After internal audit on HVAC products, Cisco revealed critical security holes in a device that connects a building's ventilation, lighting, security, and energy supply systems so they can be controlled by the IT department remotely. These vulnerabilities could allow an attacker to obtain administrative passwords, as no authentication mechanism exists in order to read the system configuration files, making it easier for intruders to compromise a building's most critical control systems. Cisco announced that these vulnerabilities exist due to the use of legacy products from Richards-Zeta, which Cisco-acquired and revealed security holes during internal audits of the system. Cisco Engineers advised the appropriate personnel to use Cisco Network Building Mediator in order to patch the vulnerabilities. Additionally other bugs allowed malicious insiders to intercept traffic as it travels between an administrator and the Building Mediator and to escalate limited privileges. Cisco advisory includes a configuration manual in order to secure the system’s function, but warns its customers to be really careful, as new threats might arise since the product is designed to seamlessly interact with larger power grids. Source: Trust-IT