Black Hat Europe 2025: Was that device designed to be on the internet at all?

“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025. I am sure you will appreciate why these few words sparked my interest enough to dedicate time to the presentation; especially given that back in 2019 I delivered a talk on the evolving risk of smart buildings at Segurinfo in Argentina.

The talk at Black Hat, delivered by Gjoko Krstic of Zero Science Lab, focused on one vendor of building management systems and how the evolution of one of their products through various acquisitions caused it to end up being an incredibly vulnerable piece of software. In summary, the talk highlighted that there are over 1,000 buildings around the world that use the vendor’s building management system (BMS) running on a software platform with a long list of vulnerabilities. Compounding the issue, the software is hosted on public-facing IP ...