
OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities

OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.


The four vulnerabilities affect the Alerton Compass software (the product's human-machine interface, or HMI), the Ascent Control Module (ACM) controller, and the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.

SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to National Vulnerability Database entries providing some technical information for each of the four security holes.

The vulnerabilities, two of which have been rated 'high severity', can be exploited by sending specially crafted packets to the targeted system. A remote, unauthenticated attacker can make configuration changes or write unauthorized code to the controller, either of which alters the controller's behavior. If an attacker writes malicious code to the controller, the victim must overwrite the program to restore its original operational function.

The cybersecurity firm pointed out that the malicious changes would not be reflected in the user interface, making it more likely for the attack to go unnoticed.

SecurityWeek used the Shodan search engine to look for internet-exposed Alerton systems and found 240 results, the vast majority in the United States and a dozen in Canada. Most of the exposed systems are HMIs and controllers.

Yossi Reuven, security research team lead at SCADAfence, confirmed for SecurityWeek that exploitation of the vulnerabilities directly from the internet is possible.

SCADAfence has described several theoretical worst-case scenarios involving exploitation of the vulnerabilities.

Hackers could, for instance, target a building’s management system to cause ‘catastrophic damage’, or they could tamper with temperatures in healthcare, pharmaceutical or food production facilities where maintaining certain temperatures is critical. Malicious actors could also remotely shut down ventilation systems, which could pose a safety risk in manufacturing facilities that work with dangerous chemicals.

SCADAfence says Honeywell is expected to release patches soon. In the meantime, the cybersecurity firm has shared a series of recommendations for impacted Alerton customers, including ensuring that their OT network is isolated, properly configuring building automation system (BAS) firewalls, creating and maintaining ACM baseline configurations, disabling BAS protocols on external network segments, and disabling Ethernet on all ports where it’s not needed.
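Two of the points above fit together: the malicious configuration or program changes are not reflected in the user interface, so the HMI cannot be trusted to reveal them, and SCADAfence's mitigations include creating and maintaining ACM baseline configurations. The following Python is an added example (not SCADAfence's, Honeywell's or Alerton's code) of how such a baseline is useful in practice: read back the controller's configuration and program digest by whatever out-of-band means the vendor supports, then compare the read-back against the stored baseline and flag every point that changed, appeared or vanished. The snapshot layout, point names, controller name and the idea of a `program_sha256` field are all assumptions constructed for the example; a real deployment would replace the two dictionaries with data pulled from the controller and the saved baseline.

```python
"""Drift check for a building-controller baseline configuration (added example)."""
import hashlib
import json

# Constructed sample data, not real Alerton/ACM output: a stored baseline for
# one controller and a later read-back of the same controller.
BASELINE = {
    "controller": "acm-01",
    "firmware": "1.0.0",
    "program_sha256": "a" * 64,            # digest of the approved program image
    "points": {
        "AHU1_SAT_SP": {"value": 55.0, "units": "degF"},
        "AHU1_FAN_CMD": {"value": 1, "units": "bool"},
    },
}

CURRENT_READBACK = {
    "controller": "acm-01",
    "firmware": "1.0.0",
    "program_sha256": "b" * 64,            # program image was rewritten
    "points": {
        "AHU1_SAT_SP": {"value": 55.0, "units": "degF"},
        "AHU1_FAN_CMD": {"value": 0, "units": "bool"},   # fan commanded off
        "DEBUG_HOOK": {"value": 1, "units": "bool"},     # point absent from baseline
    },
}


def canonical_digest(snapshot):
    """SHA-256 over a canonical JSON encoding, so key order never changes the digest."""
    data = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _flatten(obj, prefix=""):
    """Turn nested dicts into dotted-path keys, e.g. points.AHU1_SAT_SP.value."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}{key}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_snapshots(baseline, current):
    """Return (path, baseline_value, current_value) for every differing leaf.

    A leaf present on only one side shows None for the missing side, so added
    and removed points are reported alongside modified ones.
    """
    base, cur = _flatten(baseline), _flatten(current)
    changes = []
    for path in sorted(set(base) | set(cur)):
        if base.get(path) != cur.get(path):
            changes.append((path, base.get(path), cur.get(path)))
    return changes


def check_drift(baseline, current):
    """Compare a controller read-back against its baseline and build a report."""
    changes = diff_snapshots(baseline, current)
    return {
        "controller": current.get("controller"),
        "baseline_digest": canonical_digest(baseline),
        "current_digest": canonical_digest(current),
        "drifted": bool(changes),
        "changes": changes,
    }


if __name__ == "__main__":
    report = check_drift(BASELINE, CURRENT_READBACK)
    print(f"{report['controller']}: drifted={report['drifted']}")
    for path, old, new in report["changes"]:
        print(f"  {path}: {old!r} -> {new!r}")
```

Run periodically against every controller and alert on any `drifted` report; the digest pair gives a compact value to log, while the change list tells the responder exactly what to restore. Since the HMI may not show the tampering, the read-back should come from the controller itself rather than from the HMI's cached view.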

SecurityWeek has reached out to Honeywell for comment and will update this article if the company responds. 

Attacks on building management systems are not unheard of. Kaspersky recently reported that Chinese hackers used these types of systems as a point of infiltration in an attack aimed at a telecoms company.

UPDATE: Honeywell has provided the following statement:

Security is a top priority at Honeywell, and we are committed to taking all appropriate measures to ensure the highest integrity of our products and services. We are aware of the findings presented by SCADAfence, which did not take into consideration guidance in the Alerton ACM Dealer and End User Security Guides that we shared with them. We have encouraged our Alerton customers to follow our published security guidelines, review their current configuration and make any necessary updates.

UPDATE 2: SCADAfence has published a technical blog post describing the vulnerabilities.

Related: Schneider Electric, Claroty Launch Cybersecurity Solution for Buildings

Related: Hackers Can Make Siemens Building Automation Controllers ‘Unavailable for Days’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
