 Thanks guys for coming to see my talk on uh building automation. Um this talk is really meant to introduce you to probably uh a different type of control systems that maybe some of you have worked with already or have been exposed to. Uh that are a little outside of the generic industrial control systems that have been under discussion uh of uh that have been under discussions in Stuxnet. Very short introduction about myself so most noteworthy elements from my past. Uh I was the lead incident handler for Stuxnet back then when it was discovered in 2010. Uh that was mainly also the reason why I created the dedicated computer emergency response team uh uh for Siemens products. Uh I led this for two other years and these days uh I run my own ICS uh cyber security consultancy uh in Austria. I'm a professor at two universities where basically teach ICS security and pen testing uh help out at the SANS Institute for teaching ICS courses and I'm also conference chair for an academic cyber security conference focused on ICS. So first of all short disclaimer really important hacking building automation systems can have serious effects uh on your health. So I highly uh I highly uh recommend not to hack building automation control systems without authorizations because dangerous things can happen. Uh also not if you're unsure what you're actually doing like system wise and control rise uh you'll see what I mean by when we go into the next slides. So uh as I said we're normally doing regular industrial control system security. How did we end up uh working on building automation control systems? Uh answer is because we had to. You see our office uh is uh located like on one of the top floors and we have an automated uh sun shading or sun blind systems. So the problem that we have there is this uh those those uh shading system those blind systems uh are coupled are connected to a wind sensor and the issue is that this wind sensor is really really really sensitive. So what happens is when somebody literally farts in the second next building the sun blinds go up and sort of we can we could not work anymore we get blinded and that's how we decided we really gotta look at building automation control and from there on sort of we really expanded. So uh what is building automation control system uh actually about so as most of you probably haven't been exposed to those systems let's discuss the major use cases. The most common use case I guess these days is uh HVAC so controlling heating ventilation and air conditioning so especially in a venue like this one most probably you would not have like uh direct wiring uh from the temperature sensor to a controller uh anymore but maybe some type of bus system so there would be some type of network packet being sent from the uh temperature sensor to the controller controller would uh read its logic okay what's the target temperature and then uh send a command or another uh uh bus probably to the actuator to either uh yeah turn on the heating or the air conditioning depending on uh depending on its programming. Second area uh is uh lighting so probably if you've noticed that you uh see a decline in like classical light switches they're being more and more replaced by presence or motion detectors uh which is the case in order to save energy uh so you don't just uh flip switches anymore uh depending on if somebody is in the room uh the system would decide whether to turn on the light or not and maybe based also on daytime of course. Third common application area of building control systems uh is just energy management as such so uh of course it's possible to switch on specific devices at a specific point in time so maybe uh when there's cheap energy available via building automation control you uh could switch on specific devices which consume a lot of energy uh like uh like a washing machine or anything similar. And the last and I think one of the most interesting uh application areas of building automation control is physical access control so instead of having like a physical key uh through uh a building automation controller you would be able to lock and unlock doors and also go into uh uh CCTV systems so this this is really a very very powerful uh set of possibilities you get with uh building automation controller. So as we know with great power that we have with building automation controllers there comes great responsibility. So thereby uh we also decided to look into the actual state of security functions and that's what I'm going to show in the next slide which really summarizes the state of native security functions in building automation. I'm really glad we talked about it, right? That's not a mistake by the way. So the the thing I really want to point out here is uh that many many building automation control protocols and and technologies that we use today do miss very uh very critical security functions uh and uh to elaborate a little bit on this. If I'm possible uh if it's if it's possible for me to uh connect to a building automation control network uh and I know which protocol is uh is is being uh is being spoken on this uh on this network I can just set any command I want as long as it is sort of protocol conformant and the device that I target either if it's the controller or any type of sensor will actually accept my command and uh yeah do whatever I want from it because for instance there is no uh like embedded authentication maybe cryptographically supported authentication in those uh protocols. Why? Because those protocols uh were designed maybe in the late 19's or early 2000's where uh there still was to believe that those systems are closed networks, bus networks uh which are not really interconnected maybe not really routable networks uh on the way to the building automation control network and therefore uh the threat model uh was a different thing. Same issue of course leads to uh replay and spoofing so you can just capture uh existing network traffic and then replay it a later point in time. Some of the protocols that you will see in building automation control are actually UDP based so replaying them is even easier uh because it didn't you do not need to go for the TCP 3 way handshake uh so many of them are susceptible to replaying and spoofing. Uh we did a number of uh assessment since then and we also found sort of yeah outdated and legacy software uh why is that the case? If you understand how those how the systems are being created it's sort of they are practically part of the building. So at some point uh the property management company decides we need to have a new building so construction starts and at some point uh electrical engineers will come uh do the cabling put in the actual uh building automation controllers and also do the programming. And from that point in time it sort of stays pretty much the same for the next 5, 10 uh 15 years. Why? Because those those systems are pretty much part of the building itself. It's not like uh it's not like in the IT world where you rip and replace your systems every 3 to 5 years. And of course those systems are quite robust and purpose built from the physical side but we found out if you look at them from the network side they are definitely more fragile. In order to give you an idea what attacks in areas uh might be out there so what an attacker might actually go for uh I'm going to present at least one attack scenario that we are not looking forward to. So uh yeah more like a blueprint. So one scenario in building automation control could actually mean uh you would try to go for a sort of uh targeted attack in in the sense of a physical compromise. Uh enter a building maybe some type of public building. Uh you have to find the appropriate entry point to the building automation control system and that's pretty straightforward. Some of them are quite easy to reach. For instance those uh motion and presence detectors they usually easy to reach because they're being placed sort of at uh at that type of level so you can just uh uh approach one pull it off and then try to connect to the actual the actual building automation bus. So this is an example of a uh KNX uh bus system so two wire bus that we were using there. That's pretty much it. Rip out the plug. Connect two wires uh connect that to a uh KNX USB dongle and from that point in time you're pretty much with you're pretty much in the building automation control system and can do whatever you want. What is it that you might want to do? Well if you think about a scenario that there is maybe a contract hacker being hired uh from a competing property management company you know a building where there's nice condominiums uh probably he could uh enter the building connect to the network and then just trigger random alarms like fire alarms gas alarms which uh yeah throw people out of their beds at random times in the morning. For instance through spoof messages fake sensor readings anything's possible here from a technology uh perspective. And if you do this uh quite often most probably people will start to leave uh this building um before they could not sleep anymore. So if you combine this type of attack uh maybe with a rogue device something like a Raspberry Pi on a battery pack with 3G uh as I said already it's possible to send spoofed messages so at one point in time I would spoof maybe a temperature sensor at another point I would spoof maybe a gas leak sensor. It would be really really difficult for uh the actual yeah operator of the building to find out what is the exact reason why those alarms are actually uh happening. So as this is a security conference I also would like to give you a little bit of information on how to approach uh those types of systems uh more from the security perspective uh so also to give you ideas what type of penetration testing or security testing tools exist out there already uh if you would like to explore uh maybe your own home automation system. Uh if you're into pen testing you know the very first step is always about information gathering, learning about the uh actual target. The good news is if for our good old friend NMAP there is already a significant amount of scripts out there which map uh uh building automation systems so if you're going for instance for KNXnet IP which is a protocol that is highly uh or that is widely used throughout Europe and also uh Asia uh that type of plug in uh comes already uh with NMAP out of the box. If you are more into backnet IP uh which is a standard that is widely used uh especially in the United States and also a little bit in in Europe you would need to tap into project red point created by digital bond uh to get the actual uh fingerprinting uh script for NMAP down. There is another tool called uh HVAC scanner um it looks for specific uh building out of automation control devices from Honeywell and uh also Tridium Niagara controllers. It's not uh it's not working by uh by tapping into the real building automation control protocols by instead looking at fingerprints of uh the web servers of those devices so sort of the um uh the HMI type of systems. And finally some of the yeah more common um professional security scanners like Nesos also have like rudimentary implementations of fingerprinting plugins for detecting building automation systems but only only a small fraction actually is covered of the protocols out there. So if you're into pen testing uh and you would like to explore uh or actually abuse to a certain sense um a building automation system you definitely would need to understand at some point a little bit more about the actual uh protocol. So uh we're going to talk about two protocols here. One is KNICS. The other one is uh backnet which I'll cover later. So uh KNICS is a good example because it comes uh in different forms and types uh and in the sense of uh physical uh media that it supports. There's KNICS twisted pair. Remember the the the photo I had before the two wire bus? Uh there's KNICS RAF radio frequency and of course uh luckily for us there's also KNICS net IP which defines uh how KNICS network protocol should be transmitted over a regular IP network. And of course there's also uh protocol converters out there which allow you to uh have a KNICS net IP gateway in an IP network and behind that the regular uh KNICS bus. If you look at it from a service or functionality perspective you would have something like core services which uh within KNICS net IP for locating and identifying those types of devices as such. Uh you would have uh another group of services for actual configuration and device management. Then there's two types of I would say service groups uh for communication, one for tunneling, one for routing and finally the last group of services is actually there for uh remote diagnostic as well. So let's explore a little more the actual tooling options that you have out there. You know in my uh company back home we have a saying um there is no better hacking tool for industrial control systems than the original engineering software so like the programming software. Uh and this is uh this is an example uh of that as well. So what you see here is screenshots from the so called ETS the engineering tool software that is being put out by the KNICS associations to program those types of devices. Uh so the the the original original uh controls engineers and electrical engineers which build those systems use the software to program a specific building automation controller but there are certain functionalities in there which I'd like to point out which are also interesting for pentesting and security purposes. The first one is on the left side so called uh group monitoring. Uh group monitoring is really the equivalent of sort of uh packet sniffing uh like you would do with Wireshark but here we do not have uh a an ethernet or even IP based network it's like a two wire bus but uh the the principle is the same basically I'm sniffing the two wire bus and I'm building up a list of packets that I see here. Uh you see here different uh source addresses which for for KNICS may be something like 1.14.12 and on the right side you would see destination addresses and if I look there uh if I look into that for for maybe several minutes I will see probably lots and lots of uh addresses on the uh source side but only few addresses on the destination sides and the the the few addresses on the destination side of course the actual control controllers where the different sensors report to. So that's the equivalent of passive information gathering in the KNICS network. I would like to point out one uh functionality which I found quite interesting they intentionally built in also the function called replay telegrams so most probably that was included for uh debugging uh the controls uh the the building automation control system but for security purposes of course this could be a a valid attack tool. On the right side you see the equivalent of uh an active uh information gathering attempt so called line scan so uh with that I can I can do pretty much the same I would do maybe in a uh class C network so scan the available address space and see which addresses are already taken so pretty straightforward and you can download the ETS uh just from the KNICS associations website. If you're not not that into uh using graphical user interface tools if you're more into command line tools the uh next tool I'd like to recommend is called KNICS map created by uh a bunch of German security researchers. It has uh the same functionalities for passive and active information gathering. It also uh has a little more functionality like it allows you to brute force the so called bus coupling unit key which is just a 32 bit key so it's really feasible to brute force it for specific configurations. If you actually would like to change uh the behavior of the uh building automation controller you would want to make use of group messaging or APCI functions so for instance sending something like turn off everything like a wild card uh that's what it would go for with group messaging and APCI functions in principle mean uh something like uh reading or writing memory of a specific controller restarting a device whatever you want to do with a with one specific type of device. Second protocol that I'd like to uh present is backnet IP so building automation control network uh it's another uh what I would call manufacturer independent standard so it defines for each device a standard set of objects and the each object has uh properties and services. Some of those services uh are mandatory like the read property service and again for your convenience we've sort of grouped the uh backnet IP service into different yeah uh logical groups, alarm and event services for actually finding out if something what's going on within the backnet network. Uh there's also uh file access and virtual terminal services so I'm not talking about FTP or telnet here but really more about the uh backnet equivalent of those uh of those functions so you really see back in this sort of a uh complex protocol uh and it's really powerful in in the sense that this allows uh file access and also terminal services. Uh manipulating objects is possible of course reading, writing, modifying properties and there's special messages for remote device management. There's one specific function that we really love uh and it's called backnet IP broadcast management devices, BBMD and foreign device registration. That uh function within backnet is really excellent for pen testing because it actually allows you to breach uh a building automation control network from the inside on the inside although you cannot really reach it from the outside. Uh what do I mean by this? Imagine there is a scenario where uh there's a backnet device um and an internal uh private network that for maintenance purposes uh for service purposes also has maybe something like a port forwarding uh from the internet activated. So the backnet IP port would be reachable from the internet uh by port forwarding. If this device uh supports this BBMD function uh what I would be able to do is I could come from the outside register through this foreign device registration function and from that point in time on I would be able to talk to all the internal uh other backnet systems as if I work as if as if I was on the on the um internal network side. So even if you did your network security right even if there's no routing available you would be able to compromise the building automation control uh network through that function. Is that an issue? A practical issue? Unfortunately yes uh we have found nearly 3000 systems uh backnet systems in the U.S. alone which expose this dangerous um uh BBMD function. If you look at it more in a global perspective it's like 15000 uh devices out there which support this function and you see it down here it's it's a good example. So I intentionally blacked out the the the full uh uh public IP address something and uh ending with dot 124 47808 is the actual uh backnet port. If I would connect uh to the system uh and use the BBMD function I would be able to talk to 192 168 3.2 although they're not reachable from the internet through routing. So pretty pretty dangerous. And by the way uh on this uh on this screenshot you also see that that it's not only smart home or home automation systems that are on the internet with uh with backnet uh the top most screenshot or top most system here uh on showdown is from some type of city parkway access. So there's different types of systems that you actually see that are connected through backnet. As we did with K and X uh if you want to actually uh talk to specific backnet devices or um yeah abuse specific protocol functions uh maybe in the penetration test for one of your clients. Again there's different functions uh you should know uh again in different groups. For information gathering you most probably would use something like read property uh mention the read foreign device table uh if you call the initial uh routing table service uh you would get a list of the devices routing table itself back. If you are more into spoofing again register for in device or just I am or I'm router to network functions are the thing to go for. If you would like to create something like a denial of service could just do this by a large number of who is requests or maybe uh signaling uh the that uh a specific network cannot be reached through router busy to network uh services. Maybe you could try to create a routing loop through the initialize routing table or just send devices constantly into reboots through the re-initialize device command that's what I have on the next slide and therefore uh declining uh declining uh regular service to all the other clients. So here on the top left we have our legit uh building automation controller server. On the right side we have our uh Mr. Evil which is technically just another backnet uh client which requests our server to re-initialize constantly so basically we're sending a re-initialize command every 10 seconds which means that the other legit clients cannot connect or cannot do anything with it anymore. With our tests we found out that some of the devices out there um do require uh passwords or may require passwords uh depending on on on vendor to actually uh call this function or to execute this function well guess what uh you will find the password in most cases in the vendor's actual manual uh in this case the password was Jesus. So thanks Jesus for helping us. Uh I also mentioned before that those systems tend to be quite robust uh on the physical side but not so robust on the uh network side. So what we created is just a very very rudimentary uh backnet IP fuzzer using uh Scapi uh so what we did the very first layer uh we tapped into was NPDU and APDU fuzzing and you see down there uh within the very first seconds we received already a number of uh segmentation faults. So this is a screenshot uh from I think the most widely used open source implementation uh of backnet available on Sourceforge. I really hope that there's not too many devices out there which which rely on on this protocol stack in that state uh because of the stability issues uh as this uh this vulnerability at least today is still a zero day uh uh it hasn't been fixed yet at this point. So as you've seen building automation control is pretty powerful uh pretty interesting and it's quite widely deployed. Question is how how how can we fix this? Uh how can we improve the uh the overall situations? So in my opinion this is quite typical it's on the one hand a technology issue but on the second hand it's also a people and and knowledge issue. What do I mean by this? So the technology issue really is that um at least the current generation of building automation control systems still lacks this um secure by the security by design or security uh or secure by design approach that uh we've had in general IT for 15 years now that has started in generic industrial control systems I would say to a fair amount thanks to Stuxnet uh but at least uh is not the case uh in at least for for the building automation control uh sector. Why do I also claim that this is part of a a knowledge problem or people problem? Well the industry associations behind those technologies like uh ASHRAE or the the uh Kenix association responsible for those protocols at some point they recognized already that there is maybe security issues out there that that need to be addressed. So they put out guidelines and recommendations how to well uh counter those risks how to to mitigate at least some of them how to retrofit uh security uh because you cannot entirely change it uh at this point in time at least. If the guidelines actually would have been or would be adhered to then most probably we wouldn't see uh 3000 systems in the US that expose this uh BBMND function or 15,000 uh worldwide. We also did a I would say small survey among uh building automation integrators so those guys responsible for for creating and building those systems. Uh we did this in Europe uh for Kenix based uh system operators uh and integrators and I think just a very very small fraction actually had the idea that what they are doing has it has a dedicated security responsibility. Why? Because the majority of people who creates those building automation control systems are electrical engineers uh they're automation engineers they're controls engineers and not security people. However the world of course from a technology perspective had has changed. There is Kenix net IP there is backnet IP uh and therefore uh security should be addressed uh to uh to a certain extent. So from a general perspective there is holistic measures something like applying a proposed network architectures trying to reduce uh external access points so it's not as easy to just pull down maybe a uh presence detector and connecting it maybe also increase monitoring so that's like uh holistic measures and of course for each protocol there is different uh possibilities out there to deploy security proxies uh or just restrict communication paths maybe something like uh uh line address filters for instance with the uh Kenix protocol. Is that everything uh unfortunately or fortunately not so what we really did is we looked at uh two specific protocols uh Kenix net IP and backnet IP because those systems are really widely deployed throughout different regions in the world but there's many other technologies out there or protocols within building automation control systems that are definitely worthwhile to be explored so uh I really hope you got an impression and you got an interest into uh looking into building automation control systems. If you have any questions that's the end of my presentation uh I'm glad you were here and uh I really would like to invite you to come over to the ICS village we have just great systems over there if you have any questions I'll be happy to answer them just in the second next room over there. Thank you.