“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025. I am sure you will appreciate why these few words sparked my interest enough to dedicate time to the presentation; especially given that back in 2019 I delivered a talk on the evolving risk of smart buildings at Segurinfo in Argentina.
The talk at Black Hat, delivered by Gjoko Krstic of Zero Science Lab, focused on one vendor of building management systems and how the evolution of one of their products through various acquisitions caused it to end up being an incredibly vulnerable piece of software. In summary, the talk highlighted that there are over 1,000 buildings around the world that use the vendor’s building management system (BMS) running on a software platform with a long list of vulnerabilities. Compounding the issue, the software is hosted on public-facing IP addresses; thus, it’s accessible from the internet.
In one example, Gjoko explained that the root cause of one vulnerability dates back to an 18-year-old firmware codebase. Through several company acquisitions, and a lack of audit and due diligence on the security aspects of the software during the merger and acquisition process, vulnerabilities appear to have been largely ignored until recently.
Coordinated disclosure has prompted numerous fixes, but the process has resulted in fixing one problem while leaving the root cause intact, thus exposing further vulnerabilities later. The message here is clear: don’t just use a sticking plaster while ignoring the underlying cause. It’s essential that companies conduct full code audits after a vulnerability notification and release a patch to ensure the root cause is identified and resolved.
While the white paper that accompanies the talk offers several messages for software developers of critical infrastructure systems, there is one that I feel needs to be pushed to the front. Back in 2017, my colleagues at ESET published details of one of the first known malware families to target Industrial Control Systems (ICS) and the very first to specifically target power grids. One comment I distinctly remember from the research is that the protocol used by the ICS device concerned was never designed to be connected to the internet.
The talk by Gjoko raised a similar concern: the building management system was not designed to be public facing on the internet, and the vendor recommends securing it behind a virtual private network (VPN).
Asking for trouble
While vulnerabilities in software are, of course, an issue and I commend the detailed research, there is a wider issue: some systems available on public IP addresses should really be protected through additional security layers, such as a VPN.
Building management systems are one example of this. The issue here may stem from building ownership as opposed to tenant control: the landlord may not have the knowledge, resources or risk-averse approach to security that the tenant has; at the same time, the tenant may not realize the significant risk to their business being caused by a lack of security relating to the building services.
The potential risk is significant. For example, a malicious actor who can control and adjust the heat in a server room could cause operational disruption or, by using the fire controls to release all doors, they could let unauthorized people into the building (this sounds a bit Mission: Impossible, but is very plausible). All companies need to ensure the services that form the fabric of their buildings are secured to the same level as their own corporate systems, are patched regularly and audited on a similar cadence to their cybersecurity audits.
There are other types of systems that remain publicly accessible despite overwhelming reasons for them to be behind another security layer. One example is remote desktop protocol (RDP) servers, some without multi-factor authentication, that are still accessible on public IP addresses.
As a principle, if bypassing or compromising a login screen results in direct access to an application or corporate network, then there should be enhanced security using a VPN or similar technology. At some stage, a cybercriminal will find a vulnerability, socially engineer login credentials or brute force access to the system. It’s just a matter of time and is something that is easily avoidable.
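As an added example (not code from the talk, the white paper or ESET), here is a small audit that encodes the principle above against an exported firewall allow-list: it asks whether an arbitrary internet address can reach a management-plane port, using first-match evaluation with a default deny. The BMS web interface port, the VPN address pool and the rule format are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Management-plane services that, per the principle above, belong behind a VPN.
# The BMS web interface port is assumed for this example.
MANAGEMENT_PORTS = {3389: "RDP", 5900: "VNC", 8080: "BMS web interface"}
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")        # assumed corporate VPN pool
PUBLIC_PROBE = ipaddress.ip_address("203.0.113.10")   # any non-VPN internet address


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    port: int      # 0 means any port
    action: str    # "allow" or "deny"


def parse_rules(text: str) -> list[Rule]:
    """Parse lines of '<source-cidr> <port> <allow|deny>'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, port, action = line.split()
        rules.append(Rule(ipaddress.ip_network(src), int(port), action.lower()))
    return rules


def decision(rules: list[Rule], source: ipaddress.IPv4Address, port: int) -> str:
    """First matching rule wins; no match means an implicit deny."""
    for rule in rules:
        if rule.port in (0, port) and source in rule.src:
            return rule.action
    return "deny"


def exposed_management_services(rules: list[Rule]) -> list[tuple[str, int]]:
    """Management ports that an arbitrary internet address is allowed to reach."""
    return [(name, port) for port, name in sorted(MANAGEMENT_PORTS.items())
            if decision(rules, PUBLIC_PROBE, port) == "allow"]


# Constructed sample export; not taken from any real deployment.
SAMPLE_RULES = """
0.0.0.0/0     3389  allow   # RDP reachable from anywhere: this is a finding
10.8.0.0/24   8080  allow   # BMS web interface only from the VPN pool
0.0.0.0/0     8080  deny
0.0.0.0/0     443   allow   # public website, not a management service
"""

if __name__ == "__main__":
    for name, port in exposed_management_services(parse_rules(SAMPLE_RULES)):
        print(f"EXPOSED: {name} (tcp/{port}) is allowed from the public internet")
```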