KNX-Security

KNX, the standard widely used for building management systems, is vulnerable. Antago's Erebos, the first professional KNX hacking tool, performs these attacks successfully and has thus turned dry theory into proven practice.

On the one hand, this results in various attack and damage scenarios; on the other hand, those scenarios have to be prevented. The following sections explain how Erebos works and how to protect KNX.

Security of building management systems and smart homes

The days of classical wiring are long past; control systems are the modern technology in buildings. One of the most widespread solutions in Europe, and indeed worldwide, is EIB (European Installation Bus) and its successor KNX. Such bus technologies allow functions to be created dynamically and make buildings smarter.

Besides simplifying the primary wiring, control systems make connecting the building to IT substantially easier. Controlling and monitoring buildings by computer is no longer a fantasy. How can we identify where risks arise?

How safe are building management systems?

Security is a frequently used term, but how can we define security in this context and what does it mean in the daily routine of installers, architects, visitors or owners in modern buildings?

To answer this question, we look at the potential attack vectors of building management systems.

Which attack vectors exist?

Basically, there are two attack vectors against building management systems: the bus itself and the controlling IT. Both must be considered in a security assessment. In detail, this means considering the following aspects:

IT

  • Network architecture

  • Supply isolation

  • Network access control

  • Firewalling

  • Patch management

  • Access to visualization

BUS

  • Network architecture

  • Supply isolation

  • Network access control

While attacks on IT infrastructures are daily business worldwide and are avoided, or at least contained, through various measures, attacks on the bus are different.

Because bus systems were developed for building control at the level of “bell wire”, their security has never been a subject. Attack scenarios have not been a research issue; thus adequate solutions have not been developed. The bus is consequently helpless when attacked by Erebos, unless you pay attention to several aspects when implementing your systems. But sometimes more security implies a possible limitation of function and comfort.

The wide gap between function and security

The security of a system almost always runs counter to its usability. If, for example, we wanted to control every light from every switch, an attacker would be able to do so as well. If the lights are on different lines, the switch also needs access to those lines to reach the relevant group addresses. Obviously, an attacker can then act across lines as well, with all the consequences!
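The trade-off described above can be audited at planning time. The following added example (not code from this page or from Antago) takes a constructed device inventory and lists which group addresses each line coupler would have to forward and which other lines thereby become reachable from each line. The inventory and the function names are hypothetical; it assumes line couplers filter telegrams by group address.

```python
from collections import defaultdict

# Constructed sample inventory: (individual address, group addresses the device uses).
DEVICES = [
    ("1.1.10", ["1/0/1"]),            # switch, office line
    ("1.1.11", ["1/0/1"]),            # light actuator, same line
    ("1.1.12", ["1/0/1", "1/0/9"]),   # "all off" switch that also drives another line
    ("1.2.20", ["1/0/9", "2/1/5"]),   # light actuator and door contact, second line
    ("1.3.30", ["2/1/5"]),            # alarm panel input, third line
]

def line_of(individual_address):
    """Return 'area.line' from an 'area.line.device' individual address."""
    area, line, device = (int(p) for p in individual_address.split("."))
    if not (0 <= area <= 15 and 0 <= line <= 15 and 0 <= device <= 255):
        raise ValueError(f"invalid individual address: {individual_address}")
    return f"{area}.{line}"

def filter_tables(devices):
    """Group addresses each line coupler must forward (those used on more than one line)."""
    lines_by_ga = defaultdict(set)
    for address, group_addresses in devices:
        for ga in group_addresses:
            lines_by_ga[ga].add(line_of(address))
    tables = defaultdict(set)
    for ga, lines in lines_by_ga.items():
        if len(lines) > 1:          # purely local group addresses stay on their line
            for line in lines:
                tables[line].add(ga)
    return dict(tables)

def cross_line_reach(devices):
    """For each line, the other lines that a telegram sent on it can reach."""
    tables = filter_tables(devices)
    return {
        line: sorted(other for other, other_gas in tables.items()
                     if other != line and gas & other_gas)
        for line, gas in tables.items()
    }

if __name__ == "__main__":
    for line, gas in sorted(filter_tables(DEVICES).items()):
        print(f"line {line}: coupler forwards {sorted(gas)}")
    for line, others in sorted(cross_line_reach(DEVICES).items()):
        print(f"line {line}: can reach lines {others}")
```

Every entry in the output is a comfort function that a device attached to that line could also use; a group address that stays on one line never appears.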

How real are attacks on building management systems?

The security of building management systems is currently an intensely debated topic. But what has really happened so far?

Few attacks on building management systems are publicly known. The reason, however, may be that no one is able to properly recognize such attacks.

Attacks on SCADA systems, which are more significant than building management systems, are comparable. Those systems control industrial installations, but their attack vectors are similar to those of building management systems. A large number of attacks on such systems have occurred in the past, as recent publications show.

More security for EIB/KNX

In the future, it will be important to recognize and strategically use the options EIB/KNX provides to address these issues. Logically, this has to begin at the planning stage of the systems. Antago therefore provides special training courses on EIB/KNX security.

Based on those results, manufacturers are interested in finding solutions for the security of EIB/KNX. With the development of our KNX hacking tools Erebos and Thanatos we would like to make a valuable contribution and draw even more attention to this topic!

Disclaimer

The components described above, called Thanatos and Erebos, are not for sale. This software has not been published and is not to be published. Furthermore, the technical details of those attacks are not to be published or communicated. The only intention of Thanatos and Erebos is to demonstrate the vulnerability of the EIB/KNX bus and, moreover, to derive defense mechanisms. There is no intention of compromising buildings merely because it is possible.

For further information please select the desired point below. Here you will also find the white papers available for download.

Further Information

Why hack a thermostat in a hotel?

After social media, online retail and automobiles, the new generation of "Internet things" is now being networked. In the "Internet of Things" (IoT), everything communicates with everything. Just without people. According to estimates, around 50 billion devices such as sensors, security cameras, vehicles and production machines will be networked with one another by 2020. In the hotel industry, too, we are seeing the first adoptions of IoT. Blinds and doors as well as entire guest-room management technologies have been controlled by building automation for years.
The biggest problem here is security.

So why hack a thermostat?

This article describes the vulnerability of buildings, including hotels, that use products based on the KNX protocol, which is estimated to be in use by more than 400 building automation manufacturers worldwide.

Vulnerabilities of the GIRA Home- and Facilityserver

Introduction

For several years, in the context of various research projects, Antago GmbH has been dealing with the security of EIB/KNX-based systems alongside classical digital penetration testing.

In 2014, as a result of this research, “Erebos” (http://bit.ly/1jWDDu5) was introduced at various security exhibitions as the first professional appliance for attacks against building management systems. This was preceded by many months of research and cooperation with manufacturers in the EIB/KNX sector. As the next “evolutionary step”, “Thanatos” (http://bit.ly/1jWDlxV) was subsequently published. Both attack tools require physical access to the building to be attacked. However, Antago succeeded in making Thanatos small enough to fit behind previously installed light switches.

This development enabled Alexander Dörsam, Head of Information Security at Antago, to present results on EIB/KNX security on international platforms, among them the VDS. Furthermore, a cooperation with VDS has started to develop standards for a “safe” EIB/KNX installation.

The vision

Despite the expanding capabilities of Erebos and Thanatos, one-time physical access to the building to be attacked was still required. The consequent next step would be to perform the same attacks on lighting, climate and alarm systems via the Internet. The vision would be to gain administrative access to thousands of building control systems via automated software.

One of the largest providers of smart buildings linked via the Internet is Gira. It was an obvious choice to analyze their product for vulnerabilities. Such an attack had not been executed up to this point; the topic was therefore highly topical and quite dangerous.

Tip:

The following parts of this statement do not deal with the issues of the KNX bus itself. If you are interested, you can consult the white papers at http://knx-security.de/. Instead, the following parts are about the vulnerability of the transition from KNX to IP-based systems.

For further information please download the White Paper.

Erebos - Antago's God of Darkness

Erebos - Antago's God of Darkness - KNX-Hacking-Tool

  • Developed in spring 2014 as a proof of concept to demonstrate the vulnerability of EIB/KNX-based systems
  • First public presentation at the Munich Security Expo on July 2nd, 2014 within the performance “Live hacking: attack vectors of building management systems”

  • Power-independent for up to one day

  • WLAN and UMTS port

  • Command and control function

  • Erebos control center for administration

  • “Hardened” with anti-forensic methods


Erebos is an independent system that attacks EIB/KNX directly. It combines common functions of established programs for controlling and managing EIB/KNX systems and extends them with a large number of attack programs. Erebos can run independently of external power and allows buildings to be remote-controlled via WLAN or UMTS. As a tool, Erebos is built from common electrical components and can be manufactured easily at low cost; moreover, it has been extended with command and control.

Thus, we created the possibility of controlling Erebos remotely via servers on the Internet. We are also able, e. g., to manage Erebos instances that have been “set into the wild” and to let them “decide for themselves”. Finally, for controlling all the compromised buildings or management systems, there is the so-called Erebos Control Center (ECC), which allows central management, status requests and the manipulation of any number of Erebos instances within buildings and management systems.

Erebos was created as a real attack tool, so it does not stop at attacking. Owing to Antago's background in IT forensics, especially Linux server forensics, Erebos is equipped with nearly everything that is technically possible in terms of anti-forensics.

Hence, Erebos ensures that the attacker's data remain inaccessible. Even if the victim discovered the hardware used, drawing conclusions about the initiator would be impossible (even with high to very high effort).

Videos, Blogs and (Web) Articles

Videos, Blogs and (Web) Articles on EIB/KNX