A researcher has discovered over 100 vulnerabilities in building management and access control systems from four major vendors. An attacker can exploit these flaws to gain full control of impacted products and manipulate the systems connected to them.

Roughly one year ago, Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, started analyzing building management (BMS), building automation (BAS) and access control products from Nortek, Prima Systems, Optergy, and Computrols. Krstic summarized his findings last month at SecurityWeek’s ICS Cyber Security Conference in Singapore and Applied Risk has now published advisories for each of the impacted products.

All of the impacted vendors released patches for their products after being notified by Applied Risk, except for Nortek, which appears to have a poor process for reporting vulnerabilities. The company at one point told SecurityWeek that the issues identified by Applied Risk had already been patched, despite the company not receiving the actual details of the flaws — Applied Risk said it did not receive a response from Nortek after requesting a PGP key.