Proof-of-Concept malware sneaks into smart buildings’ security loopholes

• Automated environments such as building automation systems(BAS) prone to attacks from modern malware, says research.
• The BAS systems remain exposed to threats due to various kinds of vulnerabilities including hardcoded credentials, buffer overflow, cross-site scripting, and more.

In the past, malware attacks on automated systems were not widespread. This does not mean they were not vulnerable either. Stuxnet virus is the best example. It spread along large industrial control systems(ICS) and gradually targeted a nuclear power plant in Iran. Now, a new research study indicates that malware can also target systems used in smart buildings, known as, building automation systems(BAS).

A recent Forbes article highlighted the work of cybersecurity firm Forescout, whose researchers developed a proof-of-concept (POC) malware to expose smart buildings' vulnerabilities. They ranked the list of vulnerabilities from high to low severity.

Examples for high severity vulnerabilities included an encryption function using a hardcoded secret to store user passwords and a buffer overflow that enabled a remote code execution takeover of the device. On the other hand, low ranked vulnerabilities included cross-site scripting (XSS), path traversal and file deletion along with authentication bypass flaws.

Malware focuses on data centers of smart buildings

Elisa Costante, senior director for industrial and OT technology innovation at ForeScout told the magazine that data centers of smart buildings are the most vulnerable.

Costante elucidates with an example, “They depend on industrial-level heating, ventilation, and air conditioning (HVAC) systems which are often connected to a BAS system. if a hacker is able to identify a vulnerability that grants them access to the HVAC system, they would be able to raise the temperature setpoint in order to disable the air conditioning.”

As IoT-based systems such as BAS become more prevalent, malware developed for these systems can attack various endpoints present in the network. Thus, software inside the system needs to be updated regularly with security patches to avoid disasters.