The group of researchers from security firm Cylance were able to snatch the password for the control system for Google's Pyrmont office, where they could access controls to alarms and other building services.
This includes things like the heating and air conditioning.
The group also obtained blueprints of the floor and roof plans of the headquarters, along with water pipe maps and the location of a kitchen leak.
It seems they didn't actually do anything with the access, however.
The researchers Billy Rios and Terry McCorkle were seemingly able to carry out the hack due to unpatched security flaws in Tridium Niagara AX, the system Google uses for its buildings.
In a blog post, excerpts below, Mr Rios and Mr McCorkle described the hack as "easy."
A quick interrogation of the Tridium device yields a wealth of information about the specific platform version (a slightly outdated version) and OS specifics (QNX running on an embedded device). Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device.
We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations.
Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.
If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go :-)
If Google can fall victim to an ICS attack, anyone can.