Talk: Reconnaissance and Reverse Engineering, 12-1 Fri 2/17

We present our security analysis of three cyber-physical systems in UMBC’s new smart Interdisciplinary Life Sciences Building (ILSB): the access control system, the surveillance system, and the atrium's electrical system. Supported by reconnaissance and reverse engineering, we identify potential vulnerabilities, attacks, and risks, and make recommendations. Conducting reconnaissance and reverse engineering activities on academic cyber-physical infrastructure is currently an insufficiently researched area, unlike critical infrastructure such as smart power grids and the Industrial Internet of Things (IIoT). This project identifies how susceptible three cyberphysical systems in ILSB are to cyber attacks, and the significance of each attack to the relevant system. Without completing a full analysis and reconnaissance of the building, the DoIT and facilities manager cannot be sure how the online sensor infrastructure interacts with the physical infrastructure. Typically, academic spaces are more physically accessible than are industry equivalents, primarily due to the public nature of universities, which encourages unfettered access to buildings for the sake of collaboration and student freedom. This level of access, however, also expands the potential attack surface by opening up the university to cyber attacks performed via physical methods. Our group discovered multiple attacks on the three cyber-physical systems, produced recommendations to the university, and identified additional analysis that can be performed to secure the cyber-physical infrastructure further. Our group additionally created mappings of target systems that include interface details and connection types. After creating reconnaissance artifacts, we identified vulnerabilities within the target systems and vulnerabilities within the target system configurations.

Vulnerabilities we found include an authenticated command injection attack, and an unauthenticated denial of service on the webserver that hosts the physical access control system. Both vulnerabilities could be conducted by an adversary with a moderate level of effort and would enable the adversary to control the access control system, approving or denying access outside of normal operations. On the camera system, one attack we found is an incomplete client-side validation.  Exploitation of this vulnerability requires more effort and would allow the adversary to inject arbitrary commands, including deleting camera footage.