The Honeywell IQ4 (Trend IQ4) is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACnet over IP, and can expand up to 192 I/O points depending on the model, making them suitable for a wide range of plant-control applications. They offer multiple communication ports (Ethernet, USB, RS232, Wallbus), optional Trend current-loop networking, and seamless compatibility with other Trend IQ controllers - enabling unified, energy-efficient building automation across devices.
The IQ4xx building management controller, manufactured by Honeywell, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System User (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
Additionally, a hidden 'Diagnostics Overview' endpoint (/^.htm or /%5E.htm) is accessible through the interface, further expanding the exposed attack surface. While the vendor states the controller is intended for on-premises use and not direct Internet exposure, reliance on network isolation does not mitigate insecure default states. Operational environments frequently include flat network segments, remote access services, and integration pathways that expand reachability. Systems controlling critical building functions must enforce authentication and least-privilege controls by default, independent of deployment assumptions. This design leaves schools, commercial buildings, and other facilities vulnerable to unauthorized control, configuration tampering, and administrative lockout wherever network access is obtained. "Security must be engineered for resilience, not isolation." - AI Joe
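Since the controller itself enforces nothing in its default state, the practical defensive control is to watch who reaches the two pages named above. The following is an added example, not code from the advisory or from Honeywell/Trend: it runs detection logic over constructed HTTP access-log lines in Common Log Format, as a reverse proxy or network sensor placed in front of the controller might record them (the IQ4's own logging format is not described on this page, so nothing here assumes it). It percent-decodes request paths so that /%5E.htm and /^.htm are treated as the same endpoint, and it flags successful requests to U.htm or the Diagnostics Overview from hosts outside a hypothetical operator-workstation allow-list (OPERATOR_NETS is an assumed value, adjust it to the site).

```python
import re
from urllib.parse import unquote
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format). These are
# illustrative, written for this example; they are not IQ4 controller output.
SAMPLE_LOG = """\
10.20.0.15 - - [03/Mar/2025:08:15:02 +0000] "GET /index.htm HTTP/1.1" 200 5120
10.20.0.15 - - [03/Mar/2025:08:15:09 +0000] "GET /U.htm HTTP/1.1" 200 2210
192.168.77.40 - - [03/Mar/2025:08:16:31 +0000] "GET /U.htm HTTP/1.1" 200 2210
192.168.77.40 - - [03/Mar/2025:08:16:35 +0000] "POST /U.htm HTTP/1.1" 200 310
192.168.77.40 - - [03/Mar/2025:08:17:02 +0000] "GET /%5E.htm HTTP/1.1" 200 9800
10.20.0.15 - - [03/Mar/2025:08:18:44 +0000] "GET /^.htm HTTP/1.1" 200 9800
"""

# Hypothetical allow-list of operator workstation ranges; site-specific.
OPERATOR_NETS = [ip_network("10.20.0.0/24")]

# Endpoints named in the advisory, compared after percent-decoding the path.
SENSITIVE_PATHS = {
    "/U.htm": "user module / web user creation page",
    "/^.htm": "hidden Diagnostics Overview",
}

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def normalize_path(raw):
    """Drop the query string and percent-decode so /%5E.htm == /^.htm."""
    return unquote(raw.split("?", 1)[0])


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def is_operator(src):
    """True if the source address falls inside an allow-listed operator range."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in OPERATOR_NETS)


def find_alerts(log_text):
    """Return (severity, src, method, path, reason) tuples for sensitive requests.

    Only 200 responses are reported: a successful hit on these pages from a
    non-operator host means the unauthenticated default state is reachable.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in SENSITIVE_PATHS:
            continue
        if rec["status"] != 200:
            continue
        what = SENSITIVE_PATHS[rec["path"]]
        if not is_operator(rec["src"]):
            sev, reason = "high", f"{what} reached from non-operator host"
        elif rec["path"] == "/U.htm":
            # Any operator access to the user page changes who can log in;
            # confirm it matches a planned configuration change.
            sev, reason = "medium", "user module page accessed; verify change was planned"
        else:
            sev, reason = "info", f"{what} accessed from operator host"
        alerts.append((sev, rec["src"], rec["method"], rec["path"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(" | ".join(alert))
```

The decoding step is the part worth copying into any real rule: a signature that matches only the literal string `/^.htm` misses the `/%5E.htm` form, and vice versa. Pair this with a periodic check that at least one web user exists on each controller, since the alerts only tell you who reached the page, not whether authentication has since been enabled.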
From the manual, page 12: 3.3 Access Rights (Security) "Controller security should always be enabled in line with the 'General Security Best Practice for Trend IP Based Products Information Sheet' (TP201331). You can login to the web interface using a user name and password that match one of the user modules defined in the controller's strategy. Once logged in your access rights will be determined by the user module configuration."