The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

On Trend - Can Hackers Turn The Heat Off?

15 December 2017

Ken Munro of Pen Test Partners has written a blog; the original, with more pictures, can be read on the Pen Test Partners website.

Munro says he has found weaknesses in a number of BMS modules that will allow hackers to turn the heat off...or get up to even more mischief if they wish.

The blog is reproduced here with minor edits, reordering and redactions. ThisWeekinFM does not approve, corroborate or endorse Munro's statements.


It’s cold out there today isn’t it? Good job offices and schools are lovely and toasty thanks to well maintained heating systems. I mean, if someone were to find a way to hack them, over the internet and turn them off it could cause mild chaos. Which reminded me…

Way back in 2006, I was given a Trend IQ3 Building Management System (BMS) controller. My interest was piqued as these devices were being installed in Heathrow’s Terminal 5, according to the manufacturer’s press release.

Smart building controllers manage door access control, heating, ventilation and air conditioning and much more. Remember the Target breach in the US? The ingress point was believed to be their HVAC management company.

I’ve just taken delivery of a used 2013 model of the same controller and a brand new 2017 controller from the same vendor. So, has anything improved?

Yes and no. The controller security has improved some but we’ve found large numbers installed on the public internet, unprotected, with complete authentication bypass in some cases!

We found them in military bases, schools, government buildings, businesses and large retailers, among many others. These organisations are ripe for compromise.

We also found some that had already been compromised to a point by malware. Further compromise would be trivial.


It’s about lax installers NOT vendors

Most of these issues have been caused by HVAC & BMS installers, rather than the vendor. The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though.

I tried to disclose responsibly at the time but got nowhere with the vendor. The story had a little coverage in the press – smart buildings weren’t a big thing at the time.

I presented the findings to GCHQ and the industry at the old CHECKCON conference too.


The vulnerabilities we found

The 2006 IQ3 Excite building management controller. Here’s a list of what we found on it:

Plaintext authentication – authentication bypass for the embedded web server (see below).

Reflected XSS on various parameters (reported again in 2013 by Darius Freamon, 7 years after it was first found).

Trivial session hijacking through incremental session IDs (the ID simply increments with every request).

And a really fun memory leak into broadcast UDP packets – ‘test1’ was the password that had been set.

Trivial fuzzing causes a DoS and possibly a buffer overflow. When fuzzed over FTP with APPE $P at size 513, the FTP server crashes. But even more amusingly, $P is then found being broadcast over the network from the controller, which is clearly operating in a very odd state.
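The incremental session ID finding above is the kind of thing an operator can check on their own controller without any vendor tooling. The following is an added example, not code from the original blog or from Trend Controls: it shows how a session identifier should be generated (from the OS CSPRNG, never from a counter) and a small audit that flags a set of observed session IDs as a counter. The sample IDs are constructed and the 16-step tolerance is an assumption of this example.

```python
import secrets
from typing import List, Optional

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG


def new_session_id() -> str:
    """Generate an unguessable session identifier (random bytes, never a counter)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def _as_int(token: str) -> Optional[int]:
    # Accept purely decimal or hex-looking IDs; anything else cannot be a simple counter.
    for base in (10, 16):
        try:
            return int(token, base)
        except ValueError:
            continue
    return None


def looks_sequential(observed: List[str]) -> bool:
    """True if consecutive IDs issued by the server differ by one small constant step."""
    values = [_as_int(t) for t in observed]
    if len(values) < 3 or any(v is None for v in values):
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    # One step size shared by every pair, and small (assumed tolerance: 1..16).
    return len(steps) == 1 and 0 < steps.pop() <= 16


def audit_session_ids(observed: List[str]) -> str:
    """Return a verdict string for a batch of session IDs captured from your own logins."""
    if looks_sequential(observed):
        return "FAIL: session IDs are a counter; any logged-in session can be guessed"
    if len(set(observed)) != len(observed):
        return "FAIL: session IDs repeat"
    if min(len(t) for t in observed) < 16:
        return "WARN: session IDs are short; entropy may be insufficient"
    return "PASS: no trivial pattern found (not a proof of randomness)"


# Constructed sample: IDs seen across four consecutive logins to an old controller.
LEGACY_IDS = ["100231", "100232", "100233", "100234"]

if __name__ == "__main__":
    print(audit_session_ids(LEGACY_IDS))
    print(audit_session_ids([new_session_id() for _ in range(5)]))
```

The audit only catches the trivial case the blog describes; a PASS means "not obviously a counter", which is why the fix is to generate IDs with `secrets` rather than to keep testing a home-grown scheme.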


Manufacturer security advice

Trend Controls, the manufacturer, offers some reasonable advice for installers. They make the point that these devices should be on isolated subnets and never exposed to the internet.

That’s good advice, though what efforts have Trend Controls made to audit their installers and ensure they aren’t installing insecurely? It took me less than 10 seconds to find >1000 exposed, vulnerable Trend controllers.

This advice also assumes that the threat is only from an attacker on the public internet. These controllers are found in quiet areas of buildings, hopefully in locked plant rooms and electrical panels. Ideal for the social engineer. Also, compromise the guy who manages the building, pop his PC and you can potentially unlock doors to order.
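The vendor guidance above (isolated subnet, never internet-facing) and the installer failings the blog describes (FTP left on, default or blank credentials, plaintext web login) can be written down as checks and run against a site’s controller inventory. The block below is an added example, not Trend Controls’ or Pen Test Partners’ code; the BMS subnet, the weak-credential list and the three inventory entries are all constructed for illustration, and the `internet_reachable` flag is assumed to come from whatever external reachability check the site already performs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: this site's BMS controllers are supposed to live only on this isolated VLAN.
BMS_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]

# Credential pairs that should never be left on a controller (illustrative list).
WEAK_CREDENTIALS = {("admin", "admin"), ("guest", "guest"), ("", "")}


@dataclass
class Controller:
    name: str                              # label shown on the embedded web page
    address: str                           # management IP as recorded in the inventory
    services: List[str]                    # e.g. ["http", "ftp"]
    web_login: Optional[Tuple[str, str]]   # (user, password) as configured; None = none set
    internet_reachable: bool               # from an external reachability check (assumed)


def audit_controller(c: Controller) -> List[str]:
    """Apply the vendor's deployment guidance as checks and return the violations."""
    findings: List[str] = []
    ip = ipaddress.ip_address(c.address)
    if c.internet_reachable:
        findings.append("reachable from the internet")
    if not any(ip in net for net in BMS_SUBNETS):
        findings.append("not on the isolated BMS subnet")
    if "ftp" in c.services:
        findings.append("FTP enabled (plaintext credentials)")
    if "http" in c.services and "https" not in c.services:
        findings.append("web UI only over plaintext HTTP")
    if c.web_login is None:
        findings.append("no web login configured")
    elif c.web_login in WEAK_CREDENTIALS:
        findings.append("default or blank web credentials")
    return findings


def audit_inventory(inventory: List[Controller]) -> Dict[str, List[str]]:
    """Map each controller name to its list of findings (empty list = compliant)."""
    return {c.name: audit_controller(c) for c in inventory}


# Constructed sample inventory; none of these are real devices or addresses.
INVENTORY = [
    Controller("Block A boiler house", "10.50.3.21", ["https"],
               ("bms_ops", "S0me-long-passphrase"), False),
    Controller("Block B AHU", "10.50.3.22", ["http", "ftp"],
               ("admin", "admin"), False),
    Controller("Site plant room", "203.0.113.45", ["http", "ftp"], None, True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it from the same source of truth the installer hands over at commissioning; a controller that appears in the audit with no findings but that Shodan can see is a sign the inventory, not the controller, is wrong.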


IQ3 Excite 2013 model, used

I bought this used from eBay. The firmware version was more recent and most of the significant flaws had been fixed. Authentication bypass was still possible in default configuration.


IQ412 Excite, latest 2017 model, new and unused

The XSS from 2006 has now been fixed, though we think there’s still a convoluted XSS present. There’s also plenty of opportunity for CSRF. Auth bypass was still present. If the ‘guest’ user has not been created, anyone can add it.


Shodan searches couldn’t be better suited to finding these controllers. Installers helpfully name the controllers right at the top of the embedded web server home page. With a search for the names of a couple of types of controller I got greater than 1,000 hits without trying hard.


Compromised controllers, serving malware?

Many of these controllers also have FTP enabled, often with simple, default or blank credentials. Whilst clicking through the web UI of a BMS controller, anti-virus popped up. On poking around further, it appears that a number of these controllers have been compromised over FTP by a crypto mining worm: Win32/Crytes.

We don’t think that the worm can actually execute on the controller, but it has successfully dropped an infection marker into the web page covering network config (modules | networks). We found the same marker on multiple controllers on the internet. Whilst on this occasion the vendor/installer/clients have dodged a bullet, it would not be difficult to write malware that did successfully infect these controllers.


Searching for other BMS controller brands

Trend Controls aren’t the only BMS controllers we’ve found available on the public internet. Useful Shodan searches include:

“G50” – the Mitsubishi G50 BMS

“Saia PCD BMS Web Server” – this features plaintext login. There’s no username, just a password!

“Conquest BACnet Controller” – default creds of admin/admin are common

“BACnet Communication Module”

“ACP BACnet”

“Distech Controls BACnet Router Configuration”

“Server: BACnet4Linux”

“SIP Modbus Trend”

Not really a BMS, but searching for “webrelay” will find you very simple, insecure online relays. Amusingly, we’ve found that the relays will actually trigger if you port scan them hard! We achieved this consistently on two we bought for testing.



Building management systems are often installed by electricians and HVAC engineers who simply don’t understand security.

Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. Whilst you’re there, ask about your door controllers and your IP alarm systems.

BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible.

Picture: Main - for illustration. Below - Ken Munro’s 'hacked' BMS controllers


Article written by Ken Munro of Pen Test Partners | Published 15 December 2017

