HVACking: Remotely Exploiting Bugs in Building Control Systems

Security researchers have found a zero-day vulnerability in a popular building controller used for managing various systems, including HVAC (heating, ventilation, and air conditioning), alarms, and pressure levels in controlled environments.

Discovered using the automated software testing technique called “fuzzing,” the point of failure gives an attacker on the network full control of an unpatched system. They would be in a position to manage the various building controls connected to the vulnerable device.

Douglas McKee of McAfee Labs’ Advanced Threat Research team found the flaw in the enteliBUS Manager (eBMGR) from Delta Controls.

“Put simply, this device aims to centralize control for various pieces of hardware often found in corporate or industrial settings, whether it be temperature and humidity controls for a server room, a boiler and its corresponding alarms and sensors in a factory, or access control and lighting in a business.”

McKee used a fuzz testing tool called Defensics that can handle the Building Automation and Control Network (BACnet) protocol used by the eBMGR industrial control system.

Attack also works remotely

The vulnerability is now tracked as CVE-2019-9569 and is a buffer overflow that leads to remote code execution when properly exploited. Initial attempts resulted only in crashes, though, until sufficient information was collected to create a working exploit. Technical details about the entire process are available in McAfee's write-up.

Although taking control of a building control system is itself an accomplishment, McKee found that attacks can be launched even if the location of the target system on the network is unknown.

For this, BACnet broadcast traffic is used, which delivers a message to every node on the network. This means that all vulnerable systems on the network will respond to the message.

To confirm that exploitation was successful, the researcher tried to control all the devices connected to the vulnerable eBMGR. Achieving this involved tracking down the commands that triggered an action on a target device; this technique is called a replay attack because it captures the command traffic only to play it back at an attacker’s convenience.

This strategy yielded the expected results and enabled the researcher to take full control of the target. According to the researcher, every device supported by eBMGR was compromised this way.

In a video demonstrating the validity of the research, the experiment targeted a programmable logic controller (PLC) that controlled an HVAC system.

Although the tests conducted required physical access, a hacker who knows the IP address of the device in advance can launch them over the internet. More than 1,600 devices were discovered using the Shodan search engine, showing that an attacker could do damage from miles away.

McAfee reported the vulnerability to Delta on December 7, 2018, and the company replied in “just a few weeks” and validated the research. Both parties worked together to create a patch, which became available in late June 2019.

The security company recommends applying to building devices the same security practices used for any other network device: placing them behind a firewall, monitoring their traffic for abnormal activity, and isolating them from the rest of the network.
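The broadcast vector described above and the traffic-monitoring advice are the two points a defender can act on directly. As an added example (not from the article, McAfee, or Delta Controls), the Python below parses the BACnet/IP BVLC and NPDU headers of captured datagrams and flags broadcast frames, such as Who-Is sweeps, that come from hosts outside a known building-management allowlist. The datagrams, host addresses and allowlist are constructed samples.

```python
from typing import Optional, Tuple
BVLC_TYPE, BVLC_BROADCAST = 0x81, 0x0B   # BVLC type byte; Original-Broadcast-NPDU function
UNCONFIRMED_REQUEST, WHO_IS = 0x1, 0x08  # APDU type nibble; Who-Is service choice

def parse_bacnet_ip(payload: bytes) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (bvlc_function, apdu_type, service) from BVLC+NPDU headers, None if malformed."""
    if len(payload) < 6 or payload[0] != BVLC_TYPE:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                       # BVLC length must cover the whole datagram
    npdu = payload[4:]
    if npdu[0] != 0x01:                   # NPDU protocol version is always 1
        return None
    control, idx = npdu[1], 2
    for flag in (0x20, 0x08):             # DNET/DLEN/DADR, then SNET/SLEN/SADR if present
        if control & flag:
            if idx + 3 > len(npdu):
                return None
            idx += 3 + npdu[idx + 2]      # 2-byte network, 1-byte length, length-byte address
    if control & 0x20:
        idx += 1                          # hop count follows the addressing fields
    if control & 0x80:
        return (payload[1], -1, None)     # network-layer message, carries no APDU
    if idx >= len(npdu):
        return None
    apdu_type = npdu[idx] >> 4
    service = npdu[idx + 1] if apdu_type == UNCONFIRMED_REQUEST and idx + 1 < len(npdu) else None
    return (payload[1], apdu_type, service)

def flag_rogue_broadcasts(datagrams, allowlist):
    """Alert on BACnet broadcasts (e.g. Who-Is sweeps) sent by hosts outside the allowlist."""
    alerts = []
    for src_ip, payload in datagrams:
        frame = parse_bacnet_ip(payload)
        if frame and frame[0] == BVLC_BROADCAST and src_ip not in allowlist:
            name = "Who-Is" if frame[2] == WHO_IS else f"service {frame[2]}"
            alerts.append(f"{src_ip}: BACnet broadcast {name} from non-allowlisted host")
    return alerts

# Constructed sample datagrams and hosts (not captured from a real eBMGR).
WHO_IS_BROADCAST = bytes.fromhex("810b000c0120ffff00ff1008")            # global Who-Is
READ_PROPERTY_UNICAST = bytes.fromhex("810a001101040005010c0c02000000194c")
ALLOWED_BMS_HOSTS = {"10.0.5.10"}                                       # the BMS workstation
SAMPLE_TRAFFIC = [("10.0.5.10", WHO_IS_BROADCAST),      # routine discovery from the BMS
                  ("10.0.99.7", WHO_IS_BROADCAST),      # unexpected host sweeping the segment
                  ("10.0.99.7", READ_PROPERTY_UNICAST)] # unicast, not covered by this rule

def demo_alerts():
    return flag_rogue_broadcasts(SAMPLE_TRAFFIC, ALLOWED_BMS_HOSTS)
```

Unicast requests from the same unexpected host are deliberately left to other rules; this one only answers the question "who is sending broadcasts on the BACnet segment that should not be".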
