OTPulse

Johnson Controls IQ Wifi 6

Plan Patch · 8.3 · ICS-CERT ICSA-23-206-04 · Jul 25, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The IQ Wifi 6 gateway contains a weakness in its authentication mechanism (CWE-307) that allows an unauthorized user to gain account access through brute-force password attacks. Affected firmware versions are below 2.0.2. Johnson Controls has released firmware version 2.0.2 to address this vulnerability. The update can be deployed automatically to devices in the field or manually applied via the device's firmware update page using patch tag "iqwifi2.0.2".

What this means
What could happen
An attacker could gain unauthorized access to the IQ Wifi 6 device through repeated login attempts, potentially allowing them to modify building HVAC, security, or lighting control settings that depend on this gateway.
Who's at risk
Building systems operators and facility managers who rely on Johnson Controls IQ Wifi 6 devices for HVAC, lighting, or security control. Any organization using this gateway in building automation systems, particularly those with network-accessible management interfaces.
How it could be exploited
An attacker with network access to the device's management interface performs a brute-force attack against the authentication mechanism, submitting many password guesses until gaining valid credentials. Once authenticated, the attacker can reconfigure or control systems connected through the IQ Wifi 6 gateway.
Prerequisites
  • Network access to the IQ Wifi 6 device management interface (typically HTTP/HTTPS on port 80 or 443)
  • No valid credentials required to initiate the brute-force attack
  • Remotely exploitable
  • No authentication required to attempt attack
  • Low complexity attack
  • Affects building control systems (HVAC, lighting, security)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: IQ Wifi 6 (Firmware: < 2.0.2)
Affected Versions: < 2.0.2
Fix Status: 2.0.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IQ Wifi 6 management interface using firewall rules; allow connections only from authorized engineering workstations or administrative subnets
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade IQ Wifi 6 firmware to version 2.0.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the IQ Wifi 6 device and connected building systems from the general business network and Internet
HARDENING: Disable remote access to the device unless absolutely necessary; if required, enforce access only through a VPN with strong authentication
API: /api/v1/advisories/3276f337-e57d-47d8-8915-ae93a7ddf44b