Presented at DEF CON 29 (2021), Aug. 7, 2021, 2 p.m. (45 minutes).
Building Management Systems (BMS) control a myriad of devices such as lighting, shutters and HVAC. KNX (and by extension KNXnet/IP) is a common protocol used to interact with these BMS. However, public understanding and awareness of it are lacking and effective tooling is scarce, even as the BMS device market keeps growing.
The ability to craft arbitrary KNXnet/IP frames to interact with these often-insecure BMS provides an excellent opportunity for uncovering vulnerabilities both in implementations of KNX and in the protocol itself. From unpacking KNX at a lower level, to using a Python-based protocol crafting framework we developed to interact with KNXnet/IP implementations, in this talk we'll go on a journey of discovering how BMS that implement KNXnet/IP work, as well as how to interact with and fuzz them.
After this talk you could also claim that "the pool on the roof has a leak"!
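As an added example (not code from the talk and not the speaker's framework), the following stdlib-only Python sketch shows the layer the abstract refers to: it builds a KNXnet/IP SEARCH_REQUEST from the 6-byte header plus an HPAI structure, parses the header strictly, and generates the length and version mutations one would send first when fuzzing a gateway. The constants follow the KNXnet/IP core specification (header length 0x06, protocol version 0x10, UDP port 3671, discovery multicast 224.0.23.12); the helper names and the sample address 192.168.1.10 are assumptions, and the frame sent in `__main__` is a constructed input.

```python
# Added example, not the speaker's tooling: build and strictly parse KNXnet/IP
# frames using only the Python standard library. Helper names are hypothetical.
import socket
import struct

KNXIP_HEADER_LEN = 0x06          # header size is fixed at 6 bytes
KNXIP_VERSION = 0x10             # protocol version 1.0
KNXIP_PORT = 3671                # standard KNXnet/IP UDP port
KNXIP_MULTICAST = "224.0.23.12"  # system setup multicast address

# KNXnet/IP core service type identifiers (subset)
SEARCH_REQUEST = 0x0201
SEARCH_RESPONSE = 0x0202
DESCRIPTION_REQUEST = 0x0203
CONNECT_REQUEST = 0x0205
CONNECTIONSTATE_REQUEST = 0x0207
DISCONNECT_REQUEST = 0x0209

HPAI_LEN = 0x08                  # Host Protocol Address Information structure length
HPAI_IPV4_UDP = 0x01             # host protocol code for IPv4/UDP


def build_hpai(ip: str, port: int = KNXIP_PORT) -> bytes:
    """HPAI: structure length, host protocol code, IPv4 address, UDP port."""
    return struct.pack("!BB4sH", HPAI_LEN, HPAI_IPV4_UDP, socket.inet_aton(ip), port)


def build_frame(service_type: int, body: bytes) -> bytes:
    """Prefix a service body with the KNXnet/IP header; total length counts both."""
    total = KNXIP_HEADER_LEN + len(body)
    return struct.pack("!BBHH", KNXIP_HEADER_LEN, KNXIP_VERSION, service_type, total) + body


def build_search_request(control_ip: str, control_port: int = KNXIP_PORT) -> bytes:
    """SEARCH_REQUEST = header + HPAI telling gateways where to send SEARCH_RESPONSE."""
    return build_frame(SEARCH_REQUEST, build_hpai(control_ip, control_port))


def parse_header(frame: bytes) -> dict:
    """Strict header parse: reject what a conformant receiver should not trust."""
    if len(frame) < KNXIP_HEADER_LEN:
        raise ValueError("frame shorter than KNXnet/IP header")
    hlen, version, service_type, total = struct.unpack("!BBHH", frame[:KNXIP_HEADER_LEN])
    if hlen != KNXIP_HEADER_LEN:
        raise ValueError(f"bad header length {hlen:#x}")
    if version != KNXIP_VERSION:
        raise ValueError(f"unsupported protocol version {version:#x}")
    if total != len(frame):  # one datagram carries exactly one frame
        raise ValueError(f"total length {total} does not match datagram size {len(frame)}")
    return {"service_type": service_type, "total_length": total, "body": frame[KNXIP_HEADER_LEN:]}


def parse_hpai(data: bytes) -> dict:
    """Decode one HPAI structure (the whole body of a SEARCH_REQUEST)."""
    if len(data) < HPAI_LEN:
        raise ValueError("truncated HPAI")
    length, proto, addr, port = struct.unpack("!BB4sH", data[:HPAI_LEN])
    if length != HPAI_LEN or proto != HPAI_IPV4_UDP:
        raise ValueError("unexpected HPAI length or host protocol")
    return {"ip": socket.inet_ntoa(addr), "port": port}


def is_rejected(frame: bytes) -> bool:
    """True when the strict parser refuses the frame."""
    try:
        parse_header(frame)
    except ValueError:
        return True
    return False


def header_mutants(frame: bytes) -> list:
    """Length/version mutations of a valid frame: the first cases to send when
    fuzzing a KNXnet/IP listener. Each mutant keeps the original service body."""
    _, _, service_type, total = struct.unpack("!BBHH", frame[:KNXIP_HEADER_LEN])
    body = frame[KNXIP_HEADER_LEN:]
    variants = [
        (0x07, KNXIP_VERSION, total),                   # wrong header length
        (KNXIP_HEADER_LEN, 0x20, total),                # unknown protocol version
        (KNXIP_HEADER_LEN, KNXIP_VERSION, 0x0000),      # zero total length
        (KNXIP_HEADER_LEN, KNXIP_VERSION, total - 1),   # off-by-one short
        (KNXIP_HEADER_LEN, KNXIP_VERSION, 0xFFFF),      # claims more data than sent
    ]
    return [struct.pack("!BBHH", h, v, service_type, t) + body for h, v, t in variants]


def send_and_collect(frame: bytes, dst=(KNXIP_MULTICAST, KNXIP_PORT), timeout: float = 2.0) -> list:
    """Send one frame over UDP and return the raw datagrams received before the timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(frame, dst)
        try:
            while True:
                data, _ = sock.recvfrom(2048)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # Constructed input: ask gateways to answer at 192.168.1.10:3671 (assumed address).
    req = build_search_request("192.168.1.10")
    print(req.hex())  # 06100201000e0801c0a8010a0e57
    for reply in send_and_collect(req):
        print(hex(parse_header(reply)["service_type"]), reply.hex())
```

The parser insists that the header's total length equals the datagram size; a gateway that accepts the mutants in `header_mutants` without complaint is exactly the kind of implementation worth spending more fuzzing time on.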
REFERENCES:
KNX Standard v2.1
https://my.knx.org/fr/shop/knx-specifications?product_type=knx-specifications
Scapy
https://github.com/secdev/scapy
KNXmap
https://github.com/takeshixx/knxmap
Papers & talks:
(In)Security in Building Automation: How to Create Dark Buildings with Light Speed
Thomas Brandstetter and Kerstin Reisinger
Presented at Black Hat USA 2017
https://www.blackhat.com/docs/us-17/wednesday/us-17-Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed-wp.pdf
Hacking Intelligent Building - Pwning KNX & ZigBee Networks
HuiYu Wu and YuXiang Li (Tencent)
Presented at HITB Amsterdam 2018
https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20YuXiang%20Li,%20HuiYu%20Wu%20&%20Yong%20Yang%20-%20Hacking%20Intelligent%20Buildings%20-%20Pwning%20KNX%20&%20ZigBee%20Networks.pdf
Security in KNX or how to steal a skyscraper
Egor Litvinov
Presented at ZeroNights 2015
http://2015.zeronights.org/assets/files/20-Litvinov.pdf
HVACking: Understanding the Delta Between Security and Reality
Douglas McKee and Mark Bereza
Presented at DEF CON 27 (2019)
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hvacking-understanding-the-delta-between-security-and-reality/
Anomaly Detection in BACnet/IP managed Building Automation Systems
Matthew Peacock (thesis, 2019)
https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=3180&context=theses
Presenters:
Claire Vacherot - Senior Security Auditor @ Orange Cyberdefense
Claire Vacherot is a pentester at Orange Cyberdefense. She likes to test systems and devices that interact with the real world and is particularly interested in industrial and embedded device cybersecurity. As a former software developer, she never misses a chance to write scripts and tools.