OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities

OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.

Four vulnerabilities have been found in the Alerton Compass software (the product’s human-machine interface, or HMI), the Ascent Control Module (ACM), and the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.

SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to National Vulnerability Database entries providing some technical information for each of the four security holes.

The vulnerabilities, two of which have been rated ‘high severity’, can be exploited by sending specially crafted packets to the targeted system. Remote, unauthenticated attackers can make configuration changes or write unauthorized code on the controller, both of which can lead to changes in the controller’s functionality. If an attacker writes malicious code on the controller, the victim will need to overwrite the program in order to restore the original operational function.

The cybersecurity firm pointed out that the malicious changes would not be reflected in the user interface, making it more likely for the attack to go unnoticed.

SecurityWeek has used the Shodan search engine to look for internet-exposed Alerton systems and found 240 results, a wide majority in the United States and a dozen in Canada. Most of the exposed systems are HMIs and controllers.

Yossi Reuven, security research team lead at SCADAfence, confirmed for SecurityWeek that exploitation of the vulnerabilities directly from the internet is possible.

SCADAfence has described several theoretical worst-case scenarios involving exploitation of the vulnerabilities.

Hackers could, for instance, target a building’s management system to cause ‘catastrophic damage’, or they could tamper with temperatures in healthcare, pharmaceutical or food production facilities where maintaining certain temperatures is critical. Malicious actors could also remotely shut down ventilation systems, which could pose a safety risk in manufacturing facilities that work with dangerous chemicals.

SCADAfence says Honeywell is expected to release patches soon. In the meantime, the cybersecurity firm has shared a series of recommendations for impacted Alerton customers, including ensuring that their OT network is isolated, properly configuring building automation system (BAS) firewalls, creating and maintaining ACM baseline configurations, disabling BAS protocols on external network segments, and disabling Ethernet on all ports where it’s not needed.

SecurityWeek has reached out to Honeywell for comment and will update this article if the company responds. 

It is not unheard of for threat actors to target building management systems. Kaspersky reported recently that Chinese hackers used these types of systems as a point of infiltration in an attack aimed at a telecoms company.

UPDATE: Honeywell has provided the following statement:

Security is a top priority at Honeywell, and we are committed to taking all appropriate measures to ensure the highest integrity of our products and services. We are aware of the findings presented by SCADAfence, which did not take into consideration guidance in the Alerton ACM Dealer and End User Security Guides that we shared with them. We have encouraged our Alerton customers to follow our published security guidelines, review their current configuration and make any necessary updates.

UPDATE 2: SCADAfence has published a technical blog post describing the vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
