Royal Courts of Justice HVAC programs had unsecured Wi-Fi AP • The Register
The Justice Department has secured a number of Wi-Fi access points that may allow administrators to access industrial control equipment, according to a tip from The Register.
Four unsecured wireless networks named Boiler Pump 1 through Boiler Pump 4 were freely accessible in the Royal Courts of Justice (RCJ) until The Register informed officials what was going on.
The nets were all visible from the ground floor of the Queen’s Building, an extension of the original 1960s neo-Gothic courthouse. The RCJ is home to the UK’s highest civil courts, including the Court of Appeal.
A source told us that connecting to the passwordless access points exposed a login page for what appeared to be an industrial control system developed by Armstrong Fluid Technology. Armstrong’s website contains PDF copies of equipment manuals with default administrator passwords, which Armstrong calls “Level 2” access.
“Level 1 allows the user to change the operating parameters and reset them to the factory settings, but not save them as the factory settings in the manual, just before we reveal the fairly simple Level 2 password, which we will not reveal here.
A malicious person who connected to the unsecured access point and looked at the branding of the pumps login portal could easily have added two and two and given administrator access to the pumps. Their shutdown could have caused the water pipes to freeze overnight as winter sets in, potentially forcing the building to shut down * and delays in legal proceedings.
Her Majesty’s Courts and Tribunals Service spokesman Jake Conneely told The Register, “The staff has taken immediate action to ensure that these facilities are inaccessible and that security is maintained across the courts.”
We have been informed that the WLAN access points have been deactivated until further notice.
A tech-savvy attacker could use the access to the pumps as a starting point for further network exploitation. Such pivots of harmless devices are routine for ransomware attackers as well as for hostile nation states, as compromises with a focus on digital supply chains have shown in recent years. One such attack was targeted at Accellion’s Internet-connected file transfer devices.
A knowledgeable source from a pentesting company who did not name The Register because they did not speak on behalf of their employer confirmed that HVAC system components typically come with a Wi-Fi access point for local access by maintenance companies . They suggested wiring the boiler pump control into a larger building heating, ventilation, and air conditioning (HVAC) facility that permanent staff can remotely access.
The existence of the vulnerability is surprising: As the largest and most prestigious civil court in the country, the RCJ complex is a public space, which means that those responsible for the RCJ HVAC systems should expect others to be able to use the unsecured wireless access points . They may also have been visible from a public road that runs behind the Queen’s Building.
Airport-style security checkpoints at the main entrance of the RCJ will search anyone who enters. The age-old right of every Briton to enter a courtroom and sit in the public stands to watch the proceedings means that physical access to the Queen’s Building is impossible.
As far as we know, pump access has not been maliciously exploited – but if you’ve had a particularly cold day in court recently, it may be worth asking why. ®
* Or maybe not, as the Evening Standard’s court correspondent said today:
It’s ridiculously cold at Inner London Crown Court this morning where the jury has been told they can keep their hands, coats and gloves on if they want.
If this happened in an office building, or maybe the Justice Department headquarters, people would be angry …
– Tristan Kirk (@kirkkorner) November 22, 2021