Cisco warned today of vulnerabilities in their Cisco Network Building Mediator products. These products are used to remotely connect building systems to an IT-controlled monitoring panel. The system controls building lighting, HVAC, security and energy systems.
According to an article on The Register:
No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems. “Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated. The notice also warned that the vulnerabilities are present in the legacy products from Richards-Zeta, the Cisco-acquired company that originally designed the system. The bugs were discovered during internal testing.