Quoting from http://www.abc.net.au/news/2017-05-06/software-bug-discovered-in-sensitive-government-systems/8501654
Bug discovered in software could 'do a lot of damage' if exploited
Exclusive by the National Reporting Team's Benjamin Sveen and national technology reporter Jake Sturmer
Updated Sat at 2:50pm
RELATED STORY: Emails of senior politicians compromised in Yahoo hack
RELATED STORY: Chinese hackers behind Defence, Austrade security breaches
RELATED STORY: The internet of things has been hacked — including dams and nuclear facilities
A critical vulnerability has been discovered in the software controlling sensitive government facilities, including at the Lucas Heights nuclear plant in Sydney and a Royal Australian Air Force (RAAF) base.
Key points:
- Vulnerability found in software in more than 200 buildings in Australia
- Cyber security company was able to gain administrative access to one of the affected government facilities
- Affected government organisations, including Defence, have taken steps to secure systems
Ed Farrell from security company Mercury ISS said his team identified more than 200 buildings in Australia containing the vulnerability, which, the ABC understands; the software manufacturer is working urgently to patch.
According to Mr Farrell, if the bug was exploited, it would allow hackers to take control over critical functions in what are supposed to be among the nation's most secure buildings.
"If a criminal or foreign intelligence service were to gain unauthorised access to such a facility, they could change settings in heating, ventilation, air conditioning — they could potentially do a lot of damage," he said.
Mercury ISS is a Sydney-based cyber security company which test systems for bugs in order to keep them secure.
"The exploit [that the Mercury ISS team developed] demonstrated that we could go from having no log-ins to this facility to getting administrative access to one of these facilities," Mr Farrell said.
"Depending on the context of the system, we could probably do whatever we wanted."
The Australian Nuclear Science and Technology Organisation (ANSTO) confirmed the vulnerability affects an administrative building connected to the Reactor Beam Hall at its Lucas Heights plant.
"ANSTO worked with the researcher [Mr Farrell] who raised the suggested improvement to the BMS system, and made changes within a matter of days," an ANSTO spokesperson told the ABC.
Control systems could offer attackers easy opening into valuable networks
Vulnerabilities in building management systems (BMS) can also potentially provide hackers access into other systems.
For instance, in November 2013, attackers exploited vulnerabilities in the BMS used by retail giant Target to gain access to their system that processes payments, allowing the hackers to siphon off credit card credentials from unknowing customers.
An ANSTO spokesperson has told the ABC that its building management system is not connected to its corporate network or any reactor facilities.
The ABC has been asked to not identify the location of the RAAF base affected.
Professor Jill Slay from the Australian Defence Force Academy, who is a supporter of Mr Farrell's research, said these types of control systems can potentially offer attackers the easiest opening into valuable corporate networks.
"Sometimes the purpose of doing it is to try and control your building because I want to steal something in your building," Professor Slay said.
"But sometimes, I'll use that weak link in your building to access the part of the network that is really important to me — the plans, the patents, the money, the human resources database, it just depends what my purpose is."
When the Mercury ISS team first discovered the vulnerable ANSTO and RAAF systems, their BMS log-in pages were even accessible over the Internet.
Cyber crime: Why you should care
Mr Farrell said the organisations reacted quickly to the concerns raised and had subsequently isolated the systems.
The Department of Defence has also confirmed they were notified about the problems at the RAAF base by the Australian Cyber Security Centre.
"As soon as Defence became aware of the potential risk, Defence took action by removing the identified system from the internet," a Defence spokesperson said.
However, the patch to fix the vulnerability which Mr Farrell's team exploited is under development and not expected to be available until later this month.
"I would say that the approach they have taken has been quite open, in that they've said, 'Yep, we acknowledge there's an issue, and we're dealing with it quite quickly'," Mr Farrell said.
"They've been really incredible in how they've gone about that."
Australia's software liability laws need change: tech law expert
His latest experience contrasts quite dramatically to a disclosure he previously attempted last year with a different BMS manufacturer, when he was threatened with legal action if he spoke publicly about what he found.
The ABC understands that vulnerability affected federal government buildings of considerable significance to national security.
"My intent really wasn't to be confrontational, or embarrass the vendor, it was just to say, 'Hey, there's risks out there that I think we need to be aware of'," he explains.
Security researchers often face a vexed legal framework in their efforts to expose vulnerabilities with the software companies responsible.
Some technology law experts think the time has come to update Australia's laws around software liability.
"At the moment there's nothing that can compel a company or force them to act," said Dr Alana Maurushat, who is from UNSW's Cyberspace Law and Policy Centre.
"Originally, software was excluded from a lot of different types of liability [for software with inadequate security] in development because it was perceived as a new industry, and often a new industry is shielded from liability provisions until they become a mature industry.
"I think those arguments for the software industry being an immature industry no longer stand in the year 2017."
Dr Maurushat said there are arguments for establishing a register to protect so-called "white hat hackers" like Ed Farrell, who report vulnerabilities rather than sell exploits for financial profit on the black market.
Comments