A legacy building management internet protocol from the 1990s is quietly running inside many commercial real estate, retail, hospitality and data center systems, exposing them to cyber risk, according to research published by cybersecurity firm Claroty.
LonTalk, the networking protocol, was once a staple in device-to-device communications, especially for building automation and building management systems. Although the secure open standard BACnet has largely replaced it, LonTalk still exists deep “under the covers of many proprietary BMS implementations,” Claroty said in its report.
For facility managers, cybersecurity has joined physical security as a priority as hackers and threat actors look to exploit vulnerabilities in HVAC, lighting and other building management systems to gain access to an organization's IT network, cybersecurity specialists say.
About “75% of organizations are managing building management system devices with known exploited vulnerabilities,” Claroty said in a report published last year. “Many of these systems do not support cybersecurity features, and direct connectivity to the enterprise network or public internet introduces new risks to the business.”
The LonTalk risks are especially worrisome because organizations are managing their building management systems on IP networks they can access via the cloud. “As with any proprietary deployment of protocols such as LonTalk, there may be undocumented security issues that could pose a risk to organizations,” Claroty said. “Organizations will have to contend with a new host of vulnerabilities and configurations being introduced as a side effect of this connectivity.”
Claroty said it conducted a search for Internet-accessible LonTalk devices and identified “a significant number of exposed controllers.”
“Many of these devices expose the CEA-852 LonTalk-over-IP service on its default ports,” the company said. CEA-852 is a standard open-protocol method for transporting control packets over a standard IP network, Claroty says.
“A large portion of these controllers either rely on [relatively weak] protection … or do not implement any security mechanisms at all,” it said.
Claroty says it will continue to look at real-world gateway controllers using LonTalk to examine how these packets operate and uncover potential weak spots in implementations within modern BMS deployments.
“LonTalk should not be underestimated as an attack vector for hacktivists and criminal entities, especially as BMS is enabled over IP networks,” Claroty said.