KNX International
KNX Secure
Joost Demarest - KNX Association
KNX security cases: Content of the presentation
1. Foreword
2. Listing of 4 of the known attack cases
3. Security updates of the KNX protocol
KNX Association International
KNX: The worldwide STANDARD for home & building control
Page No. 2 May 2014
KNX security cases: Foreword
• Conventional KNX communication is not secured.
• There is no encryption (confidentiality), no authentication, no duplication prevention.
• The major countermeasure is thus always to prevent access to the KNX installation (cables, devices, connected systems).
• With the growing use of IP in KNX installations, but also with simple KNX electronics (open source, Raspberry Pi etc.), accessing the KNX bus has become easier than ever.
• Countermeasures are possible, to make attacks more difficult or make them leave traces.
KNX security cases: The four known attacks against KNX: Case 1
Case 1: Security attack in hotel
The situation
[Diagram: some LAN with multicast @ 224.0.23.12 and port 3671 open; KNXnet/IP Router or Tunnelling Server(s); a TP Area with one TP Line per room (Room 1450, Room 1451, …, Room 1460), each with its end devices]
• KNX devices are used to control lighting, air conditioning, shutters, etc. in the hotel rooms. There is a KNXnet/IP backbone or main line.
• Guests are given a tablet with a “Butler app” to control the functions in their room. Guests are also given the key to a WiFi network to allow free Internet connection. So far, so good.
• This is the tablet for room 1451. It only accesses the functions of room 1451.
KNX security cases: The four known attacks against KNX: Case 1
Case 1: Security attack in hotel
What was observed?
[Diagram: the same hotel installation, with the hacker's laptop on the guest WiFi/LAN; multicast @ 224.0.23.12, port 3671 open]
• The hacker observes that the tablet only has a WiFi connection, so supposes this must be how the room is controlled.
• The WiFi appears protected, but the hacker tries out the WiFi key given to him to access the Internet from his laptop... This works.
• The hacker asks for a new hotel room and from that room, he can control the applications in his preceding room.
• The hacker sees that port 3671 is used. He googles it and finds this can be used by KNX.
KNX security cases: The four known attacks against KNX: Case 1
Countermeasures
1. Do not use the same LAN or WiFi for home or building automation as you are using for computer networks and other applications. Operate different LANs and WiFis to keep applications separated and keep control of access.
2. Do not give any network access key to somebody who should not have access.
3. Do not use the default system setup multicast address (224.0.23.12) for runtime communication (Routing). Do not use the default port 3671. Another multicast address does not make your installation more secure, but it makes it more difficult to identify and to reverse engineer.
KNX security cases: The four known attacks against KNX: Case 2
Case 2: Hacker device
The situation
[Diagram: TP Area with several TP Lines and end devices; a hacker device attached to one of the lines]
• A device is mounted in the installation.
• It listens passively to the bus and guesses the functionality of the Telegrams. Or it may actively discover the bus.
• It reports its findings over WiFi or UMTS.
• It can be controlled from remote and send Telegrams on the bus.
KNX security cases: The four known attacks against KNX: Case 2
Case 2: Hacker device
Considerations
[Diagram: the same TP Area with its TP Lines and end devices]
• The hacker needs physical access to the bus where he can hide this device (like a suspended ceiling, behind a push button ...).
• Data is transferred on KNX anonymously. Any concluded functionality has some uncertainty.
• It is claimed that anti-intrusion systems and automatic doors and gates can be controlled. These are not typical KNX applications.
KNX security cases: The four known attacks against KNX: Case 2
Countermeasures
1. Make sure that KNX devices and cables cannot be accessed.
  • KNX devices in the suspended ceiling, or in a distribution cabinet? Make sure that push buttons, movement detectors, etc. cannot be removed, or not without breaking them.
  • Use anti-theft clamps (push buttons, valves...). Or use push button interfaces (makes no bus available in wall boxes).
2. Observe bus traffic in the installation.
  • This will reveal the active discovery and the presence of an unknown device sending Telegrams.
  • Activate “Detection Individual Address usage” in the devices.
3. If the device is controlled over WiFi:
  • The hacker must be nearby.
  • Unknown WiFi showing up in or near your building?
KNX security cases: The four known attacks against KNX: Case 3
Case 3: Hacking a home from the outside
The situation
• The hacker gets access to the installation by dismounting an outside movement detector.
• He connects a spying device, which sends KNX Telegram information wirelessly to a laptop.
• By “finger print analysis”, the functionality of the installation is reverse engineered.
• The hacker can take over control of the home.
KNX security cases: The four known attacks against KNX: Case 3
Case 3: Hacking a home from the outside
Considerations
• The outside movement detector can be removed.
• It can be removed unnoticed.
• Apparently, all home communication can go in and out through this single external access.
KNX security cases: The four known attacks against KNX: Case 3
Countermeasures
1. Make sure that KNX devices and cables cannot be accessed.
  • See before.
2. Outside devices
  • should be in a dedicated Subnetwork (Line);
  • should have anti-tamper protection;
  • could be supervised.
3. Couplers (Line, Backbone and Media Couplers, and KNXnet/IP Routers) should be configured to
  • pass Telegrams per Group Address only in the direction they would normally go (only in or only out);
  • not pass any other group Telegram (use the Filter Table);
  • not pass any point-to-point Telegrams.
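As an added example of the coupler rule in point 3 (this is not code from the presentation or from the KNX Association), the Go code below models a coupler filter table that passes a group Telegram only in its configured direction and drops every point-to-point Telegram. It reads the control, source, destination and address-type octets of a TP1 standard frame; the directions, group addresses and frames used with it are constructed.

```go
package main

import "errors"

// Direction of a Telegram relative to the coupler between a main line and an outside line.
type Direction int

const (
	ToLine   Direction = iota // from the main line towards the outside line (e.g. a switch command)
	FromLine                  // from the outside line towards the main line (e.g. a presence report)
)

// Telegram holds the fields of a TP1 standard frame that a coupler filters on.
type Telegram struct {
	Src, Dst uint16
	IsGroup  bool // address type bit: 1 = group address, 0 = individual address (point-to-point)
}

// ParseTP1 reads control (octet 0), source (1-2), destination (3-4) and the AT/NPCI/length
// octet (5) of a TP1 standard frame; bit 7 of the control field is 1 for a standard frame.
func ParseTP1(f []byte) (Telegram, error) {
	if len(f) < 8 || f[0]&0x80 == 0 {
		return Telegram{}, errors.New("not a complete TP1 standard frame")
	}
	return Telegram{
		Src:     uint16(f[1])<<8 | uint16(f[2]),
		Dst:     uint16(f[3])<<8 | uint16(f[4]),
		IsGroup: f[5]&0x80 != 0,
	}, nil
}

// GroupAddr packs a three-level group address main/middle/sub (5, 3 and 8 bits).
func GroupAddr(main, middle, sub uint8) uint16 {
	return uint16(main&0x1f)<<11 | uint16(middle&0x07)<<8 | uint16(sub)
}

// FilterTable maps each group address to the single direction the coupler passes it in.
type FilterTable map[uint16]Direction

// Pass implements the Case 3 rule: point-to-point Telegrams never cross the coupler, and a
// group Telegram crosses only if its address is listed and only in the listed direction.
func (ft FilterTable) Pass(t Telegram, dir Direction) bool {
	if !t.IsGroup {
		return false
	}
	want, listed := ft[t.Dst]
	return listed && want == dir
}
```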
KNX security cases: The four known attacks against KNX: Case 4
Case 4: Hacking KNX via IP
The situation
• Iterate through all IPv4 unicast addresses worldwide and try to discover KNX services.
• Assume the same IP port number is used for discovery as well as for runtime.
• Access the found installations and try finding further open ports, like from a web server (visualisation via HTML).
• If authentication is required, supply default user names and passwords.
KNX security cases: The four known attacks against KNX: Case 4
Case 4: Hacking KNX via IP
The findings
[Diagram: KNXnet/IP messages unprotected on the Internet; multicast @ 224.0.23.12, port 3671 open; KNXnet/IP Router or Tunnelling Server(s), TP Area, Line Coupler, TP Line, End Device]
• 3 295 installations worldwide can be connected to, unprotected, over the Internet.
• Many (no number) allow additional access to other functionality (alarms, cameras...). Look closer.
KNX security cases: The four known attacks against KNX: Case 4
Countermeasures (1/2)
1. Allow Internet accessibility only over VPN connections.
2. Do not expose ports for discovery and configuration.
3. If usernames and passwords are supported, do not use the default ones, but use non-obvious values.
4. Explain these measures (to the LAN administrator or building user/owner) and document them!
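Both the hotel case (Case 1, port 3671 reachable from the guest network) and the Internet scan (Case 4, exposed discovery ports) begin with KNXnet/IP service requests, which is what a monitor on the automation LAN can watch for. As an added detection example (not code from the presentation or from the KNX Association), this Go code validates the 6-octet KNXnet/IP header of a UDP payload seen on port 3671 and flags discovery, connection and device-configuration requests from any host outside an allow-list of ETS workstations; the allow-list and the sample frames used with it are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Service type identifiers from the KNXnet/IP core, device management, tunnelling and routing parts.
const (
	SearchRequest       uint16 = 0x0201
	DescriptionRequest  uint16 = 0x0203
	ConnectRequest      uint16 = 0x0205
	DeviceConfigRequest uint16 = 0x0310
	TunnellingRequest   uint16 = 0x0420
	RoutingIndication   uint16 = 0x0530
)

// ServiceType validates the fixed 6-octet KNXnet/IP header (header length 0x06, protocol
// version 0x10, service type, total length) of a UDP payload seen on port 3671 and returns
// the service type identifier.
func ServiceType(pkt []byte) (uint16, error) {
	if len(pkt) < 6 || pkt[0] != 0x06 || pkt[1] != 0x10 {
		return 0, errors.New("not a KNXnet/IP 1.0 frame")
	}
	if total := binary.BigEndian.Uint16(pkt[4:6]); int(total) != len(pkt) {
		return 0, fmt.Errorf("header announces %d octets but %d were received", total, len(pkt))
	}
	return binary.BigEndian.Uint16(pkt[2:4]), nil
}

// Alert applies the Case 1 / Case 4 rule: discovery, connection and device-configuration
// requests are expected only from the ETS workstation(s) in allowed (a constructed allow-list).
// Runtime traffic such as routing indications between routers is not flagged by this rule.
// It returns an empty string when nothing is wrong.
func Alert(src string, pkt []byte, allowed map[string]bool) string {
	st, err := ServiceType(pkt)
	if err != nil {
		return "" // malformed or non-KNX payload: outside this rule's scope
	}
	switch st {
	case SearchRequest, DescriptionRequest, ConnectRequest, DeviceConfigRequest:
		if !allowed[src] {
			return fmt.Sprintf("KNXnet/IP service 0x%04x from unlisted host %s", st, src)
		}
	}
	return ""
}
```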
KNX security cases: The four known attacks against KNX: Case 4
Countermeasures (2/2)
[Diagram of the two recommended setups, each with KNXnet/IP Router or Tunnelling Server(s), TP Area, Line Coupler, TP Line and End Devices]
• RECOMMENDED A: KNXnet/IP messages only through a VPN connection, using a router with VPN functionality or a router plus a VPN server.
• RECOMMENDED B: http access to object data through a device connected to the Internet that reflects the status of (some) group objects.
KNX security cases: Further countermeasures
• Restrict communication over Line, Backbone and Media Couplers to what is necessary.
  • This will not prevent an attack, but it may reduce the possible impact and physical range.
• Observe and analyse bus traffic.
  • “Hacking devices” may show communication while reverse engineering the bus.
  • Look for unexpected Telegrams.
• Protect your devices with a BAU password.
  • The runtime communication may be hacked, but the devices cannot be modified.
• Check for changes in devices (PID_DEVICE_CONTROL, PID_DOWNLOAD_COUNTER). ...
KNX security cases: Finally …
1. There is no knowledge of any criminal hacking of a KNX installation.
  • The known cases are proofs of concept.
2. Additional countermeasures are possible.
KNX security cases: Security updates of the KNX protocol
1. Foreword
2. Listing of 4 of the known attack cases
3. Security updates of the KNX protocol
KNX security cases: Security updates of the KNX protocol – “Data security”
Unsecured communication
DVC1 GO 1 → [KNX Message] → DVC2 GO 1
• The payload is plain text.
Secured communication, authenticated
DVC1 GO 1 → [KNX Message | Sequence number/identifier | Authentication Code] → DVC2 GO 1
OK = trusted source + not modified + not replayed
• The payload is plain text here: maybe the contents are not secret (e.g. metering). Visualisations can see the data without further configuration.
• The addresses and other fields of the Telegram are sent in plain. Yet they are also protected by the MAC, which allows verifying that a Telegram has not been altered (except the hop count).
• The Sequence Number allows the receiver to detect if a Telegram is replayed.
• The Authentication Code (MAC) allows the receiver to verify the authenticity of the sender.
Secured communication, authenticated and encrypted
DVC1 GO 1 → [Encrypted content | Sequence number/identifier | Authentication Code] → DVC2 GO 1
OK = trusted source + not modified + not replayed + interpretable only with the keys
• The payload is encrypted. Only authorised receivers can decode the message. Visualisations need to get the keys assigned (from ETS) to be able to decode the message.
KNX security cases: Security updates of the KNX protocol – “Data security”: key setup
Keys involved: Factory Default Setup Key (FDSK), Tool key, Runtime keys. Parties: ETS Professional and KNX Device #1.
1) Input FDSK into ETS – not via bus – only visible to installer
2) ETS creates tool key per installation
3) Send tool key encrypted with FDSK to KNX device on the bus
4) Save FDSK – no longer used
5) ETS creates runtime keys
6) Distribute runtime keys encrypted with tool key via the bus
Supported in ETS 5.5 since May 2016 – devices under development by KNX members
KNX security cases: Security updates of the KNX protocol – KNX IP Secure
Multicast KNXnet/IP Routing
1. Encryption: AES128 CTR mode. Authentication: CBC-MAC
2. 6 octet group counter
[Diagram: two KNXnet/IP Routers or Tunnelling Servers with secured communication between them over IP; each with its TP Area, Line Coupler, TP Line and End Device, where communication on the TP lines stays unsecured]
Supported in ETS 5.5 since May 2016 – devices under development by KNX members
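To make the three checks of the “Data security” slide (trusted source, not modified, not replayed) concrete with the primitives named for KNX IP Secure, here is an added illustration in Go. It is not the KNX Secure specification's frame or nonce layout and not code from the presentation: a 6-octet counter is sent in clear, the payload is encrypted with AES-128-CTR, and a CBC-MAC over counter and ciphertext is appended; the receiver rejects a modified frame or one made with another key on the MAC check, and a replayed or out-of-order frame on the counter. The key, the IV layout and the payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// cbcMAC: 16-octet CBC-MAC (zero IV, zero padding). Simplified: CCM also binds the length.
func cbcMAC(b cipher.Block, data []byte) []byte {
	padded := append(append([]byte{}, data...), make([]byte, (16-len(data)%16)%16)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(b, make([]byte, 16)).CryptBlocks(out, padded)
	return out[len(out)-16:]
}

// Seal builds counter(6) || AES-128-CTR ciphertext || CBC-MAC(16) over counter and ciphertext.
// The counter must fit in 48 bits; the IV layout is constructed, not the specification's.
func Seal(key []byte, counter uint64, payload []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, 16) // CTR IV = 8 zero octets || 8-octet counter
	binary.BigEndian.PutUint64(iv[8:], counter)
	frame := append(iv[10:16:16], make([]byte, len(payload))...) // low 6 counter octets in clear
	cipher.NewCTR(b, iv).XORKeyStream(frame[6:], payload)
	return append(frame, cbcMAC(b, frame)...), nil // MAC binds counter and ciphertext
}

// Open verifies the MAC (trusted source, not modified), then requires the counter to exceed
// *last, the receiver's high-water mark for this sender (not replayed), before decrypting.
func Open(key []byte, last *uint64, frame []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(frame) < 22 || subtle.ConstantTimeCompare(cbcMAC(b, frame[:len(frame)-16]), frame[len(frame)-16:]) != 1 {
		return nil, errors.New("bad key, truncated frame or MAC mismatch (modified, or not sent with the group key)")
	}
	body := frame[:len(frame)-16]
	iv := append(make([]byte, 10), body[:6]...) // same IV the sender used
	seq := binary.BigEndian.Uint64(iv[8:])
	if seq <= *last {
		return nil, errors.New("replayed or out-of-order telegram")
	}
	*last = seq
	pt := make([]byte, len(body)-6)
	cipher.NewCTR(b, iv).XORKeyStream(pt, body[6:])
	return pt, nil
}
```

The counter is verified only after the MAC, so an attacker without the key cannot move the receiver's high-water mark forward by forging large counters.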
More info needed?
Visit the KNX Website
Brochures and presentation in our download section
Order our tools in MyKNX
Buy our eBooks on Amazon
http://www.knx.org | http://my.knx.org
Start@KNX
Enrol in our KNX Webinars
Follow a Certified KNX Course
Discover ETS5 via the eCampus
Join an Online Training Program
More info: http://start.knx.org
Join the worldwide KNX community
Join us!
Follow us on the social media
Find us at: http://.../KNXassociation
Thank you for your attention!
More information? Contact:
[email protected] +32 2 775 86 44