HVACking: Understand the Difference Between Security and Reality!

Conference:  Defcon 27



The presentation discusses a vulnerability found in Delta HVAC systems that can be exploited remotely, and the importance of cooperation between security researchers and vendors to fix such vulnerabilities.
  • Delta was cooperative in fixing the vulnerability
  • Cooperation between security researchers and vendors is necessary to fix vulnerabilities before malicious attacks can occur
  • The vulnerability can be exploited remotely using certain technology
  • Approximately 1600-1700 Delta devices worldwide were found to have the same vulnerability
  • A fully functional HVAC unit controlled by a Delta system was built to demonstrate the effectiveness of the attack
The presenters built a fully functional HVAC unit controlled by a Delta system to demonstrate the effectiveness of the attack. The unit had all the components of a real working HVAC system, including valves, pumps, fans, and a raised floor. The only component that was not 100% accurate was the use of cold water instead of a compressor. The presenters also added lights to indicate the state of different devices and to indicate an alarm is active. The alarm could be in the form of an audible siren, a light, or even email notifications. The presenters used this anecdote to illustrate the potential impact of the vulnerability on real-life systems.


Like most modern devices, building controllers have increasingly become network connected, exposing them to a wider range of threats. If malicious actors could manipulate access control systems, boiler rooms, or temperature control for critical industrial systems, the potential for catastrophic damage is extreme. McAfee's ATR team has discovered a 0-day vulnerability in a major building controller. This controller is a fully programmable native BACnet™ device designed to manage a wide range of building systems. By modifying BACnet broadcast traffic, a buffer overflow can be leveraged into a write-what-where (WWW) condition. This WWW leads to execution control, providing the attacker with a root shell and complete control over the device remotely. Because this attack vector is through BACnet broadcast traffic, there is no authentication mechanism for the target device, allowing anyone on the same network to communicate with it directly and exploit the vulnerability without authentication. Currently, there are over 500 of these devices connected to the internet running in BACnet/IP Broadcast Management Device (BBMD) mode. Utilizing this mode, broadcast traffic can travel over the internet, increasing the potentially devastating impact of this vulnerability. This presentation will include a deep technical analysis of the vulnerability discovery process and demos illustrating an attack in a critical scenario. Finally, we will discuss the steps taken by the vendor to patch this vulnerability and demonstrate its effectiveness.