The Risky Road Bringing Building Management Systems Online: Exploring the CEA-852 Standard
ID: 86307385-9201-5977-a16e-c886ee95dab1
STIX ID: report--86307385-9201-5977-a16e-c886ee95dab1
Feed Name: Claroty Team82
This report analyzes security weaknesses in the CEA-852 (LonTalk-over-IP) protocol and its implementations (IP-852, RNI, LPA), describing a flawed MD5-based HMAC authentication, default or optional keys, and vendor-specific packet types that allow remote reboot and firmware push. The weaknesses enable offline brute-force of the 16-byte pre-shared key (or trivial exploitation when keys are default/disabled), creating remote attack vectors against building management gateways (EnOcean/Echelon, Loytec) that can lead to denial-of-service or full compromise of systems bridging BACnet, Modbus, HTTP and other networks.
