Building Systems at Risk Due to Cisco Bug

Cisco warned today of vulnerabilities in its Cisco Network Building Mediator products. These products are used to remotely connect building systems to an IT-controlled monitoring panel. The system controls building lighting, HVAC, security and energy systems.

According to an article on The Register:

No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems.

“Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated. The notice also warned that the vulnerabilities are present in the legacy products from Richards-Zeta, the Cisco-acquired company that originally designed the system. The bugs were discovered during internal testing.

When I worked at an electrical engineering company, these devices were just coming out. The ones that I saw were simpler and only read data; they did not allow remote control. They were interesting because management could see in real time on their desktop what the building energy supply and loads were. They were great for forecasting energy use and supply.

Allowing control of these systems via computer was the next logical step, but bugs that allow a hacker remote control of your electrical and lighting systems are a serious issue, especially in large metropolitan buildings.

3 thoughts on “Building Systems at Risk Due to Cisco Bug”

  1. Within the industry, how likely is it that implementers of this device would have put it on a separate network or management VLAN that isn’t accessible by desktop users or connected to the Internet?

    1. Now that just makes sense. But in all honesty, probably not very likely. When you have companies that insist on having a plain vanilla webserver connected to their network when a hosted one would work just as well, anything is possible.

      By the way, I read the preview of your book, it looks very good. For those interested OWNED: Why hacking continues to be a problem is available on Mister Reiner’s website.

      1. Thank you for answering my question, the kind words and the link. If you would like a complimentary copy of the book, send me an email.
