**If you’ve been contacted by me, it is because your device is on the internet and may be vulnerable to the vulnerabilities identified below. Please read through this and contact me if you have questions. Thanks**
What is Tridium Niagara?
Tridium is the developer of Niagara Framework. The Niagara Framework is a universal software infrastructure that allows building controls integrators, HVAC and mechanical contractors, to build custom web-enabled applications for accessing, automating and controlling smart devices in real-time via a local network or over the Internet.https://en.wikipedia.org/wiki/Tridium
Learn more about Tridium here.
How Many Are on the Internet?
According to Shodan.io there are over 67,000 devices listening on port 1911, which is known as the Fox protocol developed by Tridium. This port leaks the version number, internal IP address, and hostname of the Niagara system.
In 2012, Billy Rios and Terry McCorkle, who were working at Cylance at the time, found multiple vulnerabilities in Niagara systems. At least two of those vulnerabilities could be taken advantage of remotely, to take complete control of the device. One being a directory traversal and one being weak credential storage. When those vulnerabilities are used together, one is able to recover the admin account password to log into the system.
Rios and McCorkle purchased a device off Ebay and then reverse engineered it to see how the device worked. They presented the information they found at a conference in 2013 which can be read about here.
We did not take the time to check what percentage of the devices found on Shodan were vulnerable but after looking at a small sample we would say that at least 50% of the devices are vulnerable to the two vulnerabilities mentioned above.
Here are a few examples of vulnerable systems:
- Municipal Lighting Plant in Massachusetts
- Energy Company in Tennessee
- City in Missouri
- School in North Dakota
- Education Council in Ohio
- etc etc etc
There are plenty of systems around the world that are vulnerable to these vulnerabilities.
ICS-CERT has put out multiple notifications about these vulnerabilities such as here and here since the announcement. At least one manufacture has also put out notices such as Vykon. We haven’t seen much communication from the vendors in this space as most of them point to ICS-CERT. Johnson Controls has a website for Security Advisories, but does not have these vulnerabilities on it. We also haven’t seen anything for Honeywell. We are sure the notification is out there, somewhere, but were unable to locate it. If you have a link to the notifications please let us know and we will update the above.
If you do not have the following versions or higher, you need to upgrade because you are vulnerable:
- Niagara AX v3.8: 3.8.401
- Niagara 4 Framework v4.4: 220.127.116.11.1
Here’s an example of a vulnerable version and the information you can glean from it.
In order to get the version number of the particular device you can use this nmap script. You can also use Shodan.io or Censys.io to get that information. We won’t go into too much detail here but the exploit is very easy to accomplish. All you need is access to a login page and then you are able to browse to a file that contains the admin password. From there you could change heating, cooling, ventilation, water, pumps etc. This is scary in-itself, let alone the thought that the attacker may move laterally through the environment to steal information or install ransomware. Imagine ransomware taking down your city’s water or power, this is serious stuff. This vulnerability is simple to exploit and has been in the public realm for quite some time, so the vulnerabilities should be remediated ASAP.
Is your Niagara Tridium device on the internet? (If no, skip to next paragraph. Not sure? Use the Contact Me page) If yes, the first step is to take the device off the internet.
These ports should not be accessible from the internet:
If you need remote access to the device(s), put it behind a VPN with two factor authentication. Here is a list of VPN vendors for reference.
After this you will want to look around your network for signs of attackers. Check the authentication logs for abnormal logins. Look for odd changes in settings or configurations turned on/off when they shouldn’t be. If needed, bring in a professional company to check things out to make sure you were not previously hacked. This is very important and we would encourage you to do so if you see anything suspicious.
The next step is to change all passwords and then upgrade the device to the most current version. You will want to contact your service provider or the company who built the device such as Vykon, Honeywell, or Johnson Controls to get the latest version.
We recommend following the Tridium Niagara 4 or AX Hardening Guide. This will provide a list of best practices to secure these devices such as changing default passwords, use of VPN and enabling SSL/TLS. This hardening guide mixed with continual patching and removing the device from the internet should provide a good level of security for these devices.
Here are a list of recommendations for Niagara Tridium devices from ICS-CERT:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Change default credentials
- Disable the “guest” and “demo” user accounts if enabled.
- Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
- Use strong passwords.
These vulnerabilities have been out there for years and need to be remediated ASAP. If you think you might have been hacked or are hacked, reach out to an Incident Response company to comb through the environment. If your company is having these devices installed ask the installer what their security requirements are; show them the hardening guide on how it’s supposed to be done. We need to change the mindset of these companies and installers, to think about the security impact of these devices. Together change happens.
We’ve reached out to counties, cities, school systems, universities, power companies, etc. in hopes that they patch the device and remove it from the internet. If this information stops one attack before it happens, this blog post and outreach were worth it.
Still Confused or Need Help?
Message me on the Contact Me page if you have any questions. Thanks for reading!