NDSS 2026
BACnet or “BADnet”? On the (In)Security of Implicitly Reserved Fields in BACnet
Qiguang Zhang, Junzhou Luo, Zhen Ling, Yue Zhang, Chongqing Lei, Christopher Morales, Xinwen Fu
Abstract

Building Automation Systems (BASs) are crucial for managing essential functions like heating, ventilation, air conditioning, and refrigeration (HVAC&R), as well as lighting and security in modern buildings. BACnet, a widely adopted open standard for BASs, enables integration and interoperability among heterogeneous devices. However, traditional BACnet implementations remain vulnerable to various security threats. While existing fuzzers have been applied to BACnet, their efficiency is limited, particularly due to the slow bus-based communication medium with low throughput. To address these challenges, we propose BACSFUZZ, a behavior-driven fuzzer aimed at uncovering vulnerabilities in BACnet systems. Unlike traditional fuzzing approaches focused on input diversity and execution path coverage, BACSFUZZ introduces the token-seize-assisted fuzzing technique, which leverages the token-passing mechanism of BACnet for improved fuzzing efficiency. The token-seize-assisted fuzzing technique proves highly effective in uncovering vulnerabilities caused by the misuse of implicitly reserved fields. We identify this issue as a common vulnerability affecting both BACnet and KNX, another major BAS protocol. Notably, the BACnet Association (ASHRAE) confirmed the presence of a protocol-level token-seize vulnerability, further validating the significance of this finding.

We evaluated BACSFUZZ on 15 BACnet and 5 KNX implementations from leading manufacturers, including Siemens, Honeywell, and Johnson Controls. BACSFUZZ improves fuzzing throughput by 272.49% to 776.01% over state-of-the-art (SOTA) methods. In total, 26 vulnerabilities were uncovered (18 in BACnet and 8 in KNX), each related to implicitly reserved fields. Of these, 24 vulnerabilities were confirmed by manufacturers, with 9 assigned CVEs.

growing smart building technology market. According to a ReportLinker forecast [1], the global BAS market is projected to reach $277 billion by 2027, driven by the increasing demand for energy efficiency, safety, and comfort. BACnet International [2] reports that BACnet holds a 77% global market share, with 1,539 official manufacturers worldwide [3], underscoring its critical role in this evolving sector. While many known threats to BACnet stem from the lack of security measures such as encryption and integrity in the specification, our study has identified a class of implicitly reserved fields that may introduce software and system security issues. Although the protocol carefully defines field names and their corresponding lengths, their practical utilization may not fully leverage the theoretical maximum capacities. For instance, the Actual Window Size field (as specified on Page 847 of the BACnet standard [4]) is designed to occupy 8 bits, yet its values are limited to the range between 0 and 0x7F (127), implicitly leaving the upper range unused (i.e., up to 0xFF or 255). If manufacturers fail to implement proper input validation, inputs beyond the expected range could trigger undefined behavior, resulting in data corruption, system crashes, or arbitrary code execution by attackers. Fuzzing is an intuitive and widely adopted approach for uncovering BAS vulnerabilities arising from poor input validation. However, existing techniques [5], which rely on random mutations and neglect BAS network transmission overhead, often suffer from inefficiency and limited effectiveness. We observe that BACnet devices commonly use the Master-Slave/Token-Passing (MS/TP) link layer, which suffers from extremely low data throughput. The low throughput exacerbates the inefficiencies of fuzzing BACnet. As a result, even well-crafted mutated inputs experience prolonged transmission times, significantly reducing overall fuzzing efficiency.

To address the inefficiency of fuzzing BACnet, we conducted a protocol-level analysis of MS/TP and identified the token-passing mechanism as the primary bottleneck. At any one time, only a single token exists on the network, and all devices must compete for it. Only the device holding the token is allowed to transmit. As a result, a fuzzer must acquire the token prior to transmitting mutated packets to the target, substantially limiting execution speed. Further analysis identified a critical protocol behavior: if the token holder detects unauthorized
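The implicitly reserved Actual Window Size field described above (8 bits on the wire, defined values only 0 to 0x7F) handled on the receiving side, as an added defender-side example that is not code from the paper or from any BACnet implementation. The segment window structure, the frame offset of the field and the sample bytes are assumptions constructed for illustration; the point is that the check compares the byte against the field's defined range rather than its encoded width, so a reserved value can never become an out-of-bounds index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Defined maximum from the page: the field is 8 bits wide, but only
 * 0..0x7F is used; 0x80..0xFF is implicitly reserved and never valid. */
#define ACTUAL_WINDOW_SIZE_MAX 0x7Fu

/* Hypothetical receive-side segment window, sized from the defined
 * maximum. A parser that trusts the 8-bit width and later uses the raw
 * byte as a bound would index received[] past its end for 0x80..0xFF. */
struct segment_window {
    uint8_t actual_window_size;                /* validated, 0..0x7F */
    bool    received[ACTUAL_WINDOW_SIZE_MAX];  /* one flag per segment slot */
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT = -1,       /* field lies outside the buffer */
    PARSE_RESERVED_VALUE = -2   /* byte is in the implicitly reserved range */
};

/* Read the Actual Window Size byte at `offset` and accept it only if it is
 * within the defined range, not merely within the 8-bit encoding. */
int parse_actual_window_size(const uint8_t *buf, size_t len, size_t offset,
                             struct segment_window *win)
{
    if (buf == NULL || win == NULL || offset >= len)
        return PARSE_TOO_SHORT;
    uint8_t raw = buf[offset];
    if (raw > ACTUAL_WINDOW_SIZE_MAX)
        return PARSE_RESERVED_VALUE;   /* reject 0x80..0xFF explicitly */
    memset(win->received, 0, sizeof win->received);
    win->actual_window_size = raw;
    return PARSE_OK;
}

/* Record that segment `seq` arrived. The bound is the validated window
 * size, so every index stays inside received[]. */
bool mark_segment_received(struct segment_window *win, uint8_t seq)
{
    if (win == NULL || seq >= win->actual_window_size)
        return false;
    win->received[seq] = true;
    return true;
}
```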