On the security of security extensions for IP-based KNX networks. Aljosha Judmayer

Size: px

Start display at page:

Download "On the security of security extensions for IP-based KNX networks. Aljosha Judmayer"

Rebecca Henderson
5 years ago
Views:

1 On the security of security extensions for IP-based KNX networks Aljosha Judmayer 1

2 SBA Research Area 1 (GRC): Governance, Risk and Compliance P1.1: Risk Management and Analysis P1.2: Secure BP Modeling, Simulation and Verification P1.3: Computer Security Incident Response Team P1.4: Awareness and E-Learning Area 2 (DSP): Data Security and Privacy P2.1: Privacy Enhancing Technologies P2.2: Enterprise Rights Management P2.3: Digital Preservation Area 3 (SCA): Secure Coding and Code Analysis P3.1: Malware Detection and Botnet Economics P3.2: Systems and Software Security P3.3: Digital Forensics Area 4 (HNS): Hardware and Network Security P4.1: Hardware Security and Differential Fault Analysis P4.2: Pervasive Computing P4.3: Network Security of the Future Internet

TU Vienna Thesis @ automation systems group => Paper @ 10th IEEE Workshop on Factory Communication

3 TU Vienna automation systems group => 10th IEEE Workshop on Factory Communication Systems (WFCS), 2014 Lukas Krammer (lkrammer@auto.tuwien.ac.at) Wolfgang Kastner (k@auto.tuwien.ac.at) 3

4 What the h3ck is KNX? 4

5 What the h3ck is KNX? KNX is a standard for home and building automation KoNneX Association pool of companies publish KNX Systems specification Develop the ETS (Engineering Tool Software) 5

publish KNX Systems specification (first version 2002) Develop the ETS (Engineering Tool

6 What the h3ck is KNX? KNX is a standard for home and building automation KoNneX Association pool of companies publish KNX Systems specification (first version 2002) Develop the ETS (Engineering Tool Software) Ensuring the interoperability between products, applications and systems Different physical layers e.g. : Twisted pair cable (TP1) Ethernet (IP) called KNXnet/IP 6

7 Building Automation Systems (BAS) Goal: intelligent buildings Old and busted: heating, ventilation and air conditioning (HVAC) BUS networks 7

8 Building Automation Systems (BAS) Goal: intelligent buildings Old and busted: heating, ventilation and air conditioning (HVAC) BUS networks New hotness: security and safety stuff (e.g. alarm systems, access control systems) remote management and stuff... >> connected to IP based networks <<!!!111! What can possibly go wrong? 8

Building Automation Systems (BAS) Goal: intelligent buildings Old and busted: heating, ventilation and air conditioning (HVAC) BUS networks New hotness: security and safety stuff (e.g. alarm systems, access control systems) remote management and stuff.

9 Building Automation Systems (BAS) Goal: intelligent buildings Old and busted: heating, ventilation and air conditioning (HVAC) BUS networks New hotness: security and safety stuff (e.g. alarm systems, access control systems) remote management and stuff... >> connected to IP based networks <<!!!111! What can possibly go wrong? 9 Source:

10 Security features in current/classical KNX... 10

11 Security features in current/classical KNX... Optional 4 (in words four ) byte password 11

12 Security features in current/classical KNX... Optional 4 (in words four ) byte password... transmitted in clear text 12

13 What the spec has to say... For KNX, security is a minor concern, as any breach of security requires local access to the network (KNX Systems Specification) 13

14 What the spec has to say... For KNX, security is a minor concern, as any breach of security requires local access to the network (KNX Systems Specification) Filtering KNXnet/IP datagrams from the network requires network analysis tools and expertise. The content of a KNXnet/IP message is not selfdescriptive but requires semantic knowledge... (KNX Systems Specification) 14

15 What the spec has to say... For KNX, security is a minor concern, as any breach of security requires local access to the network (KNX Systems Specification) Filtering KNXnet/IP datagrams from the network requires network analysis tools and expertise. The content of a KNXnet/IP message is not selfdescriptive but requires semantic knowledge... (KNX Systems Specification) 15

16 How does a KNX BAS look like? 16

17 How does a KNX BAS look like? GAMMA Training Kit (GTK2) Source: 17

18 How does a KNX BAS look like? Backbone lv. Field lv. 18

19 How does a KNX BAS look like? Management devices (ETS) MD MD IP Backbone WAN Backbone lv. Field lv. Interconnection devices Sensors, Actuators, and Controller devices 19

20 How does a KNX BAS look like? Management devices (ETS) KNX IP KNXnet/IP MD MD IP Backbone WAN Backbone lv. Field lv. Interconnection devices Sensors, Actuators, and Controller devices 20

21 How does a KNX BAS look like? Management devices (ETS) C MD MD IP Backbone WAN Backbone lv. USB Field lv. Interconnection devices USB interface N 148/11 * USB interface to KNX bus * Connected to wiring by pressure contacts * eibd open source software Sensors, Actuators, and Controller devices 21

22 How does a KNX BAS look like? Management devices (ETS) C MD MD IP Backbone WAN Backbone lv. USB Field lv. Interconnection devices Sensors, Actuators, and Controller devices USB interface N 148/11 * USB interface to KNX bus * Connected to wiring by pressure contacts * eibd open source software * Eavesdrop * DoS * Inject * Identify (2^16 addresses) 22

23 Example Record all traffic on bus $ eibd --listen-local=/tmp/eibhandle -t1023 usb:2:4:1:0:0 $ vbusmonitor1 local:/tmp/eibhandle Send message on to group addr. $ groupswrite local:/tmp/eibhandle 1/1/5 1 Read configuration of device $ mread local:/tmp/eibhandle AA AA B 00 0B 02 FE FE 01 FE 02 FE FE 05 FE 06 FE FE 09 FE 0A FE 0B 04 0C FE 0D FE 23

24 Example Record all traffic on bus $ eibd --listen-local=/tmp/eibhandle -t1023 usb:2:4:1:0:0 $ vbusmonitor1 local:/tmp/eibhandle Send message on to group addr. $ groupswrite local:/tmp/eibhandle 1/1/5 1 Read configuration of device $ mread local:/tmp/eibhandle AA AA B 00 0B 02 FE FE 01 FE 02 FE FE 05 FE 06 FE FE 09 FE 0A FE 0B 04 0C FE 0D FE 24

25 Example Record all traffic on bus $ eibd --listen-local=/tmp/eibhandle -t1023 usb:2:4:1:0:0 $ vbusmonitor1 local:/tmp/eibhandle Send message on to group addr. $ groupswrite local:/tmp/eibhandle 1/1/5 1 Group addr. 1/1/0 Read configuration of device $ mread local:/tmp/eibhandle AA AA B 00 0B 02 FE FE 01 FE 02 FE FE 05 FE 06 FE FE 09 FE 0A FE 0B 04 0C FE 0D FE 25

26 How does a KNX BAS look like? Management devices (ETS) MD MD IP Backbone WAN Backbone lv. * tcpdump * tcpreplay * IGMP USB Field lv. Interconnection devices Sensors, Actuators, and Controller devices USB interface N 148/11 * USB interface to KNX bus * Connected to wiring by pressure contacts * eibd open source software * Eavesdrop * Identify (2^16 addresses) * Inject * DoS 26

27 Example UDP/IP port 3671 IPv4 multicast addr d 0c 00 5e 00 0e bc 00 7e 57 f e aa 0c f e c b b a c fa a e Just record and replay... $ tcpdump -nnvvxsw switchon.cap udp port 3671 $ tcpreplay -i eth0 -v switchon.cap 27

28 How does a KNX BAS look like? IP Controller N 350E * Scheduler & timer * TIME protocol (RFC 868) C Management devices (ETS) MD MD IP Backbone WAN Backbone lv. * IGMP * tcpdump * tcpreplay USB Field lv. Interconnection devices Sensors, Actuators, and Controller devices USB interface N 148/11 * USB interface to KNX bus * Connected to wiring by pressure contacts * eibd open source software * Eavesdrop * Identify (2^16 addresses) * Inject * DoS 28

29 * fuzzer (scapy) How does a KNX BAS look like? *... IP Controller N 350E * Scheduler & timer * TIME protocol (RFC 868) C Management devices (ETS) MD MD IP Backbone WAN Backbone lv. * IGMP * tcpdump * tcpreplay USB Field lv. Interconnection devices Sensors, Actuators, and Controller devices USB interface N 148/11 * USB interface to KNX bus * Connected to wiring by pressure contacts * eibd open source software * Eavesdrop * Identify (2^16 addresses) * Inject * DoS 29

30 How about the software...? 30

31 How about the software...? 31

32 How about the software...? 32

33 What's possible in classic KNX? 33

34 The solution?: KNXnet/IP Secure Security extension to KNXnet/IP Backward compatible Draft - now available for members, not yet implemented Multicast communication (group communication) Custom version of CCM (CTR + CBC-MAC) AES block cipher Unicast communication Custom protocol ECDH + Custom version of CCM AES block cipher 34

35 Interconnection devices KNXnet/IP Secure Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Sensors, Actuators, and Controller devices 35

36 Interconnection devices KNXnet/IP Secure Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Still possible: * Eavesdrop * Inject * DoS Sensors, Actuators, and Controller devices 36

37 KNXnet/IP Secure Unicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Unicast Sensors, Actuators, and Controller devices 37

38 KNXnet/IP Secure Multicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Multicast Sensors, Actuators, and Controller devices 38

39 KNXnet/IP Secure Multicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure * No forward secrecy * No non-repudiation Sensors, Actuators, and Controller devices 39

40 KNXnet/IP Secure Multicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure * Compromise => extract key information => impersonate this => compromise group => reconfigure other hash used as a pwd! Sensors, Actuators, and Controller devices 40

41 KNXnet/IP Secure Multicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Sensors, Actuators, and Controller devices this parameter specifies the acceptance window for length of the accepting incoming multicast frames with a past timestamp (sequence identifier) * Replay traffic within latency tolerance 41

42 KNXnet/IP Secure Multicast Interconnection devices Management devices (ETS) MD IP Backbone using KNXnet/IP Secure Sensors, Actuators, and Controller devices traffic after downtime * Replay It shall under no circumstances be decremented because this would weaken the resistance against replay attacks. To achieve this, the sequence counter must be persisted during power-off conditions. Even better it should be increased during power-off conditions using an RTC 42

43 Custom AES CTR 43

44 Custom AES CTR 44

45 Custom AES CTR 45

46 CBC MAC Forgery? depends on byte order and detailed construction of and Only possible on messages which are authenticated but not encrypted 46

47 CBC MAC Forgery? 47

48 CBC MAC Forgery? 48

49 CBC MAC Forgery? 49

50 Conclusio Current/classical KNX => no security unicast / multicast (+) yes, (-) no, (~) nice try Property KNX KNXnet/IP Secure Authentication -/- ~/- Authorization -/- +/- Non-repudiation -/- -/- Integrity -/- +/~ Freshness -/- +/~ Confidentiality -/- +/~ Forward secrecy -/- +/- Availability -/- -/- 50

51 EOF 51

Bitcoin/Namecoin/*coin: On Bitcoin like protocols and their relation to other IT-Security issues

Bitcoin/Namecoin/*coin: On Bitcoin like protocols and their relation to other IT-Security issues : On Bitcoin like protocols and their relation to other IT-Security issues Aljosha Judmayer ajudmayer@sba-research.org 2014-11-07 SBA Research Area 1 (GRC): Governance, Risk and Compliance P1.1: Risk Management