Honeywell is a cyber-terror disaster in waiting

Stefan Mileschin · 7th February 2013, 07:25

Honeywell's Niagara control system, which controls buildings' electricity, heating and other systems is vulnerable to internet attacks.

Despite warnings from US officials, it is possible to close down buildings completely using an internet attack.

The Niagara control system from Honeywell International's Tridium division are configured to connect to the web by default. It does not need to do this, but it does it anyway.

Insecurity experts from CyLance Billy Rios and Terry McCorkle told a security conference in San Juan, Puerto Rico that they uncovered vulnerabilities last year.

This prompted the Department of Homeland Security to warn customers to change their settings and resulted in Honeywell releasing a software update that the two researchers previously said had successfully addressed the problems.

But there are apparently more flaws in Tridium's technology that continue to make customers vulnerable to attack.

They showed the conference how they could take control of a Niagara system using a new piece of software they had written.

While they refused to say how they did it, they said that attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices.

In some cases, once the hackers had wrecked the company's physical environment they could use the hack as a gateway to getting into the building's main office computers.

A Honeywell spokesperson said the company is working to address the problems as quickly as possible and will alert customers of the risks.

http://news.techeye.net/security/hon...ter-in-waiting

7th February 2013, 07:25	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 153,514	Honeywell is a cyber-terror disaster in waiting Honeywell's Niagara control system, which controls buildings' electricity, heating and other systems is vulnerable to internet attacks. Despite warnings from US officials, it is possible to close down buildings completely using an internet attack. The Niagara control system from Honeywell International's Tridium division are configured to connect to the web by default. It does not need to do this, but it does it anyway. Insecurity experts from CyLance Billy Rios and Terry McCorkle told a security conference in San Juan, Puerto Rico that they uncovered vulnerabilities last year. This prompted the Department of Homeland Security to warn customers to change their settings and resulted in Honeywell releasing a software update that the two researchers previously said had successfully addressed the problems. But there are apparently more flaws in Tridium's technology that continue to make customers vulnerable to attack. They showed the conference how they could take control of a Niagara system using a new piece of software they had written. While they refused to say how they did it, they said that attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices. In some cases, once the hackers had wrecked the company's physical environment they could use the hack as a gateway to getting into the building's main office computers. A Honeywell spokesperson said the company is working to address the problems as quickly as possible and will alert customers of the risks. http://news.techeye.net/security/hon...ter-in-waiting

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
2K Games Picks Up Carmageddon, Reservoir Dogs & Conflict: Global Terror	jmke	WebNews	0	17th February 2005 16:58