Researchers warn of cyber flaws in Honeywell control systems
By Joseph Menn
SAN JUAN, Puerto Rico (Reuters) - A widely used system for controlling electricity, heating and other systems inside buildings remains vulnerable to attacks over the Internet, despite warnings from U.S. officials, researchers said on Tuesday.
The Niagara control system from Honeywell International Inc's Tridium division are configured to connect to the Internet by default, even though that is not necessary for them to function, two researchers from security firm CyLance said at a security conference in San Juan, Puerto Rico.
The pair, Billy Rios and Terry McCorkle, uncovered vulnerabilities last year that prompted the Department of Homeland Security to warn customers to change their settings and resulted in Honeywell releasing a software update that the two researchers previously said had successfully addressed the problems.
Yet they revealed on Tuesday they have since uncovered new flaws in Tridium's technology that continue to make customers vulnerable to attack via the Internet.
They showed they could take control of a Niagara system using a new piece of software they had written to demonstrate the vulnerabilities in the system.
They declined to explain their techniques out of concern that malicious hackers might try to copy their methods. They said attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices.
Once inside, hackers could wreak havoc with the physical environment and in many cases could also jump to a building's main office computers, McCorkle said.
"It's a little worrisome," McCorkle said. "Don't put it on the net." Continued...