Incident: Critical Vulnerability in Tridium Niagara AX Framework Allows Remote Control

Published Date: 2013-02-06

Postmortem Analysis
Timeline 1. Security researchers Billy Rios and Terry McCorkle notified Tridium of the vulnerability in December 2012 [17030]. 2. The researchers demonstrated a zero-day attack on the system at the Kaspersky Security Analyst Summit; the article was published on 2013-02-06 [17030]. 3. Tridium said it expected to release a patch by February 13, 2013 [17030].
System 1. Tridium Niagara AX Framework [17030]
Responsible Organization 1. Tridium, the vendor of the Niagara AX Framework in which the remote pre-authentication vulnerability and the privilege-escalation bug were found [17030]. 2. The operators of the affected facilities who left their Tridium systems reachable from the internet and kept the documented default platform credentials [17030]. Security researchers Billy Rios and Terry McCorkle of Cylance discovered and reported the vulnerability and demonstrated the attack; they did not cause the failure [17030].
Impacted Organization 1. Military 2. Hospitals 3. Government office complex in Chicago 4. British Army training facility 5. Boeing's manufacturing facilities in Renton, Washington 6. Changi airport in Singapore 7. Four Points Sheraton hotel in Sydney, Australia 8. Long Building Technologies [17030]
Software Causes 1. A remote, pre-authentication vulnerability in the Tridium Niagara AX Framework that could be triggered over the network without valid credentials [17030]. 2. A privilege-escalation bug that, chained with the first flaw, gave root access to the system's platform and all of its embedded software [17030]. 3. The station's config.bog file held all configuration data, including the usernames and passwords used to log in to operator workstations, so reading that one file yielded the credentials needed to control every system the framework manages [17030].
Non-software Causes 1. Internet exposure of building-control systems: around 21,000 Tridium systems were visible over the internet through the Shodan search engine, so the remote vulnerability could be reached from anywhere rather than only from an isolated control network [17030]. 2. Default credentials: the device the researchers bought on eBay came with documentation listing the default username and password for platform administration, so an installation that never changed them is open to administrative login even without the exploit [17030]. 3. Physical equipment (electronic door locks, lighting, elevators, electricity and boiler systems, video surveillance cameras, alarms) was placed under the control of a network-reachable platform, so compromise of the platform translated directly into control of the physical systems [17030].
Impacts 1. The vulnerability in the Tridium Niagara AX Framework allows an attacker to remotely control the building facilities the framework manages: electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other systems [17030]. 2. The researchers retrieved the system's config.bog file, which contains all of the system's configuration data, including the usernames and passwords needed to log in to operator workstations and control the managed systems [17030]. 3. The attack chained a remote, pre-authentication vulnerability with a privilege-escalation bug, giving root access to the system's platform and all embedded software [17030]. 4. The researchers wrote a backdoor module to retain access after the initial compromise, showing that an attacker could keep controlling and monitoring the affected systems after the entry vulnerability is closed [17030]. 5. Because the Tridium Niagara Framework is used in military facilities, hospitals, government offices, manufacturing plants, airports and hotels around the world, a single vulnerability has a very wide blast radius [17030]. 6. The finding raised concerns about the security of the millions of control systems Tridium has sold worldwide and about the safety of the facilities and operations that depend on them [17030].
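The backdoor module in impact 4 is a persistence mechanism, and it leaves a file on disk. The following is an added example (not code from the article, from Tridium or from the researchers) of how an operator could catch it: baseline the station's module directory and diff the baseline against the live directory on a schedule. It assumes that Niagara loads its modules as .jar files from a modules directory under the installation root, which this page does not state, and it uses a throwaway directory with constructed contents in place of a real installation.

```python
"""File-integrity check for a Niagara module directory (added example).

Assumption (not stated on this page): station modules live as *.jar files in
<niagara_home>/modules. The demo() scenario is constructed, not a real install.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large jars do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(modules_dir: Path) -> Dict[str, str]:
    """Map every *.jar in modules_dir to its SHA-256 (the baseline record)."""
    return {p.name: sha256_file(p) for p in sorted(modules_dir.glob("*.jar"))}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Report modules that appeared, disappeared, or changed since the baseline.

    An 'added' jar nobody installed, or a 'changed' vendor jar, is the signal
    for a dropped backdoor module or a trojaned legitimate one.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(name for name in baseline.keys() & current.keys()
                     if baseline[name] != current[name])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a fake modules dir, then simulate an
    attacker dropping a new module and tampering with an existing one."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "modules"
        modules.mkdir()
        # Fake vendor jars (constructed bytes, not real Niagara modules).
        for name in ("baja.jar", "web.jar", "fox.jar"):
            (modules / name).write_bytes(b"PK\x03\x04 fake jar " + name.encode())
        baseline = snapshot(modules)

        # Persistence as described in the article: an attacker-authored module.
        (modules / "backdoor.jar").write_bytes(b"PK\x03\x04 not from vendor")
        # A subtler variant: replace a legitimate module with a trojaned copy.
        (modules / "web.jar").write_bytes(b"PK\x03\x04 trojaned web.jar")

        return diff_snapshots(baseline, snapshot(modules))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be written once from a known-good install (or from the vendor's published module set), stored off the device, and compared by a scheduled job; the comparison should run from a host the station platform cannot write to, since root on the platform lets an attacker edit any baseline kept locally.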
Preventions 1. Keeping Tridium systems off the public internet, reachable only through a firewall and VPN from a management network, would have put the remote vulnerability out of reach of outside attackers; the 21,000 systems visible via Shodan show this was not done [17030]. 2. Changing the documented default platform username and password on every installation removes the simplest route to administrative access [17030]. 3. Requiring authentication before any access to station files such as config.bog, and not keeping operator credentials where a single file read exposes them, would have limited what a pre-authentication flaw could yield [17030]. 4. Prompt patching of known vulnerabilities shortens the window of exposure, although it would not have stopped this attack on its own: the flaw was a zero-day, with Tridium's patch not expected until February 13 [17030].
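As an added example of the access-control and isolation measures in preventions 1 and 3 (not code from the article or from Tridium), the following detector reads a station web server's access log and flags any successful retrieval of config.bog, or upload of a module, that came from outside an assumed management network or without an authenticated user. The log format (Common Log Format with the authenticated user in the third field), the management subnet 10.20.0.0/24, and the URL paths /file/config.bog and /modules/ are assumptions made for the demonstration; the log lines are constructed.

```python
"""Detect config.bog retrieval or module upload from outside the management
network (added example). Assumptions, not facts from the page: CLF-style logs
with the authenticated user in field 3, a 10.20.0.0/24 management VPN, and the
paths /file/config.bog and /modules/<name>.jar.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed management VPN range; everything else is treated as untrusted.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Paths whose retrieval/upload hands over credentials or installs code.
SENSITIVE = re.compile(r"/config\.bog$|/modules/[^/]+\.jar$", re.IGNORECASE)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one log line, or None if it is not CLF."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec: Dict[str, object] = match.groupdict()
    rec["status"] = int(match.group("status"))
    return rec


def is_management(src: str) -> bool:
    """True if src is an IP inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def analyze(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Emit one alert per successful sensitive request that violates policy.

    Only 2xx/3xx responses count: a 401/403 means the control held, while a
    200 on config.bog from the internet with no user is the pre-auth read
    described in the article.
    """
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] >= 400:
            continue
        if not SENSITIVE.search(str(rec["path"])):
            continue
        reasons = []
        if rec["user"] == "-":
            reasons.append("unauthenticated")
        if not is_management(str(rec["src"])):
            reasons.append("source outside management network")
        if reasons:
            alerts.append({"src": rec["src"], "method": rec["method"],
                           "path": rec["path"], "reasons": reasons})
    return alerts


# Constructed sample log: one legitimate read, one pre-auth read from the
# internet, an unrelated login page hit, a module upload from outside, and a
# read the server correctly refused.
SAMPLE_LOG = [
    '10.20.0.7 - operator [06/Feb/2013:10:01:12 +0000] "GET /file/config.bog HTTP/1.1" 200 48211',
    '198.51.100.23 - - [06/Feb/2013:10:02:40 +0000] "GET /file/config.bog HTTP/1.1" 200 48211',
    '198.51.100.23 - - [06/Feb/2013:10:02:41 +0000] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.9 - admin [06/Feb/2013:10:05:03 +0000] "PUT /modules/backdoor.jar HTTP/1.1" 201 9000',
    '198.51.100.24 - - [06/Feb/2013:10:06:30 +0000] "GET /file/config.bog HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The same allowlist is the rule to enforce at the firewall in front of the station; the log check is the control that tells you the firewall rule is missing or has been bypassed. Note that the second alert still fires for an authenticated admin, because a valid default password used from the internet is exactly the eBay-documentation case above.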
Fixes 1. Apply the patch Tridium was preparing for the vulnerability, expected by February 13, 2013 [17030]. 2. Until it is applied, and regardless of it: remove Tridium systems from direct internet reachability and change the documented default platform credentials, neither of which a software patch changes [17030].
References 1. Security researchers Billy Rios and Terry McCorkle from Cylance [17030] 2. Tridium spokesman Mark Hamel [17030] 3. Shodan search engine [17030] 4. Tridium's website and published case studies [17030] 5. Long Building Technologies [17030]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The incident recurred within the same organization: Billy Rios and Terry McCorkle have found numerous vulnerabilities in the Tridium system and other industrial control systems over the last two years, and this zero-day, demonstrated at the Kaspersky Security Analyst Summit, is the latest of them [17030]. (b) The incident spans multiple organizations: the same vulnerable framework manages door locks, lighting, elevators, electricity and boiler systems, surveillance cameras and alarms at a government office complex in Chicago, a British Army training facility, Boeing's manufacturing facilities, Changi airport in Singapore and the Four Points Sheraton hotel in Sydney, among others, and around 21,000 Tridium systems were visible over the internet [17030].
Phase (Design/Operation) design, operation (a) Design: the remote, pre-authentication vulnerability and the privilege-escalation bug that together yield root on the platform are defects introduced during development of the Niagara AX Framework [17030]. (b) Operation: the flaw was exploitable from the internet because operators exposed their systems there (21,000 visible through Shodan) and shipped devices still carried the documented default platform username and password, so operational practice contributed to the failure [17030].
Boundary (Internal/External) within_system (a) The failure is within_system: the remote, pre-authentication vulnerability and the privilege-escalation bug that gave Rios and McCorkle root on the platform are flaws in the Tridium Niagara AX Framework itself, not in a dependency or an external service [17030]. Internet exposure and default credentials widened the reach of the flaw but are not what made the system exploitable [17030].
Nature (Human/Non-human) human_actions (a) The failure was driven by human actions: the vulnerability is a defect introduced by developers, and the failure event was a deliberate exploit by security researchers Billy Rios and Terry McCorkle, chaining a remote, pre-authentication vulnerability with a privilege-escalation bug to gain root and retrieve config.bog [17030]. No non-human trigger such as a hardware fault or environmental event is involved [17030].
Dimension (Hardware/Software) software (a) The failure originates entirely in software. The Tridium platform is written in Java, and the attack exploited a remote, pre-authentication vulnerability combined with a privilege-escalation bug in that platform to gain root access and read the config.bog file, which holds the usernames and passwords for operator workstations [17030]. The hardware (the device the researchers bought on eBay) merely hosts the vulnerable platform; the article reports no hardware defect [17030].
Objective (Malicious/Non-malicious) malicious (a) The failure is a security compromise: the vulnerability in the Tridium Niagara AX Framework lets an attacker remotely control electronic door locks, lighting, elevators, surveillance cameras and the other systems the framework manages [17030]. Rios and McCorkle demonstrated the zero-day at the Kaspersky Security Analyst Summit, gaining root on the platform and installing a backdoor module to keep access, as a proof of what a malicious actor could do rather than as an attack on a real facility [17030].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) Poor decisions: shipping devices whose documentation lists the default platform username and password, and connecting building-control systems directly to the internet (21,000 were visible through Shodan), are deliberate choices that made the vulnerability reachable and the credentials guessable [17030]. (b) Accidental decisions: nothing in the article suggests the remote, pre-authentication vulnerability or the privilege-escalation bug were introduced knowingly; Tridium was notified in December and was working on a patch [17030].
Capability (Incompetence/Accidental) development_incompetence (a) The failure points to development incompetence: a platform that controls door locks, elevators and boilers contained a remotely reachable pre-authentication flaw and a privilege-escalation bug that together gave root, and the same researchers have found numerous vulnerabilities in Tridium's system over the last two years, indicating a pattern rather than an isolated slip [17030]. (b) The accidental category does not fit beyond the ordinary sense that the bugs were unintended; the article describes no chance event, only defects that Tridium was working to patch after being notified in December [17030].
Duration temporary The failure is temporary: Rios and McCorkle notified Tridium of the vulnerability in December, and Tridium was working on a patch it expected to release by February 13 [17030]. The failure is tied to a specific defect that a patch can remove rather than to a permanent property of the system.
Behaviour other (a) crash: not a crash; the system keeps running, and the attacker uses it to control the managed building facilities [17030]. (b) omission: the system does not omit its intended functions; it performs an unintended one, giving an unauthenticated remote party the configuration data, usernames and passwords, and control of the systems managed from operator workstations [17030]. (c) timing: no timing issue is involved; the functions are delivered on time, to the wrong party [17030]. (d) value: the intended functions (controlling door locks, lighting, elevators and the rest) produce correct values; the defect is in who may invoke them [17030]. (e) byzantine: the behaviour is consistent and deterministic; the remote, pre-authentication vulnerability yields root on the platform every time it is exploited [17030]. (f) other: the failure is a security failure of the Tridium Niagara AX Framework, in which a remote pre-authentication vulnerability and a privilege-escalation bug let an unauthorized party access and control critical building facilities, with serious implications for the military, hospital and other facilities that run the affected system [17030].

IoT System Layer

Layer Option Rationale
Perception embedded_software (a) The failure sits in the embedded software of the cyber-physical system. The Tridium platform is written in Java and runs on the device itself; the remote, pre-authentication vulnerability and the privilege-escalation bug gave Rios and McCorkle root on that platform and on all of its embedded software, from which they read config.bog with its usernames and passwords and could drive the managed equipment [17030].
Communication connectivity_level The communication layer is implicated at the connectivity level because the vulnerability is remotely triggerable and around 21,000 Tridium systems were reachable over the internet (visible through the Shodan search engine), so the network path to the vulnerable platform was open to anyone [17030]. The article does not describe a defect in a network or transport protocol itself; the flaw is in the platform software, and connectivity is what made it reachable from outside the facility [17030].
Application TRUE The failure is in the application layer: the Tridium platform, written in Java, contained a remote, pre-authentication vulnerability that, combined with a privilege-escalation bug, gave root access to the platform underlying the devices [17030]. From there the researchers read config.bog, which holds the usernames and passwords for operator workstations, could control door locks, lighting, elevators and the other managed facilities, and installed a backdoor module to keep access [17030].

Other Details

Category Option Rationale
Consequence theoretical_consequence (a) No actual harm is reported: the vulnerability was exploited by security researchers in a demonstration at the Kaspersky Security Analyst Summit, not against an operating facility [17030]. (b) The potential consequences are physical harm and property damage: the framework controls electronic door locks, lighting, elevators, electricity and boiler systems, video surveillance cameras and alarms in federal office buildings, hospitals and military facilities, so an attacker with root on the platform could affect the safety of the people and equipment in those buildings [17030].
Domain utilities The closest category is utilities (g): the Tridium Niagara AX Framework manages electricity and boiler systems alongside door locks, lighting, elevators, surveillance cameras and alarms [17030]. The affected sites themselves span several sectors: military and government facilities, hospitals, Boeing's manufacturing plant in Renton, Changi airport in Singapore and a hotel in Sydney [17030].

Sources
