S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.
Security researcher Elisa Costante and her team at ForeScout last summer created the test malware, a modular design that includes a worm that spreads itself among BAS devices, using intelligence they gathered over the past three years while testing popular BAS systems such as protocol gateways and PLCs for HVACS and access control, for vulnerabilities. During that period, they uncovered ten security flaws, half of which were cross-site scripting (XSS) bugs in their associated Web application interfaces, as well as privilege escalation and buffer overflow vulnerabilities.
Leave a reply
