LmCast :: Stay tuned in

An 18-Year-Old Codebase Left Smart Buildings Wide Open

Recorded: Oct. 31, 2025, 1 p.m.

Original

Researcher Gjoko Krstic's "Project Brainfog" exposed hundreds of zero-day vulnerabilities in building-automation systems still running hospitals, schools, and offices worldwide.

Joan Goodchild, Contributing Writer, Dark Reading
October 30, 2025

Source: Carlos Castilla via Alamy Stock Photo

When security researcher Gjoko Krstic finally came up for air from his research, he hadn't slept for a week.

"I was dizzy. I couldn't stop finding new bugs," he says. "That's why I called [this research] Project Brainfog."

The name stuck — fitting for a research effort that uncovered more than 800 vulnerabilities, many of them zero-day, across building automation systems operating in over 30 countries and 220 cities worldwide. These aren't theoretical flaws: they affect real-world infrastructure — everything from hospitals and high schools to airports, stadiums, and government buildings.

At Black Hat Europe 2025, Krstic, an offensive security researcher at Zero Science Lab, will take the stage to present Project Brainfog: Hacking Smart Cities One Building at a Time – A City of a Thousand Zero Days. His talk details how a forgotten line of code and years of corporate mergers left modern cities vulnerable to remote takeover.

18 Years of Dormant Code

The story began when Krstic stumbled across an exposed building management controller during a security operation. Digging deeper, he found an 18-year-old codebase originally written by American Auto-Matrix in 2008, later acquired by Ireland-based Cylon Controls, and eventually absorbed by tech company ABB in 2020.

"The entire code base was actually old, 18 years old, without any security code review done prior," he says.

What Krstic uncovered reads like a greatest hits list of industrial control system (ICS) weaknesses: backdoors, unencrypted firmware, default credentials, buffer overflows, and unauthenticated remote root exploits. While the vendor claimed the devices were never meant to be connected to the Internet, they required Internet connectivity to receive updates.

A Global Supply Chain of Exposure

Krstic says it was alarmingly easy to identify exposed systems, and his findings revealed just how far the problem reached. The controllers were embedded in facilities operated by some of the world's largest companies, including technology campuses, correctional institutions, and even entertainment venues. With a single online request, he could see the names of buildings — no login required. Among them were ice rinks, office towers, and even London's iconic "Walkie Talkie" building, which houses hundreds of companies.

These vulnerabilities could have real-world consequences, such as a malicious actor remotely triggering fire suppression or HVAC systems to flood offices or damage critical equipment. "You can inflict massive financial damage, and cause real-world physical harm," he says.

The Patchwork of Corporate Response

When Krstic first notified ABB, the company fixed some issues, but did not assign Common Vulnerabilities and Exposures (CVE) records to the vulnerabilities. There were also inconsistencies in how the company categorized and scored the severity of these vulnerabilities. Minor bugs were assigned the maximum 10.0 score under the Common Vulnerability Scoring System while an unauthenticated remote code execution flaw was assigned 6.0, Krstic says.

"They told me, 'These systems shouldn't be online,'" he says. "Then they started issuing silent fixes — patches with no CVEs, no changelogs, and no transparency."

Over the following months, communication between Krstic and the vendor grew increasingly strained. The strain of the process — and the sheer volume of findings — led to the project's name. "It was overwhelming," Krstic admits. "Every time I looked deeper, I found more zero-days. My head was spinning."

A Case Study in M&A Risk

For Krstic, Project Brainfog isn't just about one product line. It's a cautionary tale about the cybersecurity blind spots that can follow mergers and acquisitions. Industry standards such as IEC 62443 and the EU's Cyber Resilience Act (CRA) are frameworks that can guide future diligence.

"When a large vendor acquires a smaller one, they inherit its legacy," he says. "But few perform proper code audits or penetration tests before integration. That's how vulnerabilities travel across decades and continents."

While the vendor has since reduced the number of exposed systems — from about 1,000 to 200 — Krstic says many remain online. "They've improved," he says. "They now require authentication to download firmware, and some hardware is being replaced. But it's only 80% fixed. The rest is still out there."

His message to security professionals and facility owners: know what's on your network.

"If your building runs on automation, you need to know what vendor built it, who owns the firmware, and whether it's being updated," he says. "Too many organizations don't even know who manages their buildings, let alone what systems they're running."

Summarized

The case of "Project Brainfog" has exposed critical weaknesses in the architecture of modern smart buildings, stemming from a combination of legacy code and corporate acquisitions. Gjoko Krstic, an offensive security researcher at Zero Science Lab, found more than 800 vulnerabilities, many of them zero-days, in building automation systems worldwide, rooted in an 18-year-old codebase originating from American Auto-Matrix in 2008, later acquired by Cylon Controls and finally absorbed by ABB in 2020. The research, highlighted at Black Hat Europe 2025, demonstrates the risk that mergers and acquisitions carry within the industrial control systems (ICS) domain.

The core of the problem is the prolonged neglect of legacy systems, in this instance the building automation controllers, as they changed hands through successive acquisitions with minimal auditing. The vulnerabilities uncovered include backdoors, unencrypted firmware, default credentials, buffer overflows, and unauthenticated remote root exploits, posing a significant threat to infrastructure control. Krstic's research underscores the importance of security due diligence in M&A activities. The reach of these vulnerabilities, spanning over 30 countries and 220 cities, highlights the potential for widespread disruption: a malicious actor could remotely trigger fire-suppression or HVAC systems to flood offices or damage critical equipment.

Communication between Krstic and ABB was particularly strained, further fueling the project's name. The vendor initially lacked transparency: it fixed some issues without assigning Common Vulnerabilities and Exposures (CVE) records, issued silent patches with no changelogs, and scored severity inconsistently, rating minor bugs at the maximum CVSS score of 10.0 while an unauthenticated remote code execution flaw received 6.0. The vendor's position that the systems should never have been online compounded the problem, while the researcher found himself overwhelmed by the scale of the findings. The situation is a stark reminder of the challenges of managing complex, aging systems in critical infrastructure and of the need for robust vulnerability management processes.

ABB has taken steps to mitigate the immediate risks, reducing the number of exposed systems from approximately 1,000 to 200, requiring authentication to download firmware, and initiating hardware replacements, but Krstic puts the remediation at only about 80% complete, with the remaining systems still online. He emphasizes that knowing a system's origin, who owns its firmware, and whether it is being updated is paramount for facility owners and security professionals. This reinforces the need for proactive asset inventory and monitoring, especially in environments reliant on automation.

The findings resonate in the context of emerging regulatory frameworks such as the EU's Cyber Resilience Act (CRA), which intends to establish security standards for digital products and services, and the IEC 62443 standard, which provides guidelines for the security of industrial automation and control systems, underscoring the need for a comprehensive approach to risk management. Krstic's work serves as a prominent case study in the consequences of neglecting legacy systems during corporate transformation and makes a strong argument for a proactive and rigorous approach to vulnerability management in smart building ecosystems.