Homeland Security has given the maximum severity score for a vulnerability in a popular smart building automation system.
Optergy’s Proton allows building owners and managers to remotely monitor energy consumption and manage who can access the premises. The box is web-connected, and connects to other devices — like air conditioning and heating — in the building for real-time monitoring through a web interface.
CISA, the government’s dedicated cybersecurity unit, said the device had serious vulnerabilities.
An advisory said an attacker could gain “full system access” through an “undocumented backdoor script.” This, the advisory said, could allow the attacker to run commands on a vulnerable device with the highest privileges. Backdoors typically grant hidden or undocumented access to a system, and can be used for tech support to remotely login and troubleshoot issues. But if found by an attacker, backdoors can also be used maliciously.
The vulnerability required a “low level” of skill to remotely exploit, and was rated 10.0, the highest score on the industry standard common vulnerability scoring system.
The advisory noted several other bugs, one of which was rated with a score of 9.9.
Although 10.0 scores are not unheard of, they are not common in everyday technology. 10.0 scores rely on vulnerabilities that can have a significant impact on the system’s integrity and availability, or put data on the affected system at high risk of damage or theft.
Gjoko Krstic, a security researcher at Applied Risk who reported the vulnerabilities to Optergy, told TechCrunch that the bug was “very, very bad” and “easy to exploit.” According to Krstic, there are 50 buildings vulnerable at the time of writing. His findings were presented last month in Amsterdam at Hack In The Box, a security conference, as part of wider issues with four other vendors — including Opertgy.
By exploiting the vulnerability, it’s possible to “shut down a building with one click,” he said at his talk.
Optergy president Steve Guzelimian said the company fixed the issues but wouldn’t confirm how many devices were affected. The company says it serves more than 1,800 facilities.
“We fix everything brought to our attention as well as do our own regular testing,” he said.