Project Brainfog: Beyond The Facade – Exposing Smart Giants

From the research whitepaper: This whitepaper accompanies the original talk and presentation delivered at the conference. It delves into the critical cybersecurity flaws discovered in ABB’s building automation systems, specifically focusing on two widely deployed controllers: the ABB Cylon Aspect and ABB Cylon FLXeon Series (also known as BACnet Building Control). Since April 2024, I have identified over 800 zero-day vulnerabilities in these Building Management Systems (BMS) and Building Automation Systems (BAS). The scale of impact is staggering, affecting high-profile infrastructures such as skyscrapers, stadiums, hospitals, airports, museums, industrial control systems, educational institutions, and other critical facilities worldwide. The handling of these vulnerabilities by ABB, the vendor, has demonstrated a margin of improvement required to have a more secure ecosystem. Silent patching practices emerged throughout 2024 with the release of version 3.08.01 of Aspect system, leaving numerous flaws unaddressed. Among the issues discovered are backdoors, unauthenticated remote root exploits, and a lack of transparency in vulnerability disclosure. The vendor’s failure to release timely advisories, misassignment and incorrect scoring of CVEs, and overall neglect of cybersecurity best practices have amplified the risks. In one of the devices the root cause of these vulnerabilities lies in the 18-year-old codebase and firmware, which has passed through multiple acquisitions without significant security updates.