Building automation systems (BASs) rely heavily on general-purpose computers and communication protocols, which are often affected by security vulnerabilities. In this paper, we first analyze the attack surface of a real building automation system, based on the widely used KNX protocol and connected to a general-purpose IP network. To this end, we examine the vulnerabilities of KNX-based networks highlighted by previous research, which, however, did not corroborate its findings with experimental results. To verify the practical exploitability of these vulnerabilities and their potential impact, we implement a full-fledged testbed infrastructure that reproduces the typical deployment of a building automation system. On this testbed, we show the feasibility of a practical attack that leverages and combines the aforementioned vulnerabilities. We show the ease of reverse engineering the vendor-specific components of the KNX protocol. Our attack leverages the IP-to-KNX connectivity to send arbitrary commands, which the actuators execute. We conclude that the vulnerabilities highlighted by previous work are effectively exploitable in practice, with severe consequences. Although we use KNX as a target, our work can be generalized to other communication protocols, which are often characterized by similar issues. Finally, we analyze the countermeasures proposed in previous literature and reveal the limitations that prevent their adoption in practice. We suggest a practical stopgap measure to protect real KNX-based BASs from our attack.
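The attack path summarized above (IP-to-KNX connectivity carrying commands that the actuators execute, with no authentication in the frame) and the kind of stopgap check a defender can deploy on the IP side are made concrete by the following added example, which is not code from the paper or its testbed. It builds a KNXnet/IP ROUTING_INDICATION carrying a cEMI GroupValue_Write, decodes such frames as they appear on the standard KNXnet/IP routing multicast group 224.0.23.12:3671, and flags group writes whose source individual address is outside an allowlist. The field layouts follow the public KNXnet/IP and cEMI specification; the device addresses, the group address and the allowlist are constructed for illustration.

```python
"""Build and inspect KNXnet/IP routing frames carrying a GroupValue_Write.

Added example, not code from the paper. Field layouts follow the public
KNXnet/IP (routing) and cEMI specification; the addresses and the
TRUSTED_SOURCES allowlist below are constructed for illustration.
"""
import struct

KNX_MULTICAST = ("224.0.23.12", 3671)   # standard KNXnet/IP routing group
ROUTING_INDICATION = 0x0530             # KNXnet/IP service type identifier
L_DATA_IND = 0x29                       # cEMI message code L_Data.ind
APCI_GROUP_VALUE_WRITE = 0b0010         # 4-bit APCI code


def individual_address(area: int, line: int, device: int) -> int:
    """Encode area.line.device (e.g. 1.1.250) into its 16-bit wire form."""
    return (area << 12) | (line << 8) | device


def group_address(main: int, middle: int, sub: int) -> int:
    """Encode a 3-level group address main/middle/sub (e.g. 1/0/1)."""
    return (main << 11) | (middle << 8) | sub


def build_group_write(src: int, dst: int, value: int) -> bytes:
    """Build a ROUTING_INDICATION carrying a 6-bit GroupValue_Write.

    Nothing in this frame authenticates the sender: any host that can reach
    the multicast group can emit it, and IP routers forward it onto the bus.
    """
    if not 0 <= value < 64:
        raise ValueError("6-bit payload expected")
    # cEMI L_Data.ind: message code, additional-info length, ctrl1
    # (standard frame, normal priority), ctrl2 (group destination,
    # hop count 6), source, destination, NPDU length (1 octet of APCI+data)
    cemi = struct.pack(">BBBBHHB", L_DATA_IND, 0x00, 0xBC, 0xE0, src, dst, 1)
    # TPCI/APCI octets: APCI 0b0010 spreads over the two low bits of the
    # first octet (00) and the two high bits of the second (10 -> 0x80),
    # with the 6-bit value in the remaining bits of the second octet.
    cemi += bytes([0x00, 0x80 | value])
    header = struct.pack(">BBHH", 0x06, 0x10, ROUTING_INDICATION, 6 + len(cemi))
    return header + cemi


def parse_group_write(frame: bytes) -> dict:
    """Decode a routing frame; raise ValueError on anything unexpected."""
    if len(frame) < 17 or frame[0] != 0x06 or frame[1] != 0x10:
        raise ValueError("not a KNXnet/IP frame")
    service, total = struct.unpack(">HH", frame[2:6])
    if service != ROUTING_INDICATION or total != len(frame):
        raise ValueError("not a well-formed ROUTING_INDICATION")
    cemi = frame[6:]
    add_len = cemi[1]
    body = cemi[2 + add_len:]             # skip message code + additional info
    if len(body) < 9:
        raise ValueError("cEMI body too short")
    ctrl1, ctrl2, src, dst, npdu_len = struct.unpack(">BBHHB", body[:7])
    tpci, apci = body[7], body[8]
    is_group = bool(ctrl2 & 0x80)          # ctrl2 bit 7: destination is a group
    apci_code = ((tpci & 0x03) << 2) | (apci >> 6)
    if is_group:
        dst_str = f"{dst >> 11}/{(dst >> 8) & 0x7}/{dst & 0xFF}"
    else:
        dst_str = f"{dst >> 12}.{(dst >> 8) & 0xF}.{dst & 0xFF}"
    return {
        "src": f"{src >> 12}.{(src >> 8) & 0xF}.{src & 0xFF}",
        "dst": dst_str,
        "apci": apci_code,
        "value": apci & 0x3F,
    }


# Constructed allowlist of individual addresses that legitimately write to
# group addresses in this (hypothetical) installation.
TRUSTED_SOURCES = {"1.1.1", "1.1.2"}


def is_suspicious(frame: bytes) -> bool:
    """Stopgap check: flag a GroupValue_Write from an unknown source device."""
    info = parse_group_write(frame)
    return info["apci"] == APCI_GROUP_VALUE_WRITE and info["src"] not in TRUSTED_SOURCES


if __name__ == "__main__":
    # Constructed frame: an attacker-chosen source 1.1.250 switches 1/0/1 on.
    frame = build_group_write(individual_address(1, 1, 250), group_address(1, 0, 1), 1)
    print(frame.hex())
    print(parse_group_write(frame), "suspicious:", is_suspicious(frame))
```

The source address is attacker-controlled and the check is only a heuristic, which is why it is a stopgap rather than a countermeasure: it raises the bar against naive injection from the IP side and gives a monitoring point on the multicast group, but it does not replace authentication of the bus traffic.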