building automation (in)security
![Page 1: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/1.jpg)
visibility | detection | control
Building Automation
(In)Security
Dr. Elisa Costante – Head of Research
Dr. Mario Dagrada – Senior Security Researcher
![Page 2: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/2.jpg)
Proprietary & Confidential – www.secmatters.com
SecurityMatters
University Spin-off
Located in Eindhoven
Security for ICS
visibility and detection for OT
networks
INDUSTRIAL CYBER RESILIENCE
![Page 3: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/3.jpg)
About Smart Buildings
![Page 4: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/4.jpg)
Building Automation Systems (BAS)
![Page 5: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/5.jpg)
A look ahead: Smart Cities
![Page 6: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/6.jpg)
visibility | detection | control
but…
![Page 7: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/7.jpg)
November 8, 2016 14:20
![Page 8: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/8.jpg)
Why attack Smart Buildings?
CRITICAL BUILDINGS: airports, data centers, hospitals & public spaces
LEGACY SYSTEMS: 60% of buildings have systems that are 20 years old; no encryption; no authentication
CONNECTIVITY: more connections = more vulnerabilities; default open ports; default passwords
![Page 9: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/9.jpg)
Building Automation Networks (simplified)
Subsystems: SURVEILLANCE | ACCESS CONTROL | HVAC
Levels: MANAGEMENT | AUTOMATION | FIELD
Components: Workstation, Engineering Workstation, Building Management System, HMI, Building Controller, Network Video Recorder, Room Controllers, IP-Cameras, Streaming Software, I/O connections
IP protocols: BACnet/IP, HTTP, FTP, RTP
Field protocols (IP & non-IP): Modbus, LonTalk, BACnet MS/TP, KNX
![Page 10: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/10.jpg)
Examples of Attack & Defense scenarios
![Page 11: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/11.jpg)
HVAC
Thermostats and IoT devices can be used as an entry point for data exfiltration (1,2)
An increased temperature can damage data centers and labs
ATTACK
DEFENSE
1. http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T
2. https://www.darkreading.com/risk/security-guard-busted-for-hacking-hospitals-hvac-patient-information-computers/d/d-id/1131436
Detect changes to critical variables
Identify undesired IT/OT communications
Identify anomalous behavior of IoT devices
![Page 12: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/12.jpg)
Surveillance System
Using IP-cameras as a botnet (1)
Turning off cameras to cover malicious physical actions
Delete recordings that could serve as evidence
ATTACK
DEFENSE
Detect default credentials
Detect dangerous services (UPnP)
Detect dangerous operations (teardown)
1. https://safeandsavvy.f-secure.com/2018/04/25/researchers-find-way-to-generate-master-keys-to-hotels/
![Page 13: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/13.jpg)
Hack like a movie-star: fact or fiction?
![Page 14: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/14.jpg)
Surveillance system architecture
Network switch
Storage server Local monitoring
Network video recorder
Surveillance cameras
RTSP/RTP
![Page 15: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/15.jpg)
Surveillance system protocols
RTSP
Real Time Streaming Protocol, usually over TCP
Designed to control stream parameters, not deliver the data
RTP
Real-time Transport Protocol, usually over UDP
Designed for real-time transfer of audio and video data
Secure version SRTP available, but rarely used
![Page 17: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/17.jpg)
RTSP: establishing connection
Camera uses the RTSP protocol to establish a TCP channel with the NVR
![Page 18: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/18.jpg)
RTP: streaming
The RTP protocol is used by the camera to stream audio and video to the NVR
![Page 19: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/19.jpg)
RTSP: keep alive
The NVR continuously exchanges GET_PARAMETER messages with the camera to keep the connection alive
![Page 20: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/20.jpg)
What happens on the network
Prerequisites:
• The attacker is inside the network
• Open source tools + simple scripting
![Page 21: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/21.jpg)
Attack in action – man-in-the-middle & recording
videosnarf -i dahua-eavesdrop-traffic.pcapng && ffmpeg -i H264-media-1.264 footage.avi
![Page 22: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/22.jpg)
Attack in action – break communication
if (ip.proto == TCP && tcp.dst == 554) {
    if (search(DATA.data, "GET_PARAMETER")) {
        replace("GET_PARAMETER", "TEARDOWN");
    }
}
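The defender's counterpart to the two RTSP slides above is a passive monitor on the control channel. The NVR keeps every camera session alive with periodic GET_PARAMETER requests, so a TEARDOWN that arrives for a session that is still being kept alive, or a session whose keep-alives simply stop, are both worth an alert (the "detect dangerous operations (teardown)" item from the surveillance defense slide). The following is an added example, not code from the talk or from SecurityMatters; the hosts, session ids, timestamps and the 60-second keep-alive timeout are constructed sample values.

```python
"""Passive RTSP control-channel monitor (added example, not from the talk)."""
import re
from dataclasses import dataclass

# RTSP request line, e.g. "GET_PARAMETER rtsp://10.0.0.20/stream RTSP/1.0"
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<url>\S+) RTSP/\d\.\d$")


@dataclass
class RtspMessage:
    ts: float      # seconds since start of capture
    src: str       # sender IP
    dst: str       # receiver IP
    payload: str   # RTSP text as carried in the TCP segment


def parse_request(payload):
    """Return (method, url, headers) for an RTSP request; None for responses
    ("RTSP/1.0 200 OK ...") and anything that is not an RTSP request."""
    lines = payload.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return match.group("method"), match.group("url"), headers


def session_of(headers):
    """'Session: 4a2f;timeout=60' -> '4a2f'."""
    return headers.get("session", "").split(";")[0].strip()


def analyze(messages, keepalive_timeout=60.0, end_ts=None):
    """Replay RTSP requests in time order and return a list of alert dicts."""
    alerts = []
    started = {}          # session id -> time of PLAY
    last_keepalive = {}   # session id -> time of last PLAY / GET_PARAMETER
    for msg in sorted(messages, key=lambda m: m.ts):
        parsed = parse_request(msg.payload)
        if parsed is None:
            continue
        method, _url, headers = parsed
        sid = session_of(headers)
        if method == "PLAY":
            started[sid] = msg.ts
            last_keepalive[sid] = msg.ts
        elif method == "GET_PARAMETER" and sid in started:
            last_keepalive[sid] = msg.ts
        elif method == "TEARDOWN" and sid in started:
            # A recording session being torn down is what the camera sees
            # when a keep-alive has been rewritten in transit.
            alerts.append({"type": "teardown_active_session", "ts": msg.ts,
                           "src": msg.src, "dst": msg.dst, "session": sid,
                           "session_age": msg.ts - started[sid]})
            del started[sid]
            del last_keepalive[sid]
    # Sessions never torn down but no longer kept alive: the stream is gone
    # without any RTSP message saying so.
    now = end_ts if end_ts is not None else max((m.ts for m in messages), default=0.0)
    for sid, last in sorted(last_keepalive.items()):
        if now - last > keepalive_timeout:
            alerts.append({"type": "keepalive_gap", "session": sid,
                           "silent_for": now - last})
    return alerts


NVR, CAM_A, CAM_B = "10.0.0.10", "10.0.0.20", "10.0.0.21"   # constructed hosts


def request(method, cam, cseq, session=None):
    """Build a minimal RTSP request body for the constructed capture."""
    hdrs = f"CSeq: {cseq}\r\n" + (f"Session: {session};timeout=60\r\n" if session else "")
    return f"{method} rtsp://{cam}/stream RTSP/1.0\r\n{hdrs}\r\n"


# Constructed capture: camera A is kept alive and then torn down at t=90;
# camera B is kept alive once and then goes silent.
SAMPLE_CAPTURE = [
    RtspMessage(0.0, NVR, CAM_A, request("SETUP", CAM_A, 1)),
    RtspMessage(0.1, CAM_A, NVR, "RTSP/1.0 200 OK\r\nCSeq: 1\r\nSession: 4a2f;timeout=60\r\n\r\n"),
    RtspMessage(0.2, NVR, CAM_A, request("PLAY", CAM_A, 2, "4a2f")),
    RtspMessage(0.3, NVR, CAM_B, request("PLAY", CAM_B, 2, "b7c1")),
    RtspMessage(30.0, NVR, CAM_A, request("GET_PARAMETER", CAM_A, 3, "4a2f")),
    RtspMessage(30.1, NVR, CAM_B, request("GET_PARAMETER", CAM_B, 3, "b7c1")),
    RtspMessage(60.0, NVR, CAM_A, request("GET_PARAMETER", CAM_A, 4, "4a2f")),
    RtspMessage(90.0, NVR, CAM_A, request("TEARDOWN", CAM_A, 5, "4a2f")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE, end_ts=200.0):
        print(alert)
```

Fed the capture with a cut-off at t=200, the monitor raises one alert for the torn-down session of camera A and one keep-alive gap for camera B. In a real deployment the source of the messages would be a span port on the switch between cameras and NVR, and a TEARDOWN outside a maintenance window should be correlated with whether the RTP stream from that camera actually stopped.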
![Page 23: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/23.jpg)
Attack in action – replay recorded footage
Replayed footage (viewed by the security officer)
Real footage (hidden from the security officer)
![Page 24: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/24.jpg)
Building subsystems architecture
BACnet/IP
BACnet/MS/TP
BMS
![Page 25: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/25.jpg)
Surveillance system protocols
BACnet
Nr. 1 protocol for building automation
Complex, object-oriented protocol
Used by several subsystems: HVAC, lighting…
Security rarely implemented
![Page 26: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/26.jpg)
Spoofing attack
BACnet/IP
BACnet/MS/TP
BMS
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet protocol (open spec) + simple scripting
router spoofing
![Page 27: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/27.jpg)
Denial of Service attack
BACnet/IP
BACnet/MS/TP
BMS
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet protocol (open spec) + simple scripting
Who-Is / I-Am
![Page 28: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/28.jpg)
DoS attack in practice
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet + simple scripting
Router
BMS
Attacker
Switch
![Page 29: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/29.jpg)
Attack Example
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet + simple scripting
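Both BACnet scenarios above (router spoofing and the Who-Is / I-Am denial of service) can be watched for passively, because BACnet/IP carries no authentication and the relevant messages are easy to classify from the first few bytes. The following is an added example, not code from the talk or from SecurityMatters: it decodes the BVLC header, the NPDU and the first bytes of the APDU or network-layer message of a BACnet/IP datagram, then alerts on an I-Am-Router-To-Network advertisement from a host that is not a known router and on a Who-Is broadcast rate from one source that no BMS would produce. The byte layouts follow the public BACnet specification; the addresses, the known-router list, the threshold of 20 Who-Is per 10 seconds and the sample frames are constructed.

```python
"""Passive BACnet/IP monitor (added example, not from the talk)."""
from collections import defaultdict, deque

BVLC_TYPE = 0x81
BVLC_FORWARDED_NPDU = 0x04
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
SERVICE_I_AM, SERVICE_WHO_IS = 0x00, 0x08   # unconfirmed service choices
NLM_I_AM_ROUTER_TO_NETWORK = 0x01            # network-layer message type


def parse_bacnet_ip(frame):
    """Classify one BACnet/IP datagram. Returns a dict with a 'kind' key,
    or None if the bytes are not a well-formed BACnet/IP frame."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        return None
    func, length = frame[1], int.from_bytes(frame[2:4], "big")
    if length != len(frame):
        return None
    if func in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        pos = 4
    elif func == BVLC_FORWARDED_NPDU:
        pos = 10                               # 6-byte originating B/IP address
    else:
        return {"kind": "bvlc-control", "bvlc": func}
    if len(frame) < pos + 2 or frame[pos] != 0x01:  # NPDU version is always 1
        return None
    control = frame[pos + 1]
    pos += 2
    if control & 0x20:                         # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x08:                         # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x20:
        pos += 1                               # hop count follows a DNET
    if pos >= len(frame):
        return None
    if control & 0x80:                         # network-layer message
        msg_type = frame[pos]
        kind = "i-am-router" if msg_type == NLM_I_AM_ROUTER_TO_NETWORK else "nlm-other"
        return {"kind": kind, "nlm": msg_type}
    apdu_type = frame[pos] >> 4
    if apdu_type == 0x1 and pos + 1 < len(frame):  # Unconfirmed-Request PDU
        service = frame[pos + 1]
        kind = {SERVICE_WHO_IS: "who-is", SERVICE_I_AM: "i-am"}.get(service, "unconfirmed-other")
        return {"kind": kind, "service": service}
    return {"kind": "apdu-other", "apdu_type": apdu_type}


def detect(packets, known_routers, whois_threshold=20, window=10.0):
    """packets: iterable of (ts, src_ip, frame_bytes). Returns alert dicts."""
    alerts = []
    whois_times = defaultdict(deque)   # src -> timestamps of recent Who-Is
    flooding = set()                   # sources already reported
    for ts, src, frame in sorted(packets, key=lambda p: p[0]):
        info = parse_bacnet_ip(frame)
        if info is None:
            continue
        if info["kind"] == "i-am-router" and src not in known_routers:
            # Router spoofing: a host that is not a router claims routes.
            alerts.append({"type": "unexpected_router_advertisement", "ts": ts, "src": src})
        elif info["kind"] == "who-is":
            recent = whois_times[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) > whois_threshold and src not in flooding:
                flooding.add(src)
                alerts.append({"type": "who_is_flood", "ts": ts, "src": src,
                               "count": len(recent), "window": window})
    return alerts


# Constructed frames, hex-encoded per the BVLC / NPDU / APDU layouts.
WHO_IS_FRAME = bytes.fromhex("810b000c" "0120ffff00ff" "1008")        # global Who-Is
I_AM_FRAME = bytes.fromhex("810b0018" "0120ffff00ff" "1000"
                           "c402000001" "2205c4" "9103" "210f")        # I-Am, device 1
I_AM_ROUTER_FRAME = bytes.fromhex("810b0009" "0180" "01" "0005")      # routes to DNET 5

ROUTER, BMS, CONTROLLER, UNKNOWN = "10.0.1.1", "10.0.1.10", "10.0.1.50", "10.0.1.99"
SAMPLE_PACKETS = (
    [(0.0, ROUTER, I_AM_ROUTER_FRAME)]                                  # legitimate router
    + [(1.0, BMS, WHO_IS_FRAME), (1.5, CONTROLLER, I_AM_FRAME), (2.0, BMS, WHO_IS_FRAME)]
    + [(5.0, UNKNOWN, I_AM_ROUTER_FRAME)]                               # not a known router
    + [(10.0 + 0.1 * i, UNKNOWN, WHO_IS_FRAME) for i in range(30)]      # 30 Who-Is in 3 s
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS, known_routers={ROUTER}):
        print(alert)
```

On the sample stream the monitor reports the router advertisement from 10.0.1.99 and, once that host exceeds 20 Who-Is within 10 seconds, a single flood alert; the two Who-Is from the BMS and the I-Am from the controller are left alone. The known-router list is the asset inventory in miniature: the same allowlist idea extends to which hosts may send Who-Is at all.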
![Page 30: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/30.jpg)
What we are busy with
ASSET INVENTORY | NETWORK MONITORING | ANOMALY DETECTION | THREAT HUNTING
gain visibility, know your devices, new hosts and links, indicators of compromise
raw network traffic → actionable information
![Page 31: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/31.jpg)
Key takeaways
Landscape
• Smart buildings rely on legacy systems designed with no security in mind
• Cyber risks for smart buildings are on the rise
• Building automation networks are vulnerable
Visibility
• See what your network devices are doing
• Assess risks, threats and vulnerabilities
• Understand the current resilience state of your network
Detection
• Catch known and unknown threats
• Pinpoint weak spots and current inefficiencies
• Gather all evidence required for incident response
![Page 32: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/32.jpg)
Q&A
![Page 33: Building Automation (In)Security](https://reader031.vdocuments.site/reader031/viewer/2022012504/617e6330d43d1438b62da904/html5/thumbnails/33.jpg)
visibility | detection | control
@sec_matters / securitymatters_bv
www.secmatters.com