Honeywell’s Niagara control system, which controls buildings’ electricity, heating and other systems, is vulnerable to internet attacks.
Despite warnings from US officials, it is possible to close down buildings completely using an internet attack.
The Niagara control system from Honeywell International’s Tridium division is configured to connect to the web by default. It does not need to do this, but it does it anyway.
Insecurity experts Billy Rios and Terry McCorkle, from Cylance, told a security conference in San Juan, Puerto Rico, that they uncovered vulnerabilities last year.
This prompted the Department of Homeland Security to warn customers to change their settings and resulted in Honeywell releasing a software update that the two researchers previously said had successfully addressed the problems.
But there are apparently more flaws in Tridium’s technology that continue to make customers vulnerable to attack.
They showed the conference how they could take control of a Niagara system using a new piece of software they had written.
While they refused to say how they did it, they said that attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices.
In some cases, once the hackers had wrecked the company’s physical environment, they could use the hack as a gateway to getting into the building’s main office computers.
A Honeywell spokesperson said the company is working to address the problems as quickly as possible and will alert customers to the risks.