If you’re indoors and breathing, chances are there’s a heating, ventilating, and air conditioning (HVAC) machine outside. HVAC units keep buildings warm through the winter, cool in the summer, and us breathing fresh oxygen year round. The units are meant to provide comfort, not to endanger us.
A couple of years ago, however, hackers exploited a nearly invisible vulnerability in an HVAC system to break into the internal networks of a major retailer. Using infectious malware, they boosted network credentials from the HVAC systems vendor that kept air circulating through the retailer’s building. With those credentials in hand, they had their way in—a license to steal, using nothing but keystrokes and code.
Install malware to steal credentials. Exploit web application vulnerability. Search relevant targets for propagation. Steal access token. Create new admin credentials. Propagate to relevant computers. Install malware. Steal PII. Install malware. Steal 40 million credit cards. Mission accomplished. [0101] <G:\blackhat\goal: accomplished>
Meet the 21st-century bank robber.