Bradley Barth Senior Reporter
Researchers have developed proof-of-concept malware capable of compromising Building Automation Systems after discovering two critical bugs in a BAS programmable logic controller (PLC).
Created by experts at ForeScout, the malware exploits both vulnerabilities in combination with several older flaws that were previously known to the public, according to a ForeScout white paper released today in conjunction with a presentation by CTO Elisa Costante at the S4x19 industrial control systems cybersecurity conference.
In the white paper, ForeScout warns that the attack surface of BAS is markedly increasing due to the proliferation of IoT devices within these systems. Consequently, malicious actors could potentially take advantage, launching attacks that could, for instance, sabotage HVAC devices to overheat data centers or compromise physical access control systems in order to gain unauthorized entry to sensitive locations.
In a separate corporate blog post, ForeScout says that company researchers last year discovered the two critical flaws in a June 2013 version of the PLC. Reportedly, the vendor was already aware of the vulnerabilities at the time of private disclosure and had patched them in an update of the device. Regardless, ForeScout insists that the problem remains serious because the issue was never reported to the public, and many organizations are still using unpatched versions of the product. ForeScout has chosen to maintain the anonymity of the vendor.
ForeScout described the first of the two critical flaws as the use of a hard-coded secret while encrypting stored user passwords. “This weakness allows an attacker to obtain the credentials of valid users of the device,” the blog post states. The second problem is a buffer overflow that can result in remote code execution on the PLC.
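To make the first weakness concrete, the following is an added illustrative example, not code from ForeScout, the white paper or the unnamed PLC vendor. It contrasts the reported pattern (password storage that is reversible under a secret baked into the device) with the salted one-way hashing a defender would expect, and adds a small audit helper for spotting reversibly stored records. The key value, the keyed-XOR stand-in for the device's cipher, and every function name are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed, hypothetical stand-in for a key embedded in device firmware.
# Anyone who extracts the firmware holds the same key as the device does.
HARDCODED_KEY = b"example-firmware-key"


def _keystream(length: int) -> bytes:
    """Derive a repeating keystream from the fixed key (toy stand-in for a cipher)."""
    key = hashlib.sha256(HARDCODED_KEY).digest()
    return bytes(key[i % len(key)] for i in range(length))


def weak_store(password: str) -> bytes:
    """Vulnerable pattern (hard-coded secret, CWE-321 style): the stored value
    is a reversible transform of the password under a key that never changes."""
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(len(pw))))


def weak_recover(stored: bytes) -> str:
    """Because the transform is reversible and the key is fixed, the original
    password is recoverable from the stored value alone."""
    return bytes(a ^ b for a, b in zip(stored, _keystream(len(stored)))).decode()


ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def strong_store(password: str) -> dict:
    """Hardened pattern: per-user random salt plus a slow one-way KDF.
    Nothing stored here lets the plaintext be recomputed, only checked."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def strong_verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def audit_records(records: dict) -> list:
    """Defender-side check over a user -> stored-value mapping: flag entries
    that are raw bytes (reversible storage) rather than salted KDF records."""
    return sorted(
        user for user, value in records.items()
        if not (isinstance(value, dict) and {"salt", "iterations", "digest"} <= value.keys())
    )


if __name__ == "__main__":
    # Constructed sample: one account stored the weak way, one the strong way.
    store = {"operator": weak_store("hvac-2019"), "admin": strong_store("hvac-2019")}
    print("recoverable from weak record:", weak_recover(store["operator"]))
    print("strong record verifies:", strong_verify(store["admin"], "hvac-2019"))
    print("records needing migration:", audit_records(store))
```

The point the audit helper makes is the practical one for a BAS owner: a password store that can be decrypted is only as secret as the key that decrypts it, and a key shipped in every unit of a product is not a secret. Migrating such records means re-hashing at the user's next login, since the old values should never be decrypted in bulk.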