Home Business IT Security Google's Sydney HQ under attack
Google's Pyrmont HQ Google's Pyrmont HQ Featured

A team of US researchers have hacked into the building management system of Google's Sydney headquarters, according to reports today.

The group of researchers from security firm Cylance were able to snatch the password for the control system for Google's Pyrmont office, where they could access controls to alarms and other building services.

This includes things like the heating and air conditioning.

The group also obtained blueprints of the floor and roof plans of the headquarters, along with water pipe maps and the location of a kitchen leak.

It seems they didn't actually do anything with the access, however.

The researchers Billy Rios and Terry McCorkle were seemingly able to carry out the hack due to unpatched security flaws in Tridium Niagara AX, the system Google uses for its buildings.

In a blog post, excerpts below, Mr Rios and Mr McCorkle described the hack as "easy."

A quick interrogation of the Tridium device yields a wealth of information about the specific platform version (a slightly outdated version) and OS specifics (QNX running on an embedded device). Armed with a few pieces of data, we utilized a custom exploit to extract the most sensitive file on a Tridium device, the config.bog file. The config.bog file contains the specific configurations for this particular device, but more importantly, it also contains the usernames and passwords for all the users on the device.

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations.

Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty five thousand of these systems facing the Internet… one down, twenty four thousand, nine hundred, ninety nine to go :-)

If Google can fall victim to an ICS attack, anyone can.

FREE REPORT - IT MONITORING TOOLS COMPARISON

Are you looking to find the most efficient IT Monitoring tool available?

IT Monitoring is an essential part of the operations of any organisation with a significant network architecture.

Multiple IT monitoring platforms are available on the market today, supporting the various needs of small, medium-sized, and large enterprises, as well as managed service providers (MSPs).

This new report studies and compares eight different IT monitoring products in terms of functionality, operations, and usability on the same server platform with 100 end devices.

Which product is easiest to deploy, has the best maintenance mode capabilities, the best mobile access and custom reporting, dynamic thresholds setting, and enhanced discovery capabilities?

Download your free report to find out.

DOWNLOAD!

David Swan

David Swan is a tech journalist from Melbourne and is iTWire's Associate Editor. Having started off as a games reviewer at the age of 14, he now has a degree in Journalism from RMIT (with Honours) and owns basically every gadget under the sun.

Connect