Menu
Target attack shows danger of remotely accessible HVAC systems

Target attack shows danger of remotely accessible HVAC systems

Qualys says about 55,000 Internet-connected heating systems, including one at the Sochi Olympic arena, lack adequate security

The massive Target breach led to revelations that many companies use Internet-connected heating, ventilation, and air conditioning (HVAC) systems without adequate security, giving hackers a potential gateway to key corporate systems, a security firm warned Thursday.

Cloud security service provider Qualys said that its researchers have discovered that most of about 55,000 HVAC systems connected to the Internet over the past two years have flaws that can be easily exploited by hackers. Such a flaw was used by hackers in the Target breach.

HVAC systems connect to networks at various retail companies, government buildings and even hospitals, according to the security firm. HVAC vendors and other third parties often have remote access right to these systems for administrative and support purposes.

Hackers can exploit these systems to gain access to enterprise networks and leapfrog onto other corporate systems, Qualys said.

The recent breach at Target, which resulted in the theft of data on 40-million credit and debit cards, is believed to have occurred in this way. According to security blogger Brian Krebs, who first reported the massive breach, hackers gained access to the Target network using login credentials stolen from a company that provides HVAC services to the retailer.

The HVAC firm apparently had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores. The Target data thieves used the remote access rights to gain a foothold on the retailer's network and subsequently leapfrog onto the company's payment systems.

Most companies have no idea HVAC systems are connected to the Internet and can serve as gateways into the corporate network and sensitive data, said Billy Rios director of intelligence at Qualys, in an email.

"This breach doesn't just affect Target. There are many other control systems for other companies that are exposed," Rios said.

After the disclosure about how attackers accessed the Target network, Qualys did some network scanning and found that that the HVAC system at Target's headquarters is still visible online. So too is the HVAC and energy management systems at the Sochi Olympics arena, he said.

"The Sochi system doesn't even require a password, so if you know the IP address, you're in. We've contacted the integrator to warn them of this problem," Rios noted.

Often, the companies that have remote access to HVAC systems fail to realize that the systems can be used as a gateway to sensitive corporate networks. So they typically tend to have lax security measures, he said. For instance, many HVAC management companies use the same password to access systems belonging to multiple customers, he said.

Qualys has been working with the DHS on this issue for three years, so the threat is not unknown to all, Rios said. "Most people just don't know about it yet," he added.

Boatner Blankenstein, senior director of solutions engineering at Bomgar, a company that provides tools for securing remote access, said the Target breach shows why companies need to implement measures for controlling what third-parties can do on their networks.

Large enterprises often grant remote access rights to software, hardware, and numerous other vendors and external third parties. But few have measures in place for ensuring that the access is properly authenticated and secured.

While many companies might routinely log remote access sessions, few have capabilities to audit the access from a security standpoint, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags TargetCybercrime and HackingsecurityMalware and Vulnerabilitiesqualys

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments