A few days ago Swedish national newspaper Dagens Nyheter revealed very disturbing vulnerabilities in the automation systems of Swedish company Kabona. These systems control HVAC systems, climate systems, heating, supermarket freezers and so on, nothing strange there, all these functions you could want to monitor and adjust remotely. The problem is that thousands of installations are accessible via the internet and so jam-packed with bad programming and vulnerabilities that anyone with even very limited skills can get in to the systems and manipulate locked doors, server room temperatures and even ring the bells in the tower of a church in Hedemora.
I can guarantee that these systems never have gone through any kind of penetration testing or security scrutiny. It took me no more than ten minutes to find a flaw to get into the systems, and two fully working exploits within an hour. When you know what to do, you’ll have full access to all of them in mere seconds. I quickly glanced through some of the vulnerable systems, and there are plenty of supermarket freezers to turn off, and temperature controllers to play around with. I don’t doubt that functions and structures important to society could be threatened by these vulnerabilities. There is a possibility to wreak havoc and create a lot of damage, and of course costs and irritation.
With only a few clicks is possible to manipulate heating, ventilation, fire alarms and to open doors in many sensitive locations in Sweden. We have found at least 733 systems that are connected to Kabona’s web central, completely open to the internet. Among them are police stations, train stations, care centers and large office buildings. DAGENS NYHETER (MY TRANSLATION)
My fingers are itching, but of course I can’t tell you any details about the holes and flaws I found, responsible disclosure you know. People across the globe are probably trying to play around with the systems that can be reached and breached, Shodan recent searches hints that much. I don’t want to make matters worse. Swedish security researcher Leif Nixon was the one who reported this, and he will release an advisory in December, at least giving the company a month to get their act together. I’m sure the exploits I found are at the top of his list, and there are probably many more.. The flaws will make it possible to automatically exploit the systems, and I’d be surprised if we don’t see a mass-scan+infection soon. If a car manufacturer released a new model with security flaws, they would pull it off the market immediately. Unsafe toys, same thing. They follow strict rules and regulations, but it seems that it is just plain OK to release software that is more or less completely open to the billions of internet users across the globe. Should there be requirements of penetration testing, etc, at least for systems purchased by governments? The losers in this game are Kabona’s thousands of clients, but as we all know, this is definintely not the last time we see systems that are this horribly broken.