Smart Buildings at Risk: Lessons from Black Hat Europe 2025

December 12, 2025 at 12:00 AM

Modern buildings often hide outdated building management systems (BMS) that were never meant to face the open internet. At Black Hat Europe 2025, Gjoko Krstic of Zero Science Lab presented A City of a Thousand Zero Days, showing how one vendor’s BMS evolved through acquisitions into an insecure platform. More than 1,000 buildings run this software on public-facing IPs, stacking years of vulnerabilities.

Key findings:

  • Some weaknesses trace back to an 18-year-old firmware codebase.
  • Security due diligence and code audits were neglected during M&A.
  • Coordinated disclosure led to patches that fixed symptoms but left root causes.
  • The BMS was not designed for internet exposure; the vendor recommends placing it behind a VPN.
  • ICS experience echoes this: legacy protocols were built for trusted networks, not the public web.

Why it matters:

  • Attackers could overheat server rooms and disrupt operations.
  • Misusing fire controls to unlock doors could enable physical intrusion.
  • Similar exposure affects other services like RDP still on public IPs, sometimes without MFA.

What to do now:

  • Remove BMS and other critical systems from public IPs; require VPN with MFA and tight access controls.
  • Segment networks so BMS/ICS are isolated from corporate environments.
  • After any vulnerability notice, run full code reviews and eliminate root causes, not just symptoms.
  • Maintain regular patching and audits for building services, aligned with corporate cybersecurity audits.
  • During mergers and acquisitions, mandate thorough security due diligence on acquired software and firmware.
  • For remote access (e.g., RDP), enforce VPN, MFA, allow-listing, and brute-force protections.
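The checklist above can be turned into a repeatable check. The script below is an added example, not code from the article, from WeLiveSecurity, or from the talk it summarises: it walks a hypothetical asset inventory (the hosts, addresses and service labels are constructed, with RFC 5737 TEST-NET addresses standing in for public ones) and flags critical services such as BMS web interfaces or RDP that are reachable without VPN or lack MFA, then counts failed logons per source in a constructed log to surface brute-force attempts that lockout rules should catch. The inventory fields, service names and log format are assumptions.

```python
"""Exposure audit for building-management and remote-access services.

Added example (not from the article or the talk it summarises). The inventory
rows, service labels and log lines are constructed. TEST-NET addresses stand in
for public ones, so public/internal is decided with an explicit RFC 1918 list
rather than ipaddress.is_global, which would classify TEST-NET as non-global.
"""
import ipaddress
from collections import Counter

# Constructed inventory: one row per listening service (hypothetical schema).
INVENTORY = [
    {"host": "bms-hq-01",    "ip": "203.0.113.10", "port": 80,   "service": "bms-web", "via_vpn": False, "mfa": False},
    {"host": "bms-plant-02", "ip": "10.20.0.15",   "port": 80,   "service": "bms-web", "via_vpn": True,  "mfa": True},
    {"host": "jump-01",      "ip": "198.51.100.7", "port": 3389, "service": "rdp",     "via_vpn": False, "mfa": False},
    {"host": "ws-044",       "ip": "10.30.1.44",   "port": 3389, "service": "rdp",     "via_vpn": True,  "mfa": True},
    {"host": "www-01",       "ip": "203.0.113.80", "port": 443,  "service": "https",   "via_vpn": False, "mfa": False},
]

# Assumed service labels that must only be reachable over VPN with MFA.
CRITICAL_SERVICES = {"bms-web", "ics-hmi", "rdp"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def is_public(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_exposure(inventory):
    """Return (host, severity, reason) for each critical service that breaks the
    'behind VPN, with MFA' rule. Non-critical services are skipped."""
    findings = []
    for row in inventory:
        if row["service"] not in CRITICAL_SERVICES:
            continue
        if is_public(row["ip"]) and not row["via_vpn"]:
            findings.append((row["host"], "HIGH",
                             f'{row["service"]} on {row["ip"]}:{row["port"]} is reachable '
                             f"from the internet; move it behind the VPN"))
        if not row["mfa"]:
            findings.append((row["host"], "MEDIUM", f'{row["service"]} access has no MFA'))
    return findings


def exposed_hosts(inventory):
    """Hosts with at least one HIGH finding, sorted for stable reporting."""
    return sorted({host for host, sev, _ in audit_exposure(inventory) if sev == "HIGH"})


# Constructed authentication log (hypothetical format: timestamp result user source-ip).
AUTH_LOG = """\
2025-12-12T01:00:01Z FAIL admin 198.51.100.23
2025-12-12T01:00:02Z FAIL admin 198.51.100.23
2025-12-12T01:00:03Z FAIL root 198.51.100.23
2025-12-12T01:00:04Z FAIL operator 198.51.100.23
2025-12-12T01:00:05Z FAIL admin 198.51.100.23
2025-12-12T01:00:09Z FAIL svc_bms 198.51.100.23
2025-12-12T01:02:00Z FAIL jdoe 10.30.1.44
2025-12-12T01:02:05Z OK jdoe 10.30.1.44
"""


def brute_force_sources(log_text: str, threshold: int = 5):
    """Source addresses with at least `threshold` failed logons: candidates for
    lockout and for review against the remote-access allow-list."""
    failures = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "FAIL":
            failures[parts[3]] += 1
    return sorted(src for src, count in failures.items() if count >= threshold)


if __name__ == "__main__":
    for host, sev, reason in audit_exposure(INVENTORY):
        print(f"[{sev}] {host}: {reason}")
    print("brute-force sources:", brute_force_sources(AUTH_LOG))
```

Run against a real inventory export, the HIGH findings are the hosts to pull off public IPs first; the MEDIUM findings are the VPN accounts to enrol in MFA. The brute-force threshold is deliberately a parameter: a BMS that legitimately sees a handful of operator logons per day warrants a lower one than a busy jump host.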

Bottom line: If bypassing a login could grant direct access to an app or network, add another security layer. Given time, adversaries will find a flaw, steal credentials, or brute-force access—exposure is optional and preventable.

Source:
WeLiveSecurity
