Breaking BACnet: Protocol Stack Vulnerabilities in Commercial BMS Controllers

BACnet/IP implementations across six major vendors consistently process untrusted network input with no authentication and minimal bounds checking. WriteProperty calls modifying live setpoints with no audit trail.

Background

BACnet (Building Automation and Control Networks) is the dominant protocol in commercial building management systems. Despite its critical role in HVAC, lighting, and access control, most BACnet/IP stacks ship with no authentication layer and rely entirely on network segmentation for security.

Findings

During testing of six commercial BMS controllers, the following issues were consistently identified:

• Unauthenticated ReadProperty and WriteProperty access to all BACnet objects
• No input validation on object identifiers, allowing enumeration of the entire device tree
• Stack-based buffer overflows in custom BACnet object name handling
• Missing rate limiting on WhoIs/IAm discovery, enabling network-wide device mapping
• WriteProperty calls to binary output objects directly controlling physical relay states

Impact

An attacker with network access to the BACnet/IP segment can read all sensor values, modify setpoints (temperature, pressure, flow rates), and toggle physical outputs without any authentication or logging. In tested deployments, the BACnet segment was reachable from the corporate LAN with no firewall rules.