Home Business IT Security Google's Sydney HQ under attack

Google's Pyrmont HQ Google's Pyrmont HQ Featured
Get all your tech news delivered to your mail box five days a week
iTWire UPDATE - it's FREE!


A team of US researchers have hacked into the building management system of Google's Sydney headquarters, according to reports today.

The group of researchers from security firm Cylance were able to snatch the password for the control system for Google's Pyrmont office, where they could access controls to alarms and other building services.

This includes things like the heating and air conditioning.

The group also obtained blueprints of the floor and roof plans of the headquarters, along with water pipe maps and the location of a kitchen leak.

It seems they didn't actually do anything with the access, however.

The researchers Billy Rios and Terry McCorkle were seemingly able to carry out the hack due to unpatched security flaws in Tridium Niagara AX, the system Google uses for its buildings.

In a blog post, excerpts below, Mr Rios and Mr McCorkle described the hack as "easy."

A quick interrogation of the Tridium device yields a wealth of information about the specific platform version (a slightly outdated version) and OS specifics (QNX running on an embedded device). Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device.

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations.

Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go :-)

If Google can fall victim to an ICS attack, anyone can.

ITWIRE SERIES - REVENUE-CRITICAL APPS UNDERPERFORMING?

Avoid War Room Scenarios and improve handling of critical application problems:

• Track all transactions, end-to-end, all the time and know what your users experience 24/7

• View code level details with context and repair problems quickly

• Fix problems in minutes before they wreak havoc

• Optimize your most important applications, Java, .NET, PHP, C/C++ and many more

Start your free trial today!

CLICK FOR FREE TRIAL!

ITWIRE SERIES - IS YOUR BACKUP STRATEGY COSTING YOU CLIENTS?

Where are your clients backing up to right now?

Is your DR strategy as advanced as the rest of your service portfolio?

What areas of your business could be improved if you outsourced your backups to a trusted source?

Read the industry whitepaper and discover where to turn to for managed backup

FIND OUT MORE!

David Swan

joomla statistics

David Swan is a tech journalist from Melbourne and is iTWire's Associate Editor. Having started off as a games reviewer at the tender age of 14, he now has a degree in Journalism from RMIT (with Honours) and owns basically every gadget under the sun. You can email him at david.swan@itwire.com or follow him at twitter.com/mrdavidswan

Connect