OT Hunt: Honeywell Trend Controls – IQ controllers
This is the 8th topic of “OT Hunt ”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build an awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their their assets’ attack surfaces.
In this article, my target is Honeywell Trend Controls IQ4E . The IQ4E controller is versatile, fitting a wide variety of applications. It incorporates Ethernet, TCP/IP, and embedded XML, and is compatible with other Trend IQ controllers. It supports BACnet over IP by default, with an option for Trend communications over a current loop LAN. It has an RS232 port for connection to local PCs or displays like IQView4 and includes a Wallbus port for room displays.
The following keywords/dorks I used to search for IQ4E on Shodan search engine, please check out my ICS-OT-iIoT dorks project at GitHub:
Vendor Name: Trend Control Systems Ltd product:"IQ4E"
The search for IQ4E yielded 74 devices. These devices have web servers for configuration and system control, accessible on the following ports:
47808 UDP
Once you gain access to this server, its possible to control IQ4E controller or obtain the 4-digit authentication PIN for this controller which is transmitted in plaintext. This vulnerability is exposed in the OT:ICEFALL report. Check CISA advisory for more information.
ICSA-22-242-08
Happy hacking !
Senior OT Specialist at SektorCERT (Denmark)
1 年p? danske ;)
Information Security | Instructor
1 年William Nogueira