Like most modern devices, building controllers have increasingly become network connected, exposing them to a wider range of threats. If malicious actors could manipulate access control systems, boiler rooms, or temperature control for critical industrial systems, the potential for catastrophic damage is extreme.
McAfee’s ATR team has discovered a 0-day vulnerability in a major building controller. This controller is a fully programmable native BACnet™ device designed to manage a wide range of building systems. By modifying BACnet broadcast traffic, a buffer overflow can be leveraged into a write-what-where (WWW) condition. This WWW leads to execution control, providing the attacker with a root shell and complete control over the device remotely. Because this attack vector is through BACnet broadcast traffic, there is no authentication mechanism for the target device, allowing anyone on the same network to communicate with it directly and exploit the vulnerability without authentication. Currently, there are over 500 of these devices connected to the internet running in BACnet/IP Broadcast Management Device (BBMD) mode. Utilizing this mode, broadcast traffic can travel over the internet, increasing the potentially devastating impact of this vulnerability.
This presentation will include a deep technical analysis of the vulnerability discovery process and demos illustrating an attack in a critical scenario. Finally, we will discuss the steps taken by the vendor to patch this vulnerability and demonstrate its effectiveness.
Douglas McKee is a senior security researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement. Douglas recently presented his research focused on hacking medical devices at DEF CON 26.
Mark Bereza is a security researcher and new addition to McAfee’s Advanced Threat Research team. A recent alumnus of Oregon State’s CS systems program, Mark’s work has focused primarily on vulnerability discovery and exploit development for embedded systems.