that facility’s weak SCADA security and posted screen captures online that demonstrated he could take control of parts of the system used to control operating room temperatures. The guard ended up federal prison.
Given the large number of Niagara servers listed by @ntisec last January, we’ll probably hear about several other intrusions before the holes are filled. Once that happens, maybe they’ll just come for our smart TVs.