Alice’s Adventures in Smart Building Land – Novel Adventures in a Cyber Physical Environment presented at HackInTheBox 2014

by Steffen Wendzel, Sebastian Szlosarczyk,

Summary: Building automation systems (BAS) are IT components integrated into buildings and capable of controlling and monitoring them. BAS aim to improve the energy efficiency of houses, to increase the comfort and safety of people living or working in a building, and to decrease a building's operating costs. Therefore, it is necessary to enable a BAS to control critical equipment such as smoke detectors or physical access control components.
BAS form networks which can be interconnected with other buildings and the Internet (e.g., for remote monitoring purposes) and therefore use different protocols, especially the Building Automation and Control Networks protocol (BACnet), the European Installation Bus (EIB)/Konnex (KNX), and the Local Operating Network (LON). These protocols are linked to specific security features specified in their standards, which were improved over time. However, even if security features are available in standards, they are commonly not integrated into devices or used in practice.
In this talk, we focus on the security of BACnet, an open data communication protocol developed by ASHRAE (American Society of Heating, Refrigerating and Air Conditioning Engineers). BACnet is standardized as ANSI standard 135 and ISO standard 16-484 parts 5 and 6, and it is integrated into products by more than 700 vendors worldwide.
Part One: Down the Rabbit Hole – Future Botnets for Smart Buildings
We discuss the potential and use of botnets in the context of BAS. Our botnet concept and scenario is novel in the sense that it has to adapt to a specialized environment that is highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. The smart building botnet utilizes the capabilities of a target BAS to remotely control and monitor the BAS. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause various kinds of critical damage to whole regions and economies. Hiding the command and control communication is a highly beneficial step in adapting botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques.
Part Two: Alice’s Evidence – Traffic Normalization for BACnet
A means to improve network reliability and security are traffic normalizers (also known as protocol scrubbers and known from TCP/IP networks). Traffic normalization is not available for any BAS protocol. A traffic normalizer actively modifies or drops network traffic in order to remove potentially malicious elements or elements that do not comply with a standard. To this end, traffic normalizers analyze the header elements of network packets and drop malicious packets or clear/modify suspicious bits in header fields before a network packet is forwarded. In TCP/IP networks, traffic normalization can prevent various attacks on TCP/IP stacks.
As already known, BACnet devices are not robust enough to deal with abnormal traffic, as protocol implementations are vulnerable to malformed packets and various forms of attacks. Such attacks can, for instance, cause a denial of service in smoke detectors or other critical BAS equipment. Due to the Internet connectivity of BACnet systems and the fact that BACnet devices can be found using the SHODAN search engine (cf., various attacks on BACnet are easy to perform.
We present the first prototype of a BACnet traffic normalizer, based on Snort, which we are currently developing. We design our normalization to significantly increase the robustness of BAS networks by protecting BACnet network stack implementations against malformed packets and packets linked to selected attacks, as well as by ensuring the compliance of BACnet messages. Our normalization rules are additionally a means to counter fuzzing attacks and to provide protection for seldom-updated BACnet devices, as patching is a challenging task in BAS.
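The following is an added, stand-alone illustration of the normalization idea described above; it is not the authors' Snort-based prototype and makes no claim about its rules. It applies the two kinds of action the abstract names to BACnet/IP datagrams: dropping packets whose BVLC header is malformed (wrong type, undefined function, length field that disagrees with the datagram size, truncated or wrong-version NPDU) and clearing header bits that the standard reserves (bits 6 and 4 of the NPDU control octet shall be zero) before the packet is forwarded. The sample datagrams are constructed here for the example; the BVLC function codes and NPDU layout follow ANSI/ASHRAE 135 Annex J and clause 6.

```python
import struct
from typing import Optional, Tuple

# BVLC (BACnet Virtual Link Control) header for BACnet/IP: type, function, 16-bit length.
BVLC_TYPE_BACNET_IP = 0x81

# BVLC function codes defined in ANSI/ASHRAE 135 Annex J.
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

# Offset of the NPDU for the BVLC functions that carry one.
# Forwarded-NPDU inserts a 6-byte B/IP address (IPv4 + port) after the header.
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}

NPDU_VERSION = 0x01
# NPDU control octet: bits 6 and 4 are reserved and "shall be zero" (clause 6.2.2).
NPDU_RESERVED_BITS = 0b0101_0000


def normalize(pkt: bytes) -> Tuple[Optional[bytes], str]:
    """Normalize one BACnet/IP datagram.

    Returns (packet_to_forward, reason); packet_to_forward is None when the
    datagram is dropped. Reserved NPDU control bits are cleared rather than
    causing a drop, mirroring how TCP/IP scrubbers treat reserved flags.
    """
    if len(pkt) < 4:
        return None, "drop: shorter than BVLC header"
    bvlc_type, func, length = struct.unpack("!BBH", pkt[:4])
    if bvlc_type != BVLC_TYPE_BACNET_IP:
        return None, "drop: unknown BVLC type"
    if func not in BVLC_FUNCTIONS:
        return None, "drop: undefined BVLC function"
    if length != len(pkt):
        # A length field that disagrees with the datagram is a classic
        # malformed-packet trigger for fragile parsers.
        return None, "drop: BVLC length field does not match datagram size"

    offset = NPDU_OFFSET.get(func)
    if offset is None:
        # Pure BVLC management messages (e.g. Register-Foreign-Device) have no NPDU.
        return pkt, "forward: BVLC management message (%s)" % BVLC_FUNCTIONS[func]
    if len(pkt) < offset + 2:
        return None, "drop: truncated NPDU"

    version, control = pkt[offset], pkt[offset + 1]
    if version != NPDU_VERSION:
        return None, "drop: unsupported NPDU version 0x%02x" % version

    if control & NPDU_RESERVED_BITS:
        out = bytearray(pkt)
        out[offset + 1] = control & ~NPDU_RESERVED_BITS & 0xFF
        return bytes(out), "forward: cleared reserved NPDU control bits"
    return pkt, "forward"


# Constructed sample datagrams (not captured traffic).
# Original-Broadcast-NPDU carrying a global Who-Is: BVLC 81 0b 000c,
# NPDU version 01, control 20 (DNET present), DNET ffff, hop count ff, APDU 10 08.
WHO_IS_BROADCAST = bytes.fromhex("810b000c0120ffff00ff1008")
# Same datagram with reserved control bit 6 set (0x20 | 0x40 = 0x60).
RESERVED_BITS_SET = bytes.fromhex("810b000c0160ffff00ff1008")
# Same datagram with a BVLC length field of 32 although only 12 bytes are present.
BAD_LENGTH = bytes.fromhex("810b00200120ffff00ff1008")
# Original-Unicast-NPDU whose length field is consistent but carries no NPDU at all.
TRUNCATED_NPDU = bytes.fromhex("810a0004")


def run_samples():
    """Normalize each constructed sample; used for the demonstration below."""
    samples = {
        "who_is": WHO_IS_BROADCAST,
        "reserved_bits": RESERVED_BITS_SET,
        "bad_length": BAD_LENGTH,
        "truncated_npdu": TRUNCATED_NPDU,
    }
    return {name: normalize(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (out, reason) in run_samples().items():
        print("%-15s %-45s %s" % (name, reason, out.hex() if out else "-"))
```

A real deployment would sit inline (as the Snort prototype the abstract describes does) and extend the same pattern to the NPDU routing fields and the APDU; the point here is only that the two primitives, drop on inconsistency and clear what the standard reserves, are enough to shield a fragile BACnet stack from the malformed inputs a fuzzer or a crafted packet would deliver.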