Honeywell, Researcher Clash Over Impact of IQ4 Building Controller Vulnerability
Overview of the Dispute
A public disagreement has emerged between Honeywell and security researcher Gjoko Krstic over the severity and real-world exposure of a reported vulnerability affecting Honeywell’s IQ4 building management controller. The issue centers on whether the risk stems from insecure default behavior or improper deployment practices.
Krstic describes the vulnerability as high risk, warning that certain factory-default conditions may expose the controller’s web-based Human-Machine Interface (HMI) without authentication. Honeywell, however, disputes this characterization and maintains that proper installation procedures mitigate the risk.
Technical Details of the Reported Vulnerability
According to Krstic’s findings, the vulnerability can manifest under specific conditions:
- The IQ4 web HMI may be accessible without authentication in factory-default setups.
- If a user authentication module is not enabled, a remote actor could create an administrator account.
- When exposed to the public internet, the device could potentially be accessed remotely without credentials.
The researcher argues that these conditions, if present in internet-facing deployments, create a pathway for unauthorized administrative control.
Extent of Internet Exposure
Krstic claims to have identified approximately 7,500 IQ4 instances exposed to the internet. Of those, he estimates that around 20% were accessible without authentication.
If accurate, this would mean that roughly 1,500 devices could be directly accessible without login protection, raising concerns about widespread misconfiguration or insecure default states in real-world environments.
Honeywell’s Response
Honeywell disputes the severity assessment and states that:
- IQ4 controllers are shipped unconfigured.
- Devices are intended for on-premises deployment within secured networks.
- Security settings, including authentication, are enabled during standard setup and commissioning procedures.
- Direct internet exposure contradicts deployment guidance and best practices.
The company maintains that the issue represents improper installation or network configuration rather than a fundamental product vulnerability.
Security Implications
IQ4 controllers are used in building management systems (BMS) to manage functions such as HVAC, lighting, and environmental controls. Unauthorized access could allow an attacker to:
- Manipulate temperature or environmental systems
- Disrupt building operations
- Use the device as a foothold for lateral movement within enterprise networks
- Target sensitive facilities such as hospitals, data centers, or government buildings
Building automation systems have historically been vulnerable to misconfiguration, particularly when connected to broader corporate networks or exposed for remote access without adequate safeguards.
Secure-by-Default vs. Deployment Responsibility
The dispute reflects a broader debate within industrial and operational technology (OT) security:
- Researchers often argue that products should be secure by default, even before configuration.
- Vendors may assert that devices are designed for controlled environments and require secure deployment by integrators or customers.
In today’s threat landscape—where automated scanning tools continuously search for exposed industrial devices—temporary misconfigurations can quickly become exploitation opportunities.
Recommended Mitigations
Regardless of the dispute over severity, organizations operating building management systems should:
- Avoid exposing controllers directly to the public internet.
- Enable authentication modules during initial setup.
- Implement network segmentation between BMS and core enterprise systems.
- Use VPNs or secure remote access gateways for maintenance access.
- Regularly audit exposed assets using external attack surface monitoring tools.
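The last two items above (enabling authentication and auditing exposed assets) can be checked against an organisation's own controller inventory. The following is an added example written for this page; it is not code from the article, from Honeywell, or from the researcher, and it makes no claim about the real IQ4 HMI. It walks a constructed inventory of BMS web interfaces, flags any address that is publicly routable (the definition here is simply "outside RFC 1918, loopback and link-local ranges", an assumption), and classifies each HTTP response as requiring authentication or not. The login-page heuristics (a 401/403/407 status, a redirect whose target mentions a login path, or a password field in the body) are assumptions and would need tuning per product. The HTTP fetcher is injectable so the logic runs offline against canned responses.

```python
"""Defender-side audit of a BMS controller inventory (added example, not from
the article). Flags publicly routable HMIs and HMIs that answer without any
authentication challenge. All inventory entries and responses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: anything outside these ranges is treated as publicly routable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local v4
    "fc00::/7", "fe80::/10", "::1/128",                 # ULA, link-local v6, loopback v6
)]


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Asset:
    name: str
    host: str   # IP literal of the controller's web HMI
    url: str    # URL the audit requests (path is a placeholder, not a real HMI path)


@dataclass
class Finding:
    asset: str
    public: bool
    posture: str   # 'auth_required', 'no_auth', 'unreachable' or 'unknown'


def is_publicly_routable(host: str) -> bool:
    """True if the literal IP is outside the private/local ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # hostnames are not judged here; resolve them out of band
    return not any(ip in net for net in PRIVATE_NETS)


def auth_posture(resp: Optional[HttpResponse]) -> str:
    """Heuristic classification of a single GET response (assumptions noted)."""
    if resp is None:
        return "unreachable"
    if resp.status in (401, 403, 407):
        return "auth_required"            # explicit challenge or refusal
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if 300 <= resp.status < 400:
        target = headers.get("location", "").lower()
        # Assumption: a redirect to a login-looking path means auth is enforced.
        return "auth_required" if any(m in target for m in ("login", "auth", "signin")) else "no_auth"
    if resp.status == 200:
        # Assumption: a password field in the body means we landed on a login page.
        return "auth_required" if 'type="password"' in resp.body.lower() else "no_auth"
    return "unknown"


def risk_level(f: Finding) -> str:
    """Prioritise findings: unauthenticated AND internet-reachable is the worst case."""
    if f.posture == "unreachable":
        return "recheck"
    if f.posture == "no_auth":
        return "critical" if f.public else "high"
    return "review" if f.public else "ok"


def audit(inventory: List[Asset], fetch: Callable[[str], Optional[HttpResponse]]) -> List[Finding]:
    return [Finding(a.name, is_publicly_routable(a.host), auth_posture(fetch(a.url)))
            for a in inventory]


# Constructed inventory: documentation-range 203.0.113.0/24 stands in for a public address.
INVENTORY = [
    Asset("bms-ctrl-01", "10.20.30.5", "http://10.20.30.5/"),
    Asset("bms-ctrl-02", "10.20.30.6", "http://10.20.30.6/"),
    Asset("bms-ctrl-03", "203.0.113.7", "http://203.0.113.7/"),
    Asset("bms-ctrl-04", "10.20.30.8", "http://10.20.30.8/"),
]

# Constructed responses standing in for a real HTTP client.
CANNED = {
    "http://10.20.30.5/": HttpResponse(200, {"Content-Type": "text/html"},
                                       '<form method="post"><input type="password" name="pw"></form>'),
    "http://10.20.30.6/": HttpResponse(200, {"Content-Type": "text/html"},
                                       "<html><title>Controller Overview</title><table></table></html>"),
    "http://203.0.113.7/": HttpResponse(302, {"Location": "/overview"}, ""),
    # bms-ctrl-04 has no entry: the fetcher returns None, i.e. unreachable.
}


def canned_fetch(url: str) -> Optional[HttpResponse]:
    return CANNED.get(url)


def run_audit() -> Dict[str, str]:
    """Map each asset name to its risk level for the constructed inventory."""
    return {f.asset: risk_level(f) for f in audit(INVENTORY, canned_fetch)}


if __name__ == "__main__":
    for f in audit(INVENTORY, canned_fetch):
        print(f"{f.asset:12} public={f.public!s:5} posture={f.posture:14} risk={risk_level(f)}")
```

For a live check of an organisation's own assets, `canned_fetch` would be replaced by a function built on `urllib.request` with a short timeout, and the inventory loaded from the asset register; the point of the classification is that a controller answering its overview page to an unauthenticated GET is a finding even on an internal segment, and becomes the top-priority finding once the address is publicly routable.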
Conclusion
The disagreement between Honeywell and Gjoko Krstic highlights ongoing challenges in industrial cybersecurity, particularly around default configurations and deployment practices. While Honeywell emphasizes secure installation procedures, the reported number of exposed devices suggests that real-world implementation gaps may exist.
As building management systems become increasingly interconnected, ensuring secure-by-design principles and strict deployment controls will remain critical to protecting operational environments from unauthorized access.