According to this article, https://www.bleepingcomputer.com/news/security/hvacking-remotely-exploiting-bugs-in-building-control-systems/, security researchers have found a zero-day vulnerability in a popular building controller used for managing various systems, including HVAC (heating, ventilation, and air conditioning), alarms, and pressure levels in controlled environments.
- Discovered using the automated software testing technique called “fuzzing,” the point of failure gives an attacker on the network full control of an unpatched system. They would be in a position to manage the various building controls connected to the vulnerable device.
- The vulnerability is now tracked as CVE-2019-9569 and is a buffer overflow that leads to remote code execution when properly exploited.
- Attacks can be launched even if the location of the target system on the network is unknown.
As we see a rise in smart buildings and smart cities with more connected smart devices and embedded IoT, the attack surface and exposure become much greater. Companies should therefore carefully consider the threats they open themselves up to when exposing devices to the internet. Devices chosen should have security features, such as being able to be updated with patches, allowing default passwords to be changed, and providing some monitoring capabilities.
Additionally, systems such as HVAC should be isolated from the main network and placed behind firewalls and other network security controls to prevent and detect unauthorised connection attempts.
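As an added example of the monitoring side of that advice (not code from the article or the researchers), the script below checks firewall logs for connections into an isolated building-controller segment from any source that is not on an allowlist. The segment addresses, the management host, the log format and the sample log lines are all assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed network layout: building controllers sit in an isolated segment,
# and only the BMS management host may reach them from outside that segment.
BMS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_SOURCES = (
    ipaddress.ip_network("10.10.5.10/32"),  # hypothetical BMS management host
    BMS_SEGMENT,                            # controllers talking to each other
)

# Key=value firewall log format (constructed; adapt the regex to your firewall)
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def unauthorised_attempts(lines):
    """Flag every connection into the controller segment from a non-allowlisted source.

    A denied connection shows someone probing the segment; a permitted one shows a
    gap in the firewall policy and is the more urgent finding.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in other formats
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if dst not in BMS_SEGMENT or any(src in net for net in ALLOWED_SOURCES):
            continue  # not aimed at the controllers, or an expected source
        alerts.append({
            "src": rec["src"], "dst": rec["dst"], "dport": int(rec["dport"]),
            "finding": "policy_gap" if rec["action"] == "permit" else "blocked_attempt",
        })
    return alerts


# Constructed sample log lines (not real traffic; ports are arbitrary)
SAMPLE_LOGS = [
    "2019-08-12T09:00:01 src=10.10.5.10 dst=10.50.0.21 dport=47808 action=permit",
    "2019-08-12T09:00:05 src=10.50.0.21 dst=10.50.0.22 dport=47808 action=permit",
    "2019-08-12T09:01:12 src=10.10.20.33 dst=10.50.0.21 dport=47808 action=deny",
    "2019-08-12T09:02:40 src=203.0.113.7 dst=10.50.0.21 dport=80 action=permit",
    "2019-08-12T09:03:00 src=10.10.20.33 dst=10.10.5.10 dport=443 action=permit",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for alert in unauthorised_attempts(SAMPLE_LOGS):
        print(alert)
```

Run against the sample lines it reports two findings: a blocked probe from a workstation and a permitted connection from an internet address, the latter pointing at a firewall rule that needs fixing.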