KNX International

KNX Secure

Joost Demarest - KNX Association

KNX security cases – Content of the presentation

1. Foreword
2. Listing of 4 of the known attack cases
3. Security updates of the KNX protocol

KNX Association International

KNX: The worldwide STANDARD for home & building control

Page No. 2 May 2014

KNX security cases – Foreword

• Conventional KNX communication is not secured.
  • There is no encryption (confidentiality), no authentication, no duplication prevention.
• The major countermeasure is thus always to prevent access to the KNX installation (cables, devices, connected systems).
• With the growing use of IP in KNX installations, but also with simple KNX electronics (open source, Raspberry Pi etc.), accessing the KNX bus has become easier than ever.
• Countermeasures are possible, to make attacks more difficult or to make them leave traces.


KNX security cases – The four known attacks against KNX: Case 1

Case 1: Security attack in hotel – The situation

[Diagram: a LAN carrying KNXnet/IP multicast at 224.0.23.12 with port 3671 open, connected through KNXnet/IP Router(s) or Tunnelling Server(s) to the TP Area; TP Lines with end devices for rooms 1450, 1451 and 1460. The tablet shown is the one for room 1451; it only accesses the functions of room 1451.]

• KNX devices are used to control lighting, air conditioning, shutters, etc. in the hotel rooms.
• There is a KNXnet/IP Backbone or Main Line.
• Guests are given a tablet with a “Buttler app” to control the functions in their room.
• Guests are also given the key to a WiFi network to allow free Internet connection.
• So far, so good.


KNX security cases – The four known attacks against KNX: Case 1

Case 1: Security attack in hotel – What was observed?

[Diagram: the same hotel topology as before (LAN with multicast 224.0.23.12 and port 3671 open, KNXnet/IP Router or Tunnelling Server(s), TP Area with TP Lines and end devices for rooms 1450, 1451 and 1460).]

• The hacker observes that the tablet only has a WiFi connection, so he supposes this must be how the room is controlled.
• The WiFi appears protected, but the hacker tries the WiFi key given to him for Internet access from his laptop... This works.
• The hacker asks for a new hotel room and, from that room, he can control the applications in his preceding room.
• The hacker sees that port 3671 is used. He googles it and finds this can be used by KNX.


KNX security cases – The four known attacks against KNX: Case 1

Countermeasures

1. Do not use the same LAN or WiFi for home or building automation as you are using for computer networks and other applications. Operate different LANs and WiFis to keep applications separated and to keep control of access.
2. Do not give any network access key to somebody who should not have access.
3. Do not use the default system setup multicast address (224.0.23.12) for runtime communication (Routing). Do not use the default port 3671. Another multicast address does not make your installation more secure, but it makes it more difficult to identify and to reverse engineer.


KNX security cases – The four known attacks against KNX: Case 2

Case 2: Hacker device – The situation

[Diagram: TP Area with three TP Lines and end devices.]

• A device is mounted in the installation.
• It listens passively to the bus and guesses the functionality of the Telegrams. Or it may actively discover the bus.
• It reports its findings over WiFi or UMTS.
• It can be controlled from remote and send Telegrams on the bus.


KNX security cases – The four known attacks against KNX: Case 2

Case 2: Hacker device – Considerations

[Diagram: TP Area with three TP Lines and end devices.]

• The hacker needs physical access to the bus where he can hide this device (like a suspended ceiling, behind a push button ...).
• Data is transferred on KNX anonymously. Any concluded functionality has some uncertainty.
• It is claimed that anti-intrusion systems and automatic doors and gates can be controlled. These are no typical KNX applications.


KNX security cases – The four known attacks against KNX: Case 2

Countermeasures

1. Make sure that KNX devices and cables cannot be accessed.
   • KNX devices in the suspended ceiling, or in a distribution cabinet?
   • Make sure that push buttons, movement detectors, etc. cannot be removed, or not without breaking them.
   • Use anti-theft clamps (push buttons, valves ...).
   • Or use push button interfaces (so that no bus is available in wall boxes).
2. Observe bus traffic in the installation.
   • This will reveal the active discovery and the presence of an unknown device sending Telegrams.
   • Activate “Detection Individual Address usage” in the devices.
3. If the device is controlled over WiFi:
   • The hacker must be nearby.
   • Unknown WiFi showing up in or near your building?


KNX security cases – The four known attacks against KNX: Case 3

Case 3: Hacking a home from the outside – The situation

• The hacker gets access to the installation by dismounting an outside movement detector.
• He again connects a spying device, which sends KNX Telegram information wirelessly to a laptop.
• By “finger print analysis”, the functionality of the installation is reverse engineered.
• The hacker can take over control of the home.


KNX security cases – The four known attacks against KNX: Case 3

Case 3: Hacking a home from the outside – Considerations

• The outside movement detector can be removed.
• It can be removed unnoticed.
• Apparently, all home communication can go in and out through this single external access.


KNX security cases – The four known attacks against KNX: Case 3

Countermeasures

1. Make sure that KNX devices and cables cannot be accessed.
   • See before.
2. Outside devices
   • should be in a dedicated Subnetwork (Line),
   • should have anti-tamper protection,
   • could be supervised.
3. Couplers (Line Couplers, Backbone Couplers, Media Couplers and KNXnet/IP Routers) should be configured to
   • pass Telegrams per Group Address only in the direction they would normally go (only in or only out),
   • not pass any other group Telegram – use the Filter Table,
   • not pass any point-to-point Telegrams.
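As an added example (not KNX Association code) in Go, the bus-traffic observation of Case 2 and the coupler rules of Case 3 applied to a line holding the outside devices: senders missing from the project's device inventory are reported, point-to-point telegrams are blocked, and a group telegram passes only in the direction the filter table allows. The addresses, inventory, filter table and `src -> dst Service` monitor lines are constructed for this example and are not the output of any KNX tool.

```go
package main

import "strings"

// Coupler guards one line (here the outside devices' line). Known is the project's device
// inventory; Filter maps a group address to the one direction it may pass: "out" or "in".
type Coupler struct {
	Line   string            // individual-address prefix of the guarded line, e.g. "1.3."
	Known  map[string]bool   // constructed inventory of individual addresses
	Filter map[string]string // "out" = line to backbone, "in" = backbone to line
}

// Inspect checks one telegram: report an unknown sender (Case 2); block
// point-to-point telegrams, unlisted group addresses and wrong-way group
// telegrams (Case 3). pass tells whether the coupler would forward it.
func (c Coupler) Inspect(src, dst, service string) (pass bool, findings []string) {
	if !c.Known[src] {
		findings = append(findings, "unknown sender "+src+" ("+service+" -> "+dst+")")
	}
	out := strings.HasPrefix(src, c.Line) // true when the telegram leaves the guarded line
	switch want, listed := c.Filter[dst]; {
	case strings.Contains(dst, "."): // individual destination address
		findings = append(findings, "blocked point-to-point telegram "+src+" -> "+dst)
	case !listed:
		findings = append(findings, "blocked group telegram to unlisted "+dst)
	case (want == "out") != out:
		findings = append(findings, "blocked "+dst+" from "+src+": filter table passes it only "+want)
	default:
		pass = true
	}
	return pass, findings
}

// Audit runs Inspect over monitor lines "src -> dst Service" and collects all findings.
func (c Coupler) Audit(log string) (findings []string) {
	for _, line := range strings.Split(log, "\n") {
		if f := strings.Fields(line); len(f) == 4 && f[1] == "->" {
			_, found := c.Inspect(f[0], f[2], f[3])
			findings = append(findings, found...)
		}
	}
	return findings
}

// SampleLog is constructed monitor output: detector 1.3.1 reporting (out), backbone device
// 1.1.5 switching the outside light (in), then unknown 1.3.9 probing and writing inside.
const SampleLog = `1.3.1 -> 2/1/0 GroupValueWrite
1.1.5 -> 2/0/3 GroupValueWrite
1.3.9 -> 1.1.5 DeviceDescriptorRead
1.3.9 -> 3/0/1 GroupValueWrite`
```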


KNX security cases – The four known attacks against KNX: Case 4

Case 4: Hacking KNX via IP – The situation

• Iterate through all IPv4 unicast addresses worldwide and try to discover KNX services. Assume the same IP port number is used for discovery as well as for runtime.
• Access the found installations and try finding further open ports, like from a web server (visualisation via HTML).
• If authentication is required, supply default user names and passwords.


KNX security cases – The four known attacks against KNX: Case 4

Case 4: Hacking KNX via IP – The findings

[Diagram: KNXnet/IP messages unprotected on the Internet; multicast 224.0.23.12, port 3671 open; KNXnet/IP Router or Tunneling Server(s), TP Area with TP Line, Line Coupler and End Device.]

• 3 295 installations worldwide can be connected to unprotected over the Internet.
• Many (no number) allow additional access to other functionality (alarms, cameras ...). Look closer.


KNX security cases – The four known attacks against KNX: Case 4

Countermeasures (1/2)

1. Allow Internet accessibility only over VPN connections.
2. Do not expose ports for discovery and configuration.
3. If usernames and passwords are supported, do not use the default ones, but use non-obvious values.
4. Explain these measures (to the LAN administrator or the building user or owner) and document them!


KNX security cases – The four known attacks against KNX: Case 4

Countermeasures (2/2)

[Diagram with two recommended architectures:
RECOMMENDED A – KNXnet/IP messages only through a VPN connection: a router with VPN functionality, or a router plus a VPN server, in front of the KNXnet/IP Router or Tunneling Server(s) and the TP Area (TP Lines, Line Couplers, End Devices).
RECOMMENDED B – HTTP access to object data: a device connected to the Internet reflects the status of (some) group objects.]


KNX security cases – Further countermeasures

• Restrict communication over Line, Backbone and Media Couplers to what is necessary.
• Observe and analyse bus traffic.
  • “Hacking devices” may show communication while reverse engineering the bus.
  • Look for unexpected Telegrams.
• Protect your devices with a BAU password.
  • This will not prevent an attack, but it may reduce the possible impact and physical range.
  • The runtime communication may be hacked, but the devices cannot be modified.
• Check for changes in devices (PID_DEVICE_CONTROL, PID_DOWNLOAD_COUNTER).
• ...


KNX security cases – Finally …

1. There is no knowledge of any criminal hacking of a KNX installation.
   • The known cases are proofs of concept.
2. Additional countermeasures are possible.


KNX security cases – Security updates of the KNX protocol

1. Foreword
2. Listing of 4 of the known attack cases
3. Security updates of the KNX protocol


KNX security cases – Security updates of the KNX protocol – “Data security”

[Diagram: three variants of a KNX Message sent from DVC1 (group object GO 1) to DVC2 (GO 1).]

Unsecured communication
• KNX Message with the payload in plain; no Authentication Code, no Sequence number.

Secured communication – Authenticated
• Telegram fields: KNX Message, Sequence number/identifier, Authentication Code.
• The payload is plain text here: maybe the contents are not secret (a.o. metering). Visualisations can see the data without further configuration.
• The Sequence Number allows the receiver to verify that a Telegram is not replayed.
• The Authentication Code (MAC) allows the receivers to verify the authenticity of the sender.
• The addresses and other fields of the Telegram are sent in plain. Yet, they are also protected by this MAC, which allows the receiver to detect if these would have been altered (except the hop count).
• OK = not modified + not replayed; OK = trusted source.

Secured communication – Encrypted
• Telegram fields: KNX Message, Sequence number/identifier, Authentication Code, Encrypted content.
• The payload is encrypted. Only authorised receivers can decode the message.
• Visualisations need to get the keys assigned (from ETS) to be able to decode the message.
• OK = not modified + not replayed + interpretable; OK = trusted source.
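The authenticated mode on this slide, worked through in Go as an added example (not KNX Association code and not the standardised KNX Data Secure frame layout): an AES-128 CBC-MAC covers the addresses, a 6-octet sequence number, the payload length and the payload, and the receiver rejects a stale sequence number before checking the MAC. The field layout, the 4-octet MAC and the 16-octet group key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Telegram in the slide's authenticated mode: plain addresses, 6-octet sequence number and payload, plus a 4-octet MAC (MAC length assumed).
type Telegram struct {
	Src, Dst     uint16
	Seq          uint64 // only the low 6 octets go on the wire
	Payload, MAC []byte
}

// cbcMAC is AES-128 CBC-MAC (zero IV, zero padding) over a header block with source, destination,
// sequence number and payload length, then the payload (hop count not covered); truncated to 4 octets.
func cbcMAC(key []byte, t Telegram) []byte {
	d := make([]byte, 16+(len(t.Payload)+15)/16*16)
	binary.BigEndian.PutUint16(d[0:], t.Src)
	binary.BigEndian.PutUint16(d[2:], t.Dst)
	binary.BigEndian.PutUint64(d[4:], t.Seq<<16) // low 6 octets of Seq into d[4:10]
	d[10] = byte(len(t.Payload))                 // makes the zero padding unambiguous
	copy(d[16:], t.Payload)
	blk, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(d, d)
	return d[len(d)-16 : len(d)-12]
}

// Secure is the sender side: stamp the (strictly increasing) sequence number and append the MAC; key is a 16-octet AES-128 group key.
func Secure(key []byte, src, dst uint16, seq uint64, payload []byte) Telegram {
	t := Telegram{Src: src, Dst: dst, Seq: seq, Payload: payload}
	t.MAC = cbcMAC(key, t)
	return t
}

// Accept runs the slide's checks in order: not replayed (sequence must exceed the last accepted),
// not modified and from a trusted key holder (MAC, constant-time compare). lastSeq advances only on success.
func Accept(key []byte, lastSeq *uint64, t Telegram) ([]byte, error) {
	if t.Seq <= *lastSeq {
		return nil, errors.New("replayed or stale sequence number")
	}
	if subtle.ConstantTimeCompare(t.MAC, cbcMAC(key, t)) != 1 {
		return nil, errors.New("authentication code mismatch: modified or untrusted source")
	}
	*lastSeq = t.Seq
	return t.Payload, nil
}
```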


KNX security cases – Security updates of the KNX protocol – “Data security”

[Diagram: key hierarchy Factory Default Setup Key (FDSK) → Tool key → Runtime keys, between ETS Professional and KNX Device #1.]

1) Input FDSK into ETS – not via bus – only visible to installer
2) ETS creates tool key per installation
3) Send tool key encrypted with FDSK to KNX device on the bus
4) Save FDSK – no longer used
5) ETS creates runtime keys
6) Distribute runtime keys encrypted with tool key via the bus

Supported in ETS 5.5 since May 2016 – devices under development by KNX members


KNX security cases – Security updates of the KNX protocol – KNX IP Secure

Multicast KNXnet/IP Routing
1. Encryption: AES128 CTR mode; Authentication: CBC-MAC
2. 6 octet group counter

[Diagram: two KNXnet/IP Routers or Tunneling Servers, each with a TP Area (Line Coupler, TP Line, End Device); secured communication between the routers, unsecured communication on the TP Lines.]

Supported in ETS 5.5 since May 2016 – devices under development by KNX members


More info needed?

Visit the KNX Website

Brochures and presentation in our download section

Order our tools in MyKNX

Buy our eBooks on Amazon

http://www.knx.org | http://my.knx.org

Start@KNX

Enrol in our KNX Webinars

Follow a Certified KNX Course

Discover ETS5 via the eCampus

Join an Online Training Program

More info: http://start.knx.org

Join the worldwide KNX community

Join us!


Follow us on the social media

Find us at: http://.../KNXassociation


Thank you for your attention!

More information? Contact: [email protected] +32 2 775 86 44