A cybersecurity researcher and Honeywell are at odds over the seriousness of a vulnerability found in one of the company’s building management controllers. The researcher claims the issue is significant, while Honeywell maintains that the impact is minimal.
Researcher’s Findings on Honeywell’s IQ4 Controller
Gjoko Krstic, a researcher known for his work on building control systems, recently examined Honeywell's IQ4 controller. Krstic found that the product's web-based human-machine interface (HMI) can be reached without authentication if the device is left in its factory-default state.
Krstic also found that, where the device is improperly configured and the user module has not been activated during setup, a remote attacker could create administrator accounts. That could potentially lock legitimate users out of the system's configuration and administration interfaces.
Implications and Vendor’s Response
The issue could affect facilities that rely on the controller, such as schools and commercial buildings. Honeywell has not released a patch, noting that the IQ4 is intended for on-premises use and should not be exposed to the internet.
According to Honeywell, the device ships unconfigured and must be set up by trained personnel before use. The company says that any security gap present during the initial installation phase can be closed with a standard reset, and that the normal installation process enables the security settings automatically.
Disagreement Over Security Risks
Krstic disputes Honeywell's position, pointing out that approximately 7,500 IQ4 instances are reachable online, of which about 20% have no authentication in place. He also says that an incomplete setup still allows unauthorized control of building components such as lighting and temperature.
SecurityWeek was able to confirm that many IQ4 interfaces are reachable from the internet, but has not verified the remaining claims. Krstic has requested a CVE for the issue and has contacted the CERT Coordination Center to mediate.
Cybersecurity experts warn that building automation systems are frequent targets for malicious actors, emphasizing the ongoing importance of robust security measures in industrial control systems.
