BACnet or "BADnet"? On the (In)Security of Implicitly Reserved Fields in BACnet

Qiguang Zhang

Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Attacks

**Building Automation Systems (BAS)** control heating, ventilation, air conditioning, lighting, security subsystems, and door locks in commercial buildings worldwide, with the **BACnet protocol** commanding over **70% market share**. Yet the security of BACnet device implementations has received surprisingly little scrutiny, in part because traditional fuzzing approaches face severe challenges: no source code access, no firmware availability, no internal state visibility, and physical-layer throughput constraints that throttle packet transmission to just a few packets per second. This talk introduces **BACFuzz**, the first protocol-behavior-driven fuzzer for BAS devices, which uses **LLM-assisted specification parsing** to automatically identify error-prone "implicitly reserved fields" in the BACnet protocol, bypasses the **MS/TP token-passing** mechanism to achieve a **700% throughput improvement**, and uncovers **26 vulnerabilities** across **20 devices from 9 vendors**, with **24 confirmed** and **9 assigned CVEs**. One finding was acknowledged by the BACnet community as a **protocol-level flaw** in the MS/TP specification itself.
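The talk's thesis is that bugs cluster in fields a device implementation never expects to be non-default. The defensive counterpart is a parser that refuses such input up front. The following is an added example (not code from the talk, the BACFuzz project, or any vendor): a strict BACnet NPDU header parser that rejects non-zero reserved control bits and bounds-checks every length field before trusting it. The frame layout follows the public NPDU format (version octet, control octet, optional DNET/DLEN/DADR, optional SNET/SLEN/SADR, hop count, network message type); the sample frames are constructed here for illustration and are not from the paper.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bit assignments of the NPDU control octet.
CTRL_NETWORK_MSG = 0x80   # bit 7: NSDU carries a network-layer message
CTRL_RESERVED_6 = 0x40    # bit 6: reserved, shall be zero
CTRL_DEST_SPEC = 0x20     # bit 5: DNET / DLEN / DADR / hop count present
CTRL_RESERVED_4 = 0x10    # bit 4: reserved, shall be zero
CTRL_SRC_SPEC = 0x08      # bit 3: SNET / SLEN / SADR present
CTRL_RESERVED = CTRL_RESERVED_6 | CTRL_RESERVED_4

NPDU_VERSION = 0x01


class NpduError(ValueError):
    """Raised for any frame the strict parser will not accept."""


@dataclass
class Npdu:
    control: int
    dnet: Optional[int] = None
    dadr: Optional[bytes] = None
    hop_count: Optional[int] = None
    snet: Optional[int] = None
    sadr: Optional[bytes] = None
    message_type: Optional[int] = None
    vendor_id: Optional[int] = None
    payload: bytes = b""


def parse_npdu(buf: bytes, strict: bool = True) -> Npdu:
    """Parse an NPDU, failing closed on reserved bits and bad lengths.

    strict=False keeps the length checks but tolerates reserved bits, which is
    the permissive behaviour many implementations default to.
    """
    pos = 0

    def take(n: int, what: str) -> bytes:
        # Every length-driven read goes through here, so a DLEN/SLEN larger
        # than the remaining buffer is rejected rather than read past the end.
        nonlocal pos
        if pos + n > len(buf):
            raise NpduError(f"truncated frame while reading {what}")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    version = take(1, "version")[0]
    if version != NPDU_VERSION:
        raise NpduError(f"unsupported NPDU version {version:#04x}")
    ctrl = take(1, "control")[0]
    if strict and ctrl & CTRL_RESERVED:
        raise NpduError(f"reserved control bits set: {ctrl & CTRL_RESERVED:#04x}")
    npdu = Npdu(control=ctrl)

    if ctrl & CTRL_DEST_SPEC:
        npdu.dnet = struct.unpack(">H", take(2, "DNET"))[0]
        dlen = take(1, "DLEN")[0]
        # DLEN of zero denotes a broadcast on DNET; anything else is a MAC address.
        npdu.dadr = take(dlen, "DADR")

    if ctrl & CTRL_SRC_SPEC:
        npdu.snet = struct.unpack(">H", take(2, "SNET"))[0]
        slen = take(1, "SLEN")[0]
        if slen == 0:
            raise NpduError("SLEN of zero is not a valid source address")
        npdu.sadr = take(slen, "SADR")

    if ctrl & CTRL_DEST_SPEC:
        npdu.hop_count = take(1, "hop count")[0]

    if ctrl & CTRL_NETWORK_MSG:
        npdu.message_type = take(1, "message type")[0]
        # Message types 0x80 and above are vendor-proprietary and carry a vendor id.
        if npdu.message_type >= 0x80:
            npdu.vendor_id = struct.unpack(">H", take(2, "vendor id"))[0]

    npdu.payload = buf[pos:]
    return npdu


# Constructed sample frames (not captured traffic):
# routed frame to DNET 5, MS/TP address 7, hop count 255, two-byte APDU payload
FRAME_OK = bytes([0x01, 0x24, 0x00, 0x05, 0x01, 0x07, 0xFF, 0x10, 0x08])
# reserved bit 6 set in the control octet
FRAME_RESERVED = bytes([0x01, 0x40, 0x00])
# DLEN claims 3 address bytes but only one follows
FRAME_SHORT = bytes([0x01, 0x20, 0x00, 0x05, 0x03, 0x01])
# SLEN of zero
FRAME_BAD_SLEN = bytes([0x01, 0x08, 0x00, 0x01, 0x00])


def classify(frame: bytes) -> str:
    """Return 'ok' or the rejection reason, for use in a receive-path log."""
    try:
        parse_npdu(frame)
        return "ok"
    except NpduError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, frame in [("ok", FRAME_OK), ("reserved", FRAME_RESERVED),
                        ("short", FRAME_SHORT), ("bad_slen", FRAME_BAD_SLEN)]:
        print(f"{name:9s} {frame.hex():24s} {classify(frame)}")
```

The design choice worth noting is that every variable-length read is funnelled through one bounds-checked helper, so a hostile DLEN or SLEN cannot move the cursor past the buffer; the reserved-bit check is kept separate so that a deployment can log violations in permissive mode before switching to rejecting them.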

AI review

A creative and practical fuzzing approach for building automation systems that identifies error-prone fields via LLM-assisted specification parsing, exploits the MS/TP token-passing mechanism for a 700% throughput boost, and uncovers 26 vulnerabilities across 20 commercial BAS devices. The finding that 100% of bugs cluster in implicitly reserved fields is a genuinely useful insight for industrial protocol security.
