Project Brainfog: How an 18-Year-Old Codebase Left Smart Buildings Vulnerable Worldwide

Listen to this Post

Featured Image
In an era where cities are increasingly “smart,” a hidden threat has been quietly lurking behind the walls of hospitals, schools, offices, and entertainment venues: outdated building-automation systems. Researcher Gjoko Krstic’s investigation, dubbed Project Brainfog, uncovered over 800 zero-day vulnerabilities in systems that were once thought to be secure, revealing a cybersecurity blind spot that spans decades and continents. What started as a simple security check quickly spiraled into a global revelation about the fragility of our modern infrastructure.

A Deep Dive Into Forgotten Code

Krstic’s journey began with a single exposed building management controller, which led him to an 18-year-old codebase originally written by American Auto-Matrix in 2008. Over the years, this code passed through multiple acquisitions—first by Ireland-based Cylon Controls and eventually ABB in 2020—without ever undergoing thorough security reviews. The result? A treasure trove of vulnerabilities including backdoors, buffer overflows, unencrypted firmware, default credentials, and unauthenticated remote root exploits. Although the systems weren’t designed to be online, Internet connectivity was necessary for updates, inadvertently exposing them to attackers.

Global Reach of Vulnerable Systems

Krstic’s findings were staggering: these controllers were not confined to obscure locations. They powered facilities in over 30 countries and 220 cities, including ice rinks, correctional institutions, office towers, and iconic landmarks like London’s “Walkie Talkie” building. With minimal effort, anyone could identify the systems online—no login required—and potentially manipulate HVAC or fire suppression systems, creating risks of financial damage and real-world harm.

Corporate Response: Patchwork and Inconsistency

Upon reporting his findings to ABB, Krstic faced a mixed response. Some issues were addressed, but many patches were applied silently, without CVE records, changelogs, or consistent severity ratings. Minor bugs were sometimes rated higher than critical unauthenticated remote code execution flaws, highlighting a troubling lack of transparency and prioritization. Over time, this inconsistency contributed to the overwhelming nature of Krstic’s research, giving the project its “Brainfog” moniker.

Mergers, Acquisitions, and Legacy Risks

Project Brainfog also underscores the cybersecurity dangers of corporate mergers. Krstic emphasizes that when larger vendors acquire smaller ones, they inherit legacy code that often escapes proper audit and testing. Frameworks like IEC 62443 and the EU Cyber Resilience Act (CRA) are designed to mitigate these risks, but implementation remains uneven. Even after remediation, hundreds of vulnerable systems remain online, with only partial fixes applied.

The Urgent Message for Organizations

Krstic’s research serves as a wake-up call: organizations must know what’s running on their networks, especially in automated buildings. Ownership, firmware updates, and vendor history are not optional details—they are essential to maintaining security in an increasingly connected world.

What Undercode Say: An Analytical Perspective

Project Brainfog illustrates a broader systemic problem in cybersecurity: legacy inertia. Organizations often focus on new threats while neglecting decades-old systems that continue to operate quietly in the background. The risk is amplified by mergers and acquisitions, which can propagate vulnerabilities across industries and geographies without proper oversight.

The case also highlights how security assumptions fail in the real world. Many vendors rely on the notion that certain systems “shouldn’t be online,” ignoring that connectivity is often unavoidable for updates or remote management. This creates an illusion of safety, masking significant exposure.

Moreover, Krstic’s findings demonstrate the interconnectedness of digital and physical spaces. Exploiting building-automation systems is no longer just a theoretical concern—it can cause tangible damage, from flooding offices to disrupting critical hospital infrastructure. Cybersecurity, therefore, is not just about protecting data but safeguarding human lives and property.

From a regulatory standpoint, the uneven application of CVE scoring and patching reflects a gap in industry standards enforcement. Without mandatory transparency and standardized protocols for patch management, organizations remain vulnerable. Future frameworks, including CRA and ICS security standards, must evolve to enforce mandatory auditing of legacy systems during acquisitions and mergers.

Krstic’s work also raises questions about responsibility and accountability in cybersecurity. Should vendors be liable for inherited vulnerabilities? Should clients demand independent audits of legacy systems? These questions are central to preventing future “Brainfog” scenarios.

Finally, the human factor cannot be ignored. Organizations often lack visibility into who manages their infrastructure or what software is in use. Krstic’s warning is clear: ignorance is not bliss—it’s vulnerability. Security professionals must adopt proactive strategies, including network inventory audits, penetration testing, and ongoing monitoring, to mitigate long-standing risks.

Fact Checker Results

✅ Over 800 zero-day vulnerabilities discovered across 30+ countries.

✅ Vulnerabilities exist in critical infrastructure like hospitals and schools.
❌ Not all reported vulnerabilities were fully remediated; hundreds remain active.

Prediction

📊 As urban centers expand their smart infrastructure, the risk of legacy vulnerabilities will rise. Expect an increase in regulatory oversight, with stricter enforcement of CVE reporting and mandatory security audits during mergers. Organizations that invest in legacy system audits and proactive monitoring will become the benchmark for safe smart cities, while those ignoring legacy exposure could face both financial and physical damages. The era of “blind trust” in automated systems is ending—security will soon be a competitive advantage as much as a necessity.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.darkreading.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon