Merry Christmas to the hacker community from LonWorks

According to Wikipedia, as of 2010 more than 90 million devices were installed with LonWorks technology. Manufacturers in a variety of industries have adopted the platform as the basis for their product and service offerings. Statistics as to the number of locations using the LonWorks technology are scarce, but it is known that products and applications built on top of the platform include such diverse functions as:

- embedded machine control,

- municipal and highway/tunnel/street lighting,

- heating and air conditioning systems (HVAC),

- building lighting,

- elevator/escalator controls,

- irrigation,

- stadium lighting and speaker control (is the NFL paying attention for the Super Bowl?)

- security systems,

- fire detection and suppression,

- theater lighting and stage,

- Smart Grid - advanced metering, demand response, and distribution automation,

- liquor dispensing,

- livestock management,

- medical instrumentation,

- office machine automation,

- supermarket checkout,

- patient monitoring,

- highway toll collection,

- restaurant automation,

- slot and vending machine control,

- circuit board diagnostics,

- semiconductor fabrication plants,

- paper manufacture,

- high speed printing,

- asset tracking,

- buses, subways, passenger, and freight rail transportation – propulsion, braking, signage, lighting, and

- newborn location monitoring and alarming.

As of December 23, 2013, the LonWorks Network Communication and Interface Guide, Software Release 6.0 dated January 30, 2013 is available on the Internet. The user guide provides guidance on resetting the security settings to the default condition. Moreover, it provides the default user ID and password.

What more could a hacker wish for?

Joe Weiss

Comments

  • What the author fails to mention is that a physical reset is required on the interface before the default settings can be accessed. Anyone with physical access to hardware has breached more than a firewall.

    The particular product referenced in the guide is not only obsolete, but represents one of thousands of LonWorks based products on the market. There are many suppliers of network interface products to support LonWorks networks. Each supplier uses different forms of security and authentication for their particular products.

    What this article does reinforce is the importance of implementing industry best practices for network security. Default usernames and passwords should never be used, whether the product is installed in a home network or more critical industry control network.


  • Joe's comments above refer to a particular network interface product from Echelon, that indeed publishes how to perform a password reset. However, typically in a secured building environment this is not possible.

    Setting hardware back to factory defaults is not uncommon (just Google “resetting cisco router password”). The question is can this be done over the network? Most often not, physical access to the device is needed. Meaning if you lock up the device in a secure cabinet, you need to physically break into the secure environment to perform the reset.

    Furthermore, some of the LonWorks applications Joe listed do not depend solely on IP layer access security. Applications that desire a high level of security have multiple layers of security. Before starting my consulting business (Pi Shaped Incorporated), I worked for Echelon for over 20 years as a field application/sales engineer. One of the many curious locations I found myself during my career was (after passing a background check) sitting down with some folks in Los Alamos, NM. Without going into inappropriate detail, I can assure you there are some very highly secure LonWorks applications deployed around the world.

    This being said, I believe basic security improvements can be made to many LonWorks installations. I am still surprised at the number of installations that do not follow some basic security design rules. First create a security plan, a real plan that includes a multi-layered approach, with firewall access control, setting passwords to non-default settings, locking up devices that allow factory resets, use encrypted password storage when possible. As we move from systems that are “unconnected” without Internet access to a connected world we need to deal with security. The analogy I often use is BAS systems came from a time and place comparable to a rural small town in the Midwest (something I have experience with). People left their doors unlocked, garage doors open, and there were no real security issues. One of the (many) reasons was because this was an “unconnected” society, isolated from the rest of the world. When you connect to the Internet, you bring the entire world to your doorstep, all the good and the bad. So in that situation when you leave your garage door open, are you really surprised when someone takes your lawn mower? Today, you should consider locking your door.

    -Mike


  • Following their comments, I talked to the two commenters from LonMark, Barry and Mike, who both agreed there needs to be more attention paid to cyber security. Joe Weiss
