Qiguang Zhang (Southeast University), Junzhou Luo (Southeast University, Fuyao University of Science and Technology), Zhen Ling (Southeast University), Yue Zhang (Shandong University), Chongqing Lei (Southeast University), Christopher Morales (University of Massachusetts Lowell), Xinwen Fu (University of Massachusetts Lowell)

Building Automation Systems (BASs) are crucial for managing essential functions like heating, ventilation, air conditioning, and refrigeration (HVAC&R), as well as lighting and security in modern buildings. BACnet, a widely adopted open standard for BASs, enables integration and interoperability among heterogeneous devices. However, traditional BACnet implementations remain vulnerable to various security threats. While existing fuzzers have been applied to BACnet, their efficiency is limited, particularly due to the slow bus-based communication medium with low throughput. To address these challenges, we propose BACsFuzz, a behavior-driven fuzzer aimed at uncovering vulnerabilities in BACnet systems. Unlike traditional fuzzing approaches focused on input diversity and execution path coverage, BACsFuzz introduces the token-seize-assisted fuzzing technique, which leverages the token-passing mechanism of BACnet for improved fuzzing efficiency. The token-seize-assisted fuzzing technique proves highly effective in uncovering vulnerabilities caused by the misuse of implicitly reserved fields. We identify this issue as a common vulnerability affecting both BACnet and KNX, another major BAS protocol. Notably, the BACnet Association (ASHRAE) confirmed the presence of a protocol-level token-seize vulnerability, further validating the significance of this finding. We evaluated BACsFuzz on 15 BACnet and 5 KNX implementations from leading manufacturers, including Siemens, Honeywell, and Johnson Controls. BACsFuzz improves fuzzing throughput by 272.49% to 776.01% over state-of-the-art (SOTA) methods. In total, 26 vulnerabilities were uncovered (18 in BACnet and 8 in KNX), each related to implicitly reserved fields. Of these, 24 vulnerabilities were confirmed by manufacturers, with 9 assigned CVEs.
