The building control panel shows layout of water pipes in Google’s Wharf 7 office. Photo: Screenshot by Cylance
The building control system for one of Google's offices in Sydney was
hacked into by two IT security researchers who say hundreds more in
Australia are also accessible via the internet.
A building control system, or building management system,
is a computer-based system used to control and monitor a building's
mechanical and electrical equipment using software. It monitors and
controls things like ventilation, air conditioning, lighting and fire
systems.
US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which maps out vulnerable devices on the internet.
Inside Google's Wharf 7 office in Pyrmont, Sydney. Photo: Supplied
A number of Google staff moved into Wharf 7 last year after the
internet giant took up office space in the building to cope with its
expanding workforce. It is understood Google will also soon move into
one of Fairfax Media's Pyrmont office floors, as reported by Mumbrella.
Technology news website Wired first reported the hacking news on Monday night. The security firm also posted about it on its blog. Wired said the researchers were able to gain access to the Wharf 7 control system — which uses the Tridium Niagara AX platform — by using the default password "anyonesguess".
Once logged in, the researchers were able to see on their
screen access panels which showed buttons marked "active overrides",
"active alarms", "alarm console", "LAN Diagram", "schedule", and a
button marked "BMS key" for Building Management System key, Wired reported.
The building control panel showing the roof blueprint. Photo: Cylance
It said there was also a button marked "AfterHours Button" with a hammer on it.
The researchers also accessed a control panel showing
blueprints of the floor and roof plans, "as well as a clear view of
water pipes snaked throughout the building and notations indicating the
temperature of water in the pipes and the location of a kitchen leak",
it said.
Despite this, Google Australia said only its Wharf 7 heating
and air conditioning units could be controlled via the system. "We're
grateful when researchers report their findings to us," Google Australia
said in a statement to Fairfax. "We took appropriate action to resolve
this issue."
Dubbed in an article by CNN as "the scariest search engine on the internet",
Shodan, the search engine the researchers found the Google system on,
is primarily used by IT security researchers to discover vulnerabilities
in devices which are connected to the public internet. Search terms
like "webcam" can be entered into Shodan, as well as a location, to find
vulnerable devices online.
Speaking to Fairfax Media late on Monday night, Rios said
Cylance had discovered thousands of building control systems on the
internet which were exploitable, 100 of which were in Sydney.
"We've discovered hospitals, banks, government buildings... all of them are vulnerable," he said.
To prove this, Rios provided Fairfax Media with five URLs to
publicly accessible web pages that appeared to host the building
management control systems of major Sydney organisations.
Australian IT security researcher Troy Hunt
told Fairfax that the management of a building control system was
generally outsourced to a third party, and that in Google's case that
third party appeared to have "dropped the ball" in keeping the system
secure.
"I would imagine that the whole thing is probably run by some
outsourcing group who is responsible for managing the building," Hunt
said. "They're responsible for the software, they've probably got some
entry points for Google staff to be able to perform essential tasks and
that's probably about the extent of the Google relationship I would
say."