Help needed — who owns these building automation appliances?

Teppo Suominen
Published in Remod
Apr 30, 2019


“Hi! This is Kari from Remod. It seems that you have several building automation systems open to the Internet. Anyone could control your buildings.”

“Haha… sorry… what?”

“Yeah, it would be nice to take these off the net.”

Finland’s national broadcaster, Yle, aired a documentary (English subtitles available) called Team Whack at the beginning of March. The gist was that a team of white hat hackers showed that a lot of things are open on the public internet that shouldn’t be. Exposed and vulnerable building automation devices made by Fidelix were a particular concern. These are very popular in Finland, and we found that everything from Finnish housing associations through ice hockey rinks to elderly care homes had these devices in use and exposed. We set out to do our part and reduce the number of vulnerable devices on the open internet, as ethically as possible.

We trawled through a list of apparently open IP addresses with shodan.io, a search engine for internet-connected devices, to find what was exposed to the public internet. Whenever a Fidelix device or one of its interfaces was open to the internet, we tried a web search to find a possible owner. Then we checked the Finnish Business Information System for which housing company, estate services company or owner was in charge of the device we had found. When we found an owner, we looked for contact information (preferably a phone number) and called them to ask whether they were aware that they had a Fidelix device open to the public web.

How we did it

In numbers: we found 262 Fidelix device IPs. We chose 94 target devices, owned by a total of 27 identifiable owners. Of these 27 we found a contact for all but two, and we were unable to reach eight of the contacts we did find. Of the 17 we reached, only four were already aware of the issue, which means that most owners of still-reachable Fidelix devices had no idea before we called them. Of the four who already knew, only one was already in the process of fixing the issue.

The process in numbers.

Often, though, when we reached a switchboard operator or a customer service rep, the call escalated high and fast once we explained why we were calling. This is a good sign: it shows that people are at least aware of the possible implications of these issues.

When we got hold of someone, we let them know that we had found a Fidelix device accessible on the public internet that seemed to belong to them. Once they confirmed it was theirs, we advised them to either restrict access to it with a firewall or VPN, or take it off the public web entirely.
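The triage described above, from a raw list of exposed addresses down to an owner-by-owner call list, is mechanical enough to script. The following is an added example written for this page, not tooling from Remod or Badrap. It assumes a Shodan JSON-lines export (the `ip_str`, `port`, `org`, `hostnames`, `domains`, `data` and `location` fields are Shodan’s), assumes that the vendor name appears somewhere in the device banner (the post does not say how the devices were fingerprinted), and runs on constructed sample records using RFC 5737 documentation addresses and invented company names. It also shows the follow-up step of re-checking a later export to confirm that a contacted owner’s device has actually disappeared.

```python
import json
from collections import defaultdict

# Constructed sample of a Shodan JSON-lines export (one banner per line).
# Addresses are from the RFC 5737 documentation ranges and the organisations
# are invented. "Server: Fidelix" is an ASSUMPTION about how such a device
# might identify itself, not a fingerprint taken from the original post.
SAMPLE_EXPORT = r'''
{"ip_str": "198.51.100.10", "port": 80, "org": "Operator A Oy", "hostnames": ["bms.esimerkki.example"], "domains": ["esimerkki.example"], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "198.51.100.10", "port": 443, "org": "Operator A Oy", "hostnames": ["bms.esimerkki.example"], "domains": ["esimerkki.example"], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "198.51.100.23", "port": 80, "org": "Asunto Oy Koetalo", "hostnames": [], "domains": [], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "198.51.100.44", "port": 8080, "org": "Operator B Oy", "hostnames": ["ohjaus.esimerkki.example"], "domains": ["esimerkki.example"], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "203.0.113.5", "port": 80, "org": "", "hostnames": [], "domains": [], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "203.0.113.77", "port": 80, "org": "Operator A Oy", "hostnames": ["www.other.example"], "domains": ["other.example"], "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n", "location": {"country_code": "FI"}}
'''

# Constructed re-scan taken a few days after the calls: two owners have taken
# their devices off the net, the two addresses below are still answering.
SAMPLE_RESCAN = r'''
{"ip_str": "198.51.100.44", "port": 8080, "org": "Operator B Oy", "hostnames": ["ohjaus.esimerkki.example"], "domains": ["esimerkki.example"], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
{"ip_str": "203.0.113.5", "port": 80, "org": "", "hostnames": [], "domains": [], "data": "HTTP/1.1 200 OK\r\nServer: Fidelix\r\n", "location": {"country_code": "FI"}}
'''

VENDOR_MARKER = "fidelix"  # assumption: vendor name is visible in the banner


def parse_export(text):
    """Parse a Shodan JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_target_device(record):
    """True if the banner text or Shodan's product tag names the vendor."""
    haystack = (record.get("data", "") + " " + record.get("product", "")).lower()
    return VENDOR_MARKER in haystack


def owner_hint(record):
    """Best available lead for who operates the device.

    The registrable domain behind the hostname is the strongest hint (the
    post's phone dialogue turns on the company name being visible in the
    address). The netblock 'org' is a weaker fallback, since it is often the
    ISP rather than the building owner. Records with neither land in
    'unknown': the bucket that still needs manual research.
    """
    if record.get("domains"):
        return record["domains"][0]
    if record.get("org"):
        return record["org"]
    return "unknown"


def build_worklist(records):
    """Group exposed target devices by owner hint, one entry per IP.

    An address answering on several ports is one device to call about, so
    IPs are deduplicated per owner.
    """
    by_owner = defaultdict(set)
    for rec in records:
        if is_target_device(rec):
            by_owner[owner_hint(rec)].add(rec["ip_str"])
    return {owner: sorted(ips) for owner, ips in sorted(by_owner.items())}


def _exposed_ips(records):
    return {r["ip_str"] for r in records if is_target_device(r)}


def still_exposed(before, after):
    """IPs exposed in the first export that still answer in the re-scan.

    This is the 'call back and confirm the fix' step: an owner who reports
    the device as firewalled should no longer appear in this set.
    """
    return _exposed_ips(before) & _exposed_ips(after)


if __name__ == "__main__":
    first = parse_export(SAMPLE_EXPORT)
    for owner, ips in build_worklist(first).items():
        print(f"{owner}: {', '.join(ips)}")
    remaining = still_exposed(first, parse_export(SAMPLE_RESCAN))
    print("still exposed after re-scan:", sorted(remaining))
```

On the sample data this yields three owners to research or call (one of them only a netblock name, one with no hint at all), excludes the unrelated nginx host, and after the re-scan reports two addresses still exposed, which is the list you would work through again.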

Who we helped

“We had to fix these fast,” Veli-Pekka Leppänen from Nanocomp Oy comments on the Fidelix building automation vulnerabilities. “Kari from Remod Oy even called us back to confirm that our fix was ok. Kari had warned tens of parties and we were glad to hear that we were fastest to act. It is good that there is a community effort to reach owners of the vulnerable appliances, as not everyone is aware of the risks yet.”

As Fidelix devices are often found in housing companies and are used to control automation in modern living environments, many of the people we contacted were understandably perturbed and jumped right on it. A typical phone call went along the lines of:

Us: (after introductions) “You seem to have a Fidelix device open to the public internet, which means anyone can theoretically control your housing automation system.”

CEO of a contacted company: “Everything we have should be firewalled, are you sure you’re not mistaken?”

Us: “We’re pretty certain, since your company name is in the address field and you seem to be the only company with this name in Finland.”

CEO: “I see. Thank you for letting us know, we’ll check this.”

And then, in a day or two, the device would be gone from the web. Almost everyone was thankful for the information, some wished for more help with blocking traffic to the vulnerable device, and one person in charge of automation even asked whether we could come and hold a seminar on cybersecurity and what it means for them.

What’s next

A lot of Fidelix devices are still open and accessible on the web.

This effort was a joint one by Badrap and Remod. Badrap is a company focused on securing companies against data breaches and vulnerabilities, both by technical means and by teaching people to work and operate more securely. Remod is a consulting company with a focus on security and innovation. We were motivated by the possibility of creating a fast and lasting impact through a simple contact campaign.

We found a lot of devices, contacted everyone we could, and many of the devices are now gone from the open internet, but for a lot of devices we simply couldn’t find the owner, location or person in charge. So while we got a lot done, there is still work to do. Even now, anyone can get this list from shodan.io. We provide the list of remaining IPs here on GitHub so that people can help get these off the internet. Please help the owners before they become victims. If you know or can find out who owns any of those devices, let them know that they have an unprotected Fidelix device open on the internet, and how to fix it. Do not try to break into these devices, or you may find yourself at odds with law enforcement. Let’s get these off the internet together, so that others won’t be able to get in either.
