Researcher Gjoko Krstic's "Project Brainfog" exposed hundreds of zero-day vulnerabilities in building-automation systems still running hospitals, schools, and offices worldwide.
October 30, 2025

When security researcher Gjoko Krstic finally came up for air from his research, he hadn't slept for a week.

"I was dizzy. I couldn't stop finding new bugs," he says. "That's why I called [this research] 'Project Brainfog.'"

The name stuck — fitting for a research effort that uncovered more than 800 vulnerabilities, many of them zero-day, across building-automation systems operating in over 30 countries and 220 cities worldwide. These aren't theoretical flaws: They affect real-world infrastructure — everything from hospitals and high schools to airports, stadiums, and government buildings.

At Black Hat Europe 2025, Krstic, an offensive security researcher at Zero Science Lab, will take the stage to present "Project Brainfog: Hacking Smart Cities One Building at a Time – A City of a Thousand Zero Days." His talk will detail how a forgotten line of code and years of corporate mergers left modern cities vulnerable to remote takeover.

The story began when Krstic stumbled across an exposed building management controller during a security operation. Digging deeper, he found an 18-year-old codebase originally written by American Auto-Matrix in 2008, which was later acquired by Ireland-based Cylon Controls and eventually absorbed by tech company ABB in 2020.

"The entire code base was actually old, 18 years old, without any security code review done prior," he says.

What Krstic uncovered reads like a greatest hits list of industrial control system (ICS) weaknesses: backdoors, unencrypted firmware, default credentials, buffer overflows, and unauthenticated remote root exploits. While the vendor claimed the devices were never meant to be connected to the Internet, they required Internet connectivity to receive updates.

Krstic says it was alarmingly easy to identify exposed systems, and his findings revealed just how far the problem reached. The controllers were embedded in facilities operated by some of the world's largest companies, including technology campuses, correctional institutions, and even entertainment venues. With a single online request, he could see the names of buildings — no login required. Among them were ice rinks, office towers, and even London's iconic "Walkie Talkie" building, which houses hundreds of companies.

These vulnerabilities could have real-world consequences, such as a malicious actor remotely triggering fire suppression or HVAC systems to flood offices or damage critical equipment. "You can inflict massive financial damage and cause real-world physical harm," Krstic says.

When Krstic first notified ABB, the company fixed some issues but did not assign Common Vulnerabilities and Exposures (CVE) records to the vulnerabilities. There were also inconsistencies in how the company categorized and scored the severity of these vulnerabilities. Minor bugs were assigned the maximum 10.0 score under the Common Vulnerability Scoring System while an unauthenticated remote code execution flaw was assigned 6.0, Krstic says.

"They told me, 'These systems shouldn't be online,'" he says. "Then they started issuing silent fixes — patches with no CVEs, no changelogs, and no transparency."

Over the following months, communication between Krstic and the vendor grew increasingly strained. The strain of the process — and the sheer volume of findings — led to the project's name. "It was overwhelming," Krstic admits. "Every time I looked deeper, I found more zero-days. My head was spinning."

For Krstic, Project Brainfog isn't just about one product line. It's a cautionary tale about the cybersecurity blind spots that can follow mergers and acquisitions. Industry standards such as IEC 62443 and the EU's Cyber Resilience Act (CRA) are frameworks that can guide future diligence.

"When a large vendor acquires a smaller one, they inherit its legacy," he says. "But few perform proper code audits or penetration tests before integration. That's how vulnerabilities travel across decades and continents."

While the vendor has since reduced the number of exposed systems — from about 1,000 to 200 — many remain online, Krstic says. "They've improved," he says. "They now require authentication to download firmware, and some hardware is being replaced. But it's only 80% fixed. The rest is still out there."

His message to security professionals and facility owners: Know what's on your network.

"If your building runs on automation, you need to know what vendor built it, who owns the firmware, and whether it's being updated," he says. "Too many organizations don't even know who manages their buildings, let alone what systems they're running."

Joan Goodchild, Contributing Writer, Dark Reading. Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.