Homeland Security has given the maximum severity score to a vulnerability in a popular smart building automation system.
Optergy’s Proton allows building owners and managers to remotely monitor energy consumption and manage who can access the premises. The box is web-connected, and connects to other devices — like air conditioning and heating — in the building for real-time monitoring through a web interface.
CISA, the government’s dedicated cybersecurity unit, said the device had serious vulnerabilities.
An advisory said an attacker could gain “full system access” through an “undocumented backdoor script.” This, the advisory said, could allow the attacker to run commands on a vulnerable device with the highest privileges. Backdoors typically grant hidden or undocumented access to a system, and can be used by tech support to remotely log in and troubleshoot issues. But if found by an attacker, backdoors can also be used maliciously.
The vulnerability required a “low level” …