Security researchers have found a zero-day bug in a popular building controller that is used for controlling systems such as HVAC, trouble alarms, or pressure-controlled environments. The flaw lies within the enteliBUS Manager (eBMGR) from Delta Controls. The vulnerability was discovered through the use of an automated testing technique called “fuzzing,” which provides invalid, unexpected, or random data as inputs to a computer program in an attempt to find the proper access codes for the vulnerable system. Using this technique, researchers were successful in taking control of the eBMGR and completely take over a building’s control system. The zero-day is now being tracked as CVE-2019-9569 and is a buffer overflow flaw that would lead an attacker to be able to remotely execute code and disrupt building systems. The researchers who found this bug had physical access to the building, but if an attacker knew the IP address of the eMBGR, the hack could be carried out over the internet. Once this flaw is executed successfully, an attacker would be able to see all the devices connected to the controller and operate them at their leisure. The vulnerability has been responsibly reported to Delta Controls and they have provided a security patch.
Users of the eBMGR system are referred to Delta Control’s website to obtain and install the patch as soon as possible. It is also recommended that users isolate the devices of the building from the rest of the network, shield them with a firewall and monitor them for abnormal traffic.