Google goes to a lot of effort to keep its customers' private information private. But it seems it doesn't have quite the same level of focus when it comes to keeping its own building systems secure.
Researchers from security firm Cylance found, following a search on Shodan, that the building control system for Google's Wharf 7 offices in Sydney was vulnerable to attack.
The building, which used an unpatched version of the Tridium Niagara AX platform for its building controls, was compromised when the researchers managed to gain access to an administrator's password to the system and access control panels.
Fortunately for Google Australia, the researchers didn't decide to start playing games with the building's alarms or lights, but instead notified Google of the security flaw, allowing the search giant to fix the problem.
From unsecure beginnings
The Cylance researchers also managed to obtain copies of blueprints for the building, including floorplans and roof plans, plus locations of water pipes.
The break-in to the system also offered the duo the opportunity to spread mischief. Terry McCorkle, one of the two researchers from Cylance, told Wired, "From that point we could have actually installed a rootkit. We could have taken over the operating system and accessed any other control systems that are on the same network as that one. We didn't do that because that wasn't the intent…. But that would be the normal path if an attacker was actually looking to do that."
While Google has patched the security hole and the Cylance researchers weren't pursuing nefarious ends, the researchers have stated that there's probably a good percentage of the 25,000 buildings using the same Tridium Niagara AX platform that haven't patched the security hole, making them vulnerable to attack.