Homeland Security warns: Hackers targeting popular Niagara software

Millions of machines and devices over the Internet are managed through Niagara Framework. Now, the Department of Homeland Security is alerting organizations around the world that the software is vulnerable to hacker attacks.

Whether you are a business, a military organization or healthcare provider using Niagara to remotely control or monitor your medical devices, elevators, video cameras and security systems, you should immediately prohibit guest users, bolster passwords and cut off direct access to the Internet. These steps may prevent hackers from exploiting your configuration and software flaws, cybersecurity officials warned on Friday, according to the Washington Post.The alert comes hot on the heels of Thursday’s report by the same newspaper describing the vulnerabilities of the Niagara software that were discovered by two security specialists, Billy Rios and Terry McCorkle. According to the report, potential intruders could access files containing user names and passwords using a common hacker technique known as “directory traversal attack.”In a private alert, Niagara’s maker, the Richmond-based company Tridium, warned its customers last week about these potential security issues. It was only last Thursday that it first came up with a public alert – months after it was first notified of the potential problem.Tridium’s parent company, Honeywell, issued its own statement on Friday in response to the alert.“We’ve released a security alert guiding our customers how to verify that their system is properly configured to protect against directory traversal. In addition, we will soon be providing a software update that hardens those settings against inadvertent user changes,” says the statement.In a blog post cited in the department’s cyberalert, Rios praised the DHS for its efforts but criticized Tridium for the delay. DHS officials explained, however, that they had delayed the warning to allow Tridium to work on fixing the problems.