HVACking: Remotely Exploiting Bugs In Building Control Systems

According to this article, https://www.bleepingcomputer.com/news/security/hvacking-remotely-exploiting-bugs-in-building-control-systems/, Security researchers have found a zero-day vulnerability in a popular building controller used for managing various systems, including HVAC (heating, ventilation, and air conditioning), alarms, or pressure level in controlled environments.

  • Discovered using the automated software testing technique called “fuzzing,” the point of failure gives an attacker on the network full control of an unpatched system. They would be in a position to manage the various building controls connected to the vulnerable device
  • The vulnerability is now tracked as CVE-2019-9569 and is a buffer overflow that leads to remote code execution when properly exploited
  • Attacks can be launched even if the location of the target system on the network is unknown

Experts Comments

August 13, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
As we see a rise in smart buildings and smart cities with greater connected smart devices and embedded IoT, the attack surface and exposure becomes much greater. Companies should therefore carefully consider the threats they open themselves up to when having internet-accessible devices. Devices chosen should have security features, such as being able to be updated with patches, allow changing of default passwords, and provide some monitoring capabilities. Additionally, systems such as HVAC.....Read More
As we see a rise in smart buildings and smart cities with greater connected smart devices and embedded IoT, the attack surface and exposure becomes much greater. Companies should therefore carefully consider the threats they open themselves up to when having internet-accessible devices. Devices chosen should have security features, such as being able to be updated with patches, allow changing of default passwords, and provide some monitoring capabilities. Additionally, systems such as HVAC should be isolated from the main network and placed behind firewalls and other network security controls to prevent and detect unauthorised connection attempts.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.