Google"s Building Control System Highly Vulnerable to Hacking

According to the results of an investigation conducted by a pair of leading internet security experts, the building control system for Google’s office complex in Australia is highly vulnerable to online attacks by computer hackers.

Billy Rios and Terry McCorkle of computer security firm Cylance were able to hack into the building management system of Google’s Wharf 7 office, located in the Sydney waterfront suburb of Pyrmont, with relative ease, obtaining access to key passwords and control systems.

In addition to acquiring full control of the building management system, the researchers were also able to access blueprints of floor and roof plans, views of water pipes installed throughout the building, readings on water temperature and the coordinates of a leak in the kitchen.

“We could have taken over the operating system and accessed any other control systems that are on the same network as that one,” said McCorkle.

“We didn’t that because that wasn’t the intent…but that would be the normal path if an attacked was actually looking to do that.”

The researchers reported the huge security vulnerabilities to Google yet refrained from compromising security of the building management system any further by testing out the  control panels.

“We didn’t want to exercise any of the management functionality on the device itself. It’s pretty fragile, and we don’t want to take that thing down, ” Rios said.

Google has its head office at workplace6 at Pyrmont. Source: Business Day

Online computer hacking is far from uncommon in the modern era, but when Google, the doyen of internet corporations, can be successfully infiltrated by a pair of trained experts, serious questions arise about whether existing building control measures are sufficient.

Concern is further heightened by the fact that the building control system employed by Google Australia is based on the Tridium Niagara AX platform, which is employed by millions of organizations globally, including military facilities, government buildings and hospitals, despite the fact that it has previously been proven to suffer from major security flaws.

The system is used for a slew of high security facilities around the world, including a building complex in Chicago which houses offices for the FBI, the Drug Enforcement Agency and the US Marshals office, training facilities of the British Army, the Changi international airport in Singapore and the Four Points Sheraton Hotel in Sydney.

Rios and McCorkle have uncovered vulnerabilities in the Tridium Niagara AX platform in the past and say that Google’s mistake is in the use of a third-party integrator company to set up its building management system. They say the third-party company failed to install proper internet security measures such as patches.

While the Tridium platform is by definition impervious to online hacking when utilized independently, building management systems in the modern era are frequently connected to the internet to facilitate remote usage and control, which makes them highly vulnerable to hacking.

According to Rios and McCorkle, more than 25,000 Tridium systems around the world are currently connected to the internet, many of which have not installed the patches needed to ensure their security.

By Marc Howe

Top Image Source: AP, The New York Times

Google"s Building Control System Highly Vulnerable to Hacking