An ex Google employee has found that his former employer had some serious security holes at its new office in Sydney, Australia.
Billy Rios, who now works at insecurity outfit Cylance, was working on a project to identify vulnerable internet facing Industrial Control Systems (ICS).
Writing in his blog, he said that the project is far from complete, but it did net one high profile customer while looking through the scan results.
The scan turned up a Tridium Niagara device on the internet run by Google is using Tridium Niagara for various Building Management Systems (BMS) in the Google Wharf 7 building.
Rios conducted a quick interrogation of the Tridium device, yielding a wealth of information about the specific platform version. Apparently Google was running a slightly outdated version and the QNX operating system running on an embedded device.
Armed with a few pieces of data, Rios used a custom exploit to extract the onfig.bog file which contained the specific configurations for this particular device and usernames and passwords for all the users on the device. This could then be decoded and the building was owned.
Rios rang his mates at Google who gave him no end of hassling, but they did pull the system offline.
He said that it was important that people realise how pervasive these sorts of hacks are. Rios estimates that there are tens of thousands of devices on the internet and thousands of different organisations which could be taken out by hackers.
Rios said that his company has discovered over 25,000 of these systems facing the internet and if Google can fall victim to an ICS attack, anyone can.