Critical Vulnerabilities in Building Management Systems Expose Infrastructure to Cyberattacks
Research from Claroty’s Team82 reveals that the widespread adoption of the CEA-852 standard, which enables legacy protocols like LonTalk to operate over IP networks, has significantly expanded the attack surface for building management systems (BMS). While this shift enhances flexibility and interoperability, it also introduces severe cybersecurity risks, including unauthorized access, traffic manipulation, and remote exploitation when security controls are weak or absent.
The findings, detailed in The Risky Road Bringing Building Management Systems Online, highlight systemic vulnerabilities in smart buildings. Three-quarters of organizations using BMS are affected by known exploited vulnerabilities, and over half expose these systems to the internet, an exposure often linked to ransomware attacks. Since BMS control critical functions like HVAC, energy, and physical security, their compromise could disrupt operations or serve as a gateway for deeper infiltration into enterprise and critical infrastructure networks.
Key Vulnerabilities in CEA-852 Implementations
The CEA-852 standard supports three variants, IP-852, RNI, and LPA, each differing in packet types, payload formats, and HMAC signing algorithms. While RNI and LPA share similarities, IP-852 stands apart with distinct packet structures and authentication methods.
- IP-852 packets (protocol code 0x01) include standard (vendor-neutral) and proprietary (vendor-specific) types. Standard packets handle core functions like LonTalk encapsulation and device queries, while proprietary packets used by vendors like Echelon (0x01) and Loytec (0x02) enable advanced features such as remote reboots, firmware updates, and NAT configuration.
- HMAC authentication, based on MD5 and a 16-byte pre-shared key, is used to verify packet integrity. However, many devices disable HMAC entirely or use default keys (e.g., all-zero values), making it trivial for attackers to forge valid messages.
Exploitable Weaknesses in RNI/LPA and Loytec Devices
- RNI (0x03) and LPA (0x04) packets share identical structures but differ in response handling. Analysis of compiled libraries (e.g., libRNI.so, libLSPA.so) revealed that KEEP_ALIVE packets (type 0x00) enforce payload constraints, rejecting malformed or manipulated messages.
- HMAC recovery is possible via offline brute-force attacks using a single captured packet, even without direct interaction with the target.
- Loytec-specific packets (vendor code 0x02) contain unauthenticated reboot commands (type 0x90), allowing attackers to trigger denial-of-service (DoS) conditions by forcing controller restarts. Additionally, researchers identified methods to bypass internal security mechanisms, enabling unauthorized modification of core device configurations.
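The two weaknesses above (HMAC disabled or signed with a default all-zero key, and the Loytec reboot type 0x90 carrying no authentication) can be audited from captured traffic alone. The following is an added example, not code from Claroty or any vendor; it assumes a simplified packet model (proto, vendor, type, flags, body, optional trailing HMAC-MD5) that is a constructed stand-in for the real CEA-852 layout, and checks a captured packet against the weak-key cases the research describes.

```python
import hmac
import hashlib

# Constructed, simplified packet model used only for this audit (an assumption,
# not the CEA-852 wire format): proto(1) | vendor(1) | type(1) | flags(1) | body
# | [16-byte HMAC-MD5 over everything before it, present when flags & 0x01].
HMAC_PRESENT = 0x01
MAC_LEN = 16
# Weak keys the research warns about: all-zero default; all-0xFF added as a guess.
WEAK_KEYS = {"all-zero": bytes(16), "all-ff": b"\xff" * 16}
LOYTEC, LOYTEC_REBOOT = 0x02, 0x90   # vendor code and reboot type from the page

def mac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def build_packet(vendor, ptype, body, key=None, proto=0x01):
    """Constructed sample packet; key=None emits an unauthenticated packet."""
    flags = HMAC_PRESENT if key is not None else 0
    head = bytes([proto, vendor, ptype, flags]) + body
    return head + mac_md5(key, head) if key is not None else head

def audit(pkt: bytes) -> list:
    """Defender-side findings for one captured packet, in a fixed order."""
    findings = []
    if len(pkt) < 4:
        return ["truncated"]
    proto, vendor, ptype, flags = pkt[:4]
    if vendor == LOYTEC and ptype == LOYTEC_REBOOT:
        findings.append("loytec-reboot")     # reboot command type on the wire
    if not flags & HMAC_PRESENT:
        findings.append("no-hmac")           # integrity protection disabled
        return findings
    signed, mac = pkt[:-MAC_LEN], pkt[-MAC_LEN:]
    # Offline check using only the captured bytes: a match under a known weak
    # key means the deployment signs with a guessable key and should rotate it.
    for name, key in WEAK_KEYS.items():
        if hmac.compare_digest(mac_md5(key, signed), mac):
            findings.append(f"weak-key:{name}")
            break
    else:
        findings.append("signed-not-weak")   # not in the weak list; not proof of strength
    return findings

# Constructed sample capture (vendor/type values other than Loytec 0x90 are made up).
SAMPLES = {
    "unauth-query": build_packet(0x00, 0x00, b"\x10\x20"),
    "default-key": build_packet(0x01, 0x00, b"\x01", key=bytes(16)),
    "reboot": build_packet(LOYTEC, LOYTEC_REBOOT, b""),
    "strong": build_packet(0x00, 0x00, b"\x10", key=bytes(range(16))),
}
```

Running `audit` over each entry in `SAMPLES` yields the finding set a monitoring rule would alert on; only the "strong" packet passes, and even that result says nothing about key quality beyond the weak list.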
Real-World Impact
The research underscores that insecure BMS deployments are already widespread, with many devices publicly exposed and lacking basic protections. Attackers could exploit these flaws to disrupt building operations, manipulate environmental controls, or pivot into broader network infrastructure, posing risks to hospitals, data centers, and industrial facilities.
Claroty’s findings serve as a critical warning: as legacy BMS protocols transition to IP-based networks, organizations must address design weaknesses, enforce HMAC authentication, and restrict internet exposure to mitigate escalating cyber threats.
LOYTEC cybersecurity rating report: https://www.rankiteo.com/company/loytec-electronics-gmbh
Record id: LOY1775838976
Link id: loytec-electronics-gmbh
Record type: Vulnerability
Date: 2/2026
Severity: 100
Impact: 5
Explanation: Attack threatening the organization's existence
Affected entities: industries Facility Management, Healthcare, Data Center Operations, Industrial; entity types Organizations Using BMS, Hospitals, Data Centers, Industrial Facilities
Attack vector: Network Exploitation, Remote Access, Traffic Manipulation
Description: Research from Claroty’s Team82 reveals that the widespread adoption of the CEA-852 standard, enabling legacy protocols like LonTalk to operate over IP networks, has expanded the attack surface for building management systems (BMS). This introduces severe cybersecurity risks, including unauthorized access, traffic manipulation, and remote exploitation when security controls are weak or absent. The findings highlight systemic vulnerabilities in smart buildings, with three-quarters of organizations using BMS affected by known exploited vulnerabilities and over half exposing these systems to the internet, often linked to ransomware attacks. Since BMS control critical functions like HVAC, energy, and physical security, their compromise could disrupt operations or serve as a gateway for deeper infiltration into enterprise and critical infrastructure networks.
Impact: operational impact Disruption of Building Operations, Denial-of-Service (DoS) Conditions; systems affected Building Management Systems (BMS), HVAC Systems, Energy Management Systems, Physical Security Systems
Lessons learned: The transition of legacy BMS protocols to IP-based networks introduces significant cybersecurity risks. Organizations must address design weaknesses, enforce HMAC authentication, and restrict internet exposure to mitigate threats.
Post-incident analysis: corrective actions Enforce HMAC authentication, Restrict internet exposure of BMS devices, Address design flaws in CEA-852 implementations; root causes Widespread adoption of CEA-852 standard without adequate security controls, Disabled or weak HMAC authentication, Default pre-shared keys, Unauthenticated reboot commands in vendor-specific implementations
Recommendations: Enforce HMAC authentication for CEA-852 implementations; Restrict internet exposure of BMS devices; Address design weaknesses in CEA-852 and vendor-specific protocols; Monitor for unauthorized access or traffic manipulation; Implement network segmentation to limit lateral movement
References: Claroty Team82
Response: remediation measures Enforce HMAC Authentication, Restrict Internet Exposure, Address Design Weaknesses in CEA-852 Implementations
Title: Critical Vulnerabilities in Building Management Systems Expose Infrastructure to Cyberattacks
Type: Vulnerability Disclosure, Exploitation Risk
Vulnerability exploited: CEA-852 Standard Weaknesses, Disabled HMAC Authentication, Default Pre-Shared Keys, Unauthenticated Reboot Commands