LAS VEGAS – Critical internet-connected smart building devices used in countless commercial and industrial properties, have been found to be vulnerable to a new malicious attack, according to cybersecurity researcher Bertin Bervis.

The vulnerability exploits the properties in the building automation protocol (Bacnet) which enables technicians and engineers performing monitoring, setup changes and remote control of a wide range of key smart systems that impact temperature control, and other monitoring systems. Bervis analyzed several building automation devices with built-in web applications for remote monitoring and control. They were disclosed to manufacturers who didn’t respond.

The research “Mixing industrial protocols with web application flaws in order to exploit devices connected to the internet. was presented at the DEF CON IoT Village at the  Flamingo Hotel.  DEF CON IoT Village is organized by security consulting and research firm Independent Security Evaluators.

The attacker is able to maliciously modify the system’s web application code by injecting javascript code in the Bacnet device, abusing the read/write properties from the Bacnet protocol itself.  The code is stored in the Bacnet database helping the attacker to achieve persistence on browser devices that are used in building environments or industrial facilities that connect via BACnet.

The web applications allow malicious code modification in specific elements taken directly from the protocol level user interaction and protocol level database information changes, which means any data change performed directly from protocol interaction can modify pieces of code in the whole web application in a persistent way.

“Remote attackers can jump from that point to another using this technique to steal sensitive information from technicians or engineers who interacts directly with the infected devices,” Bervis says. “It opens a new door for remote attacks without touching or interacting with the web application in those devices. The attacker only needs an insecure building automation protocol to modify the data.”

Bertin Bervis is an independent cyber security researcher from Costa Rica. He has been a featured speaker at DEF CON, Ekoparty and other technical conferences worldwide. His research is focused on internet-connected devices and industrial protocols and is focused on analyzing web servers on the wild and exploiting their vulnerabilities.