What's Happening?
Security researcher Gjoko Krstic has reported a significant weakness in Honeywell's IQ4 building management controller: its web-based human-machine interface (HMI) is, according to him, reachable without authentication in its default configuration. On a controller left that way, a remote attacker could create an administrator account, which gives full control of the device and can lock out legitimate users. Schools, commercial buildings and other facilities running the product would be affected. Honeywell disputes the severity: the IQ4 is designed for on-premises use and should never be exposed to the internet, security is enabled by default when the product is installed correctly, and a controller that has been tampered with can be recovered by a standard reset. Against that, Krstic reports finding nearly 7,500 internet-exposed IQ4 instances, roughly 20% of which answer without any authentication, so whatever the intended default, a sizeable number of deployed units are both reachable and open.
Why It's Important?
The finding illustrates the recurring problem with building automation systems: they are designed for a trusted local network, yet they keep turning up on the public internet, and they are increasingly targeted. An unauthenticated HMI that lets anyone create an administrator account is not a subtle bug; it hands over control of whatever the controller manages, with consequences for both safety and operations. The disagreement between Krstic and Honeywell also shows how hard it is to assign severity when a vendor's threat model (local control only) and the observed deployments (thousands of units on the internet) do not match. Whichever side one takes, the 7,500 exposed instances mean the practical risk is real for the schools and commercial buildings concerned, and the burden falls on operators to verify that their controllers are configured and segmented as the vendor assumes.
What's Next?
A Common Vulnerabilities and Exposures (CVE) identifier for the issue is pending, and Krstic has asked the CERT Coordination Center at Carnegie Mellon University to mediate the disclosure. That process may bring further scrutiny and could prompt Honeywell to issue patches, firmware updates or revised guidance. In the meantime, building managers and IT security staff should not wait for a fix: check whether any IQ4 HMI is reachable from the internet, move it behind a VPN or otherwise off the public network (which is the deployment Honeywell itself describes), and confirm that the web interface actually demands credentials rather than assuming the default did so. The episode is also likely to feed a broader industry discussion about how building management systems should be secured and who is responsible when the vendor's assumed deployment and the real one diverge.
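For an operator who wants to check their own controllers the way Krstic's survey did, the following is an added example, not code from the article, from Krstic or from Honeywell. It fetches the root of each HMI URL with no credentials and classifies the response. It assumes nothing about the IQ4's real URL layout or page content: the login and control-page markers, the probe logic and the sample responses are all assumptions made for this illustration, and the URLs are placeholders to be replaced with your own inventory.

```python
"""Triage helper: does a web HMI answer without credentials?

Added example for this article, not Honeywell's or the researcher's code.
Everything product-specific (paths, page markers) is an assumption.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

# ASSUMPTION: text that usually means a login gate rather than an HMI page.
LOGIN_MARKERS = re.compile(r"(type=[\"']password[\"']|\blogin\b|\bsign in\b)", re.I)
# ASSUMPTION: text that usually means a management page rendered without any login step.
CONTROL_MARKERS = re.compile(r"(setpoint|schedule|alarm|\busers?\b|admin)", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """Classify one HTTP response from an HMI root fetched without credentials.

    Returns one of: gated-http-auth, gated-login-redirect, redirect, forbidden,
    gated-login-form, exposed-no-auth, reachable-unclassified, unknown.
    """
    h = {k.lower(): v for k, v in (headers.items() if headers else [])}
    if status in (401, 407) or "www-authenticate" in h:
        return "gated-http-auth"
    if status in (301, 302, 303, 307, 308):
        location = h.get("location", "")
        return "gated-login-redirect" if LOGIN_MARKERS.search(location) else "redirect"
    if status == 403:
        return "forbidden"
    if status == 200:
        if LOGIN_MARKERS.search(body):
            return "gated-login-form"
        if CONTROL_MARKERS.search(body):
            # A page with operational controls and no login form: the case Krstic describes.
            return "exposed-no-auth"
        return "reachable-unclassified"
    return "unknown"


def probe(url, timeout=5):
    """Fetch url with no credentials and classify it. Returns (status, classification)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificates are common on BMS gear
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=ctx)
    )
    req = urllib.request.Request(url, headers={"User-Agent": "hmi-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, classify(resp.status, resp.headers, body)
    except urllib.error.HTTPError as e:
        # 3xx (because of _NoRedirect), 401, 403 and so on all land here.
        body = e.read(65536).decode("utf-8", "replace")
        return e.code, classify(e.code, e.headers, body)
    except (urllib.error.URLError, OSError) as e:
        return None, f"unreachable: {e}"


if __name__ == "__main__":
    # Placeholder URLs; replace with the HMI addresses from your own asset inventory.
    targets = sys.argv[1:] or ["https://192.0.2.10/", "http://192.0.2.11/"]
    for url in targets:
        status, verdict = probe(url)
        print(f"{url}\t{status}\t{verdict}")
```

Only `exposed-no-auth` is a finding; `gated-*` results mean a credential check is in the way, and `reachable-unclassified` needs a manual look because the page did not match either set of assumed markers. Run it only against controllers you are responsible for, and treat a hit as a reason to pull the device off the public network first and investigate second.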