Stumbling upon Security Issues

Filed under Vulnerabilities

Seriously…I don’t go looking for web site security issues or vulnerabilities but sometimes you do “stumble” upon them. :-P

Several weeks ago I was looking for an online schedule of events at one of the local community centers where I live, so I did what anyone would do and typed the URL of the city’s web site into my browser, but without typing “www” first. The actual URL starts with “www”, but many times just typing the URL without “www” will take you to the web site. So to my surprise, instead of getting the main index page of the city’s web site I got a web form prompting for login credentials to what looked like an HVAC system attached to the Internet! The header of the page had some information about a system version, so I did what any other security guy would do and launched a Google search to find out more details about this system. Yep, it was an HVAC system alright. So I thought no big deal, right? Out of curiosity I hit the ‘enter’ key thinking that there was no way that there was an anonymous login on this baby…lo and behold, it logged me in! I was able to view the HVAC system configuration and potentially manage the HVAC for not only the community center but the city hall and other facilities. Looked like I could have caused some mischievous outages like changing the temperatures and even shutting down the HVAC system. At this point many scenarios entered my head, including why someone would put an HVAC system that should be on the company “Intranet” on the “Internet” with an anonymous administrator-level account…nahh…I’m a pen tester so this isn’t shocking to me at all!

Being the ethical person that I am, I emailed the city that manages this domain letting them know of the issue…today I received an email that said they were looking into the issue and it should be resolved shortly. So here are the questions. What would you have done (put your non-evil hat on please…yes, methodically messing with the temperature in the mayor’s office would be a blast…)? Do you just forget that you stumbled upon this vulnerability, or do you believe in more of a full disclosure policy to the people running the web site? In talking to some others…attempting to contact the site owners is the best option (which I agree with), yet some others may take a different approach. Some “grey-hat” hackers might even resort to causing havoc with the HVAC system just to prove a point, then disclose the vulnerability the right way. Thoughts from the community?
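As an added example (not part of the original post, and not the city’s or the HVAC vendor’s code): a small Python audit that checks the two things this story turns on. First, whether the bare domain resolves somewhere other than the “www” name, which is how an internal management interface ends up answering on the apex. Second, whether a login form on whatever answers there accepts an empty username and password. The hostnames, the constructed sample HTML and the “empty submission accepted” heuristic (a redirect away from the form, or a 200 page with no login form left on it) are assumptions for illustration. The active part, posting blank credentials, is only for hosts you are authorized to test.

```python
"""Apex-vs-www divergence and blank-credential login check (added example)."""
import socket
import sys
from html.parser import HTMLParser
from urllib import error, parse, request

# Constructed sample page standing in for the login form the post describes.
SAMPLE_LOGIN_PAGE = (
    '<html><body><h1>Building Controller v1.2</h1>'
    '<form action="/login" method="POST">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit" value="Go"></form></body></html>'
)


class FormScanner(HTMLParser):
    """Collect every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""),
                             "method": (attrs.get("method") or "get").lower(),
                             "fields": [], "has_password": False}
        elif tag == "input" and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def find_login_forms(html):
    """Return [{action, method, fields, has_password}] for password forms in html."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.forms


def apex_diverges(apex_ips, www_ips):
    """True when the bare domain and the www name share no address at all."""
    return bool(apex_ips) and set(apex_ips).isdisjoint(www_ips)


def blank_login_accepted(status, body):
    """Heuristic: redirected off the form, or a 200 that no longer shows a login form."""
    if status in (301, 302, 303, 307):
        return True
    return status == 200 and not find_login_forms(body)


class _NoRedirect(request.HTTPRedirectHandler):
    # Surface 3xx as an HTTPError instead of following it, so we can see it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve(host):
    """All addresses a name resolves to; empty list if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def fetch(url, data=None, timeout=5):
    """(status, body) for a GET, or a POST when data is given; never follows redirects."""
    opener = request.build_opener(_NoRedirect)
    req = request.Request(url, data=data, headers={"User-Agent": "apex-audit/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def audit(apex, timeout=5):
    """Network driver: list findings for one domain (authorized targets only)."""
    findings = []
    apex_ips, www_ips = resolve(apex), resolve("www." + apex)
    if apex_diverges(apex_ips, www_ips):
        findings.append(f"{apex} -> {apex_ips} differs from www.{apex} -> {www_ips}")
    base = f"http://{apex}/"
    _, body = fetch(base, timeout=timeout)
    for form in find_login_forms(body):
        if form["method"] != "post":
            continue
        target = parse.urljoin(base, form["action"])
        payload = parse.urlencode({f: "" for f in form["fields"]}).encode()
        status, resp_body = fetch(target, data=payload, timeout=timeout)
        if blank_login_accepted(status, resp_body):
            findings.append(f"empty credentials accepted at {target} (HTTP {status})")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for line in audit(sys.argv[1]):
            print("FINDING:", line)
    else:  # offline demonstration on the constructed sample
        print(find_login_forms(SAMPLE_LOGIN_PAGE))
```

The offline helpers (`find_login_forms`, `apex_diverges`, `blank_login_accepted`) are the part worth reusing; the driver is deliberately a single unauthenticated GET plus one empty POST per login form, nothing more, so that a positive result is a disclosure-worthy finding rather than the “leave a present” approach discussed in the comments.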


5 Comments

  1. Tarek says:

    It depends. I sometimes prefer to put on a Black Hat when I am in the Evil and Wanna-Have-Some-Phun mood, but I guess most of the time I will prefer putting a White Hat on instead.

  2. Quzart says:

    Hmmm, I think I would ‘leave a present’, like putting a text file on the server, or changing something that doesn’t mess up the whole system. Then I would email them that something isn’t right and let them know what I changed so they know it is serious.

  3. Matt says:

    Sadly I have seen a couple of HVAC systems connected to the Internet; in most cases the manufacturer or vendor required the company to do this so they could "remotely administer the system."

    Systems like this are the primary reason I still recommend people war dial their exchanges. More often than not when war dialing a large company I will discover an HVAC or elevator control system connected to a modem. Tip – If you come across a modem set to 300, 1200 or 2400 baud it is probably a control system of some sort. And of course it goes without saying you should only war dial ranges you are authorized to scan.

    What would I have done in the scenario above? Probably the same actions you took, and try to contact the site administrator.

  4. Tom says:

    Thanks for the comments. Yes, war dialing sometimes gets overlooked…and can still be the easy way in to a network. Seems like most new HVAC installations are Internet enabled with the default security settings of "no security". ;-)

  5. Tyler says:

    Like you, I would have done the same thing – reporting it to the owners. It always surprises me when I hear about these, even though it shouldn’t. Good find…hopefully they’ll fix it.
