{"id":1295,"date":"2023-08-31T13:06:21","date_gmt":"2023-08-31T10:06:21","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1295"},"modified":"2023-08-31T13:06:21","modified_gmt":"2023-08-31T10:06:21","slug":"ot-hunt-honeywell-trend-controls-iq-controllers","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2023\/08\/31\/ot-hunt-honeywell-trend-controls-iq-controllers\/","title":{"rendered":"OT Hunt: Honeywell Trend Controls &#8211; IQ controllers"},"content":{"rendered":"\n<p>This is the 8th topic of \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces.<\/p>\n\n\n\n<p>In this article, my target is <a href=\"https:\/\/buildings.honeywell.com\/us\/en\/products\/by-category\/control-panels\/building-controls\/plant-and-integration-controllers\/iq4e-controller\">Honeywell Trend Controls IQ4E<\/a>. The IQ4E controller is versatile, fitting a wide variety of applications. It incorporates Ethernet, TCP\/IP, and embedded XML, and is compatible with other Trend IQ controllers. It supports BACnet over IP by default, with an option for Trend communications over a current loop LAN. 
It has an RS232 port for connection to local PCs or displays like IQView4 and includes a Wallbus port for room displays.<\/p>\n\n\n\n<p>I used the following keywords\/dorks to search for IQ4E on the Shodan search engine; see also my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-IoT%20dorks\/Honeywell-Shodan\" target=\"_blank\">ICS-OT-iIoT dorks project<\/a> on GitHub:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Vendor Name: Trend Control Systems Ltd product:\"IQ4E\"<\/code><\/pre>\n\n\n\n<p>The search for IQ4E yielded 74 devices. These devices have web servers for configuration and system control, accessible on the following ports:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>47808  UDP<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"472\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-1024x472.jpg\" alt=\"\" class=\"wp-image-1304\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-1024x472.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-300x138.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-768x354.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-1536x708.jpg 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/08\/iq4a-2048x944.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once you gain access to this server, it\u2019s possible to control the IQ4E controller or obtain the 4-digit authentication PIN for this controller, which is transmitted in plaintext. This vulnerability is exposed in the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.forescout.com\/blog\/ot-icefall-56-vulnerabilities-caused-by-insecure-by-design-practices-in-ot\/\" target=\"_blank\">OT:ICEFALL<\/a> report. 
Check the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-22-242-08\" target=\"_blank\">CISA advisory<\/a> for more information.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ICSA-22-242-08<\/code><\/pre>\n\n\n\n<p>Happy hacking!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the 8th topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces. In this article, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,161,157,4,216,45,3,76,130,168,48,23,5,32],"tags":[7,13,6,75,217,12,47,218,20],"class_list":["post-1295","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-bacnet","category-building-automation-systems","category-cyber-security","category-honeywell","category-ics-protocols","category-ics-security","category-icsrank","category-insecure-by-design","category-ot-hunt","category-ot-security","category-shodan","category-vendors","category-vulnerability-assessment","tag-cyber-security","tag-ics","tag-ics-security","tag-icsrank","tag-iq4e","tag-ot","tag-ot-security","tag-oticefall","tag-shodan"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1295"}],"version-history":[{
"count":16,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1295\/revisions"}],"predecessor-version":[{"id":1298,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1295\/revisions\/1298"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}