HVACking: Remotely Exploiting Bugs In Building Control Systems

By ISBuzz Team, Writer, Information Security Buzz | Aug 13, 2019 01:39 pm PST

According to this article, https://www.bleepingcomputer.com/news/security/hvacking-remotely-exploiting-bugs-in-building-control-systems/, security researchers have found a zero-day vulnerability in a popular building controller used to manage various systems, including HVAC (heating, ventilation, and air conditioning), alarms, and pressure levels in controlled environments.

  • Discovered using the automated software-testing technique called “fuzzing,” the flaw gives an attacker on the network full control of an unpatched system, putting them in a position to manage the various building controls connected to the vulnerable device.
  • The vulnerability is now tracked as CVE-2019-9569 and is a buffer overflow that leads to remote code execution when properly exploited.
  • Attacks can be launched even if the location of the target system on the network is unknown.
Javvad Malik, Security Awareness Advocate | August 13, 2019 9:42 pm

As we see a rise in smart buildings and smart cities with greater connected smart devices and embedded IoT, the attack surface and exposure become much greater. Companies should therefore carefully consider the threats they open themselves up to when having internet-accessible devices. Devices chosen should have security features, such as being able to be updated with patches, allow changing of default passwords, and provide some monitoring capabilities.

Additionally, systems such as HVAC should be isolated from the main network and placed behind firewalls and other network security controls to prevent and detect unauthorised connection attempts.

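The comment above recommends isolating HVAC and similar controllers behind firewalls and using those controls to detect unauthorised connection attempts. The following is an added example, not code from the article or from the commenter, showing what the detection half of that advice looks like in practice: a small checker that reads firewall flow logs and flags any connection into the building-automation segment that does not come from an allowlisted management host. The segment addresses, the management hosts, the key=value log format and the sample log lines are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed policy for the example: the building-automation (HVAC) segment,
# the internal address space, and the only hosts allowed to reach the segment.
# All addresses are assumptions, not values from the article.
BAS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_MANAGEMENT_HOSTS = {ipaddress.ip_address("10.10.1.5"),
                            ipaddress.ip_address("10.10.1.6")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str  # "allow" or "deny", as logged by the firewall


def parse_flow(line: str) -> Flow:
    """Parse one key=value firewall log line (constructed format) into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(
        ts=fields["ts"],
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        dport=int(fields["dport"]),
        action=fields["action"],
    )


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside the organisation's RFC 1918 space."""
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the flow violates the segmentation policy, else None.

    A violation the firewall *allowed* means the isolation is not working and is
    rated high; a denied attempt is still reported, because it shows something
    probing the controls segment and is exactly what the firewall is there to detect.
    """
    if flow.dst not in BAS_SEGMENT:
        return None                      # not traffic into the controls segment
    if flow.src in BAS_SEGMENT:
        return None                      # controller-to-controller traffic inside the segment
    if not is_internal(flow.src):
        reason = "internet-sourced connection to BAS segment"
    elif flow.src not in ALLOWED_MANAGEMENT_HOSTS:
        reason = "non-allowlisted internal host connecting to BAS segment"
    else:
        return None                      # permitted management host
    severity = "high" if flow.action == "allow" else "medium"
    return severity, reason


def find_violations(log_lines: Iterable[str]) -> List[Tuple[str, str, Flow]]:
    """Run every non-empty log line through the policy and collect the findings."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            findings.append((*verdict, flow))
    return findings


# Constructed sample firewall log; not from the article or any real device.
SAMPLE_LOG = """
ts=2019-08-13T14:01:02Z src=10.10.1.5 dst=10.50.0.20 dport=443 action=allow
ts=2019-08-13T14:01:09Z src=10.20.7.44 dst=10.50.0.20 dport=80 action=allow
ts=2019-08-13T14:02:15Z src=203.0.113.7 dst=10.50.0.20 dport=80 action=deny
ts=2019-08-13T14:02:40Z src=10.50.0.21 dst=10.50.0.20 dport=8080 action=allow
ts=2019-08-13T14:03:01Z src=10.20.7.44 dst=10.10.1.5 dport=443 action=allow
"""

if __name__ == "__main__":
    for severity, reason, flow in find_violations(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
              f"({flow.action}): {reason}")
```

On the sample log the checker reports two findings: the allowed connection from an ordinary workstation (10.20.7.44) into the controls segment, which indicates the isolation rule is missing or too broad, and the denied attempt from an external address, which the firewall stopped but which should still raise an alert. The internal address ranges are matched explicitly rather than via `ipaddress.is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as private and would hide the external probe.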
