research-article

Security Analysis of the KNX Smart Building Protocol

Authors:

Malte Küppers,

Georg Neugebauer,

Sacha HackAuthors Info & Claims

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security

Article No.: 87, Pages 1 - 7

https://doi.org/10.1145/3600160.3605167

Published: 29 August 2023 Publication History

Abstract

KNX is a protocol for smart building automation, e.g., for automated heating, air conditioning, or lighting. This paper analyses and evaluates state-of-the-art KNX devices from manufacturers Merten, Gira and Siemens with respect to security. On the one hand, it is investigated if publicly known vulnerabilities like insecure storage of passwords in software, unencrypted communication, or denial-of-service attacks, can be reproduced in new devices. On the other hand, the security is analyzed in general, leading to the discovery of a previously unknown and high risk vulnerability related to so-called BCU (authentication) keys.

References

[1]

Thomas Hansemann and Christof Hübner. 2021. Gebäudeautomation: Kommunikationssysteme mit EIB/KNX; LON und BACnet. Carl Hanser Verlag München. Fourth Edition. ISBN: 978-3-446-46286-1

[2]

Thomas Hassler. 2014. Datensicherheit in KNX. Diploma Thesis. Technical University Vienna. Retrieved April 22, 2023 from https://web.archive.org/web/20220204175948id_/https://repositum.tuwien.at/bitstream/20.500.12708/3065/2/Hassler%20Thomas%20-%202014%20-%20Datensicherheit%20in%20KNX.pdf

[3]

Robert Gützkow. 2022. Security Analysis of the KNXnet/IP Secure Protocol. Master Thesis, Humboldt University Berlin. Retrieved April 22, 2023 from https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2022-01/SAR-PR-2022-01_.pdf

[4]

KNX Association. 2013. The KNX Standard v2.1. Retrieved April 22, 2023 from https://my.knx.org/de/shop/knxspecifications

[5]

Gira Giersiepen GmbH & Co. KG. GIRA Datenblatt. Retrieved April 22, 2023 from https://katalog.gira.de/de_DE/download.html?artikelnr=208900

[6]

KNX Association. 2020. Details. Retrieved April 22, 2023 from https://support.knx.org/hc/de/articles/115003353249-Details

[7]

KNX Association. 2021. KNX-Secure-Position-Paper. Retrieved April 22, 2023 from https://www.knx.org/wAssets/docs/downloads/Marketing/Flyers/KNX-Secure-Position-Paper/KNX-Secure-Position-Paper_de.pdf

[8]

Microsoft Learn. Dokumentation: PasswordDeriveBytes Klasse. Retrieved April 22, 2023 from https://learn.microsoft.com/de-de/dotnet/api/system.security.cryptography.passwordderivebytes?view=net-6.0

[9]

Russ Housley. 2009. Cryptographic Message Syntax (CMS). RFC 5652

[10]

Johannes Goltz. 2018. Sicherheitsanalyse von Gebäudeautomationsnetzen auf Feldbusebene am Beispiel von KNX. Master Thesis, University Rostock. 2018. Retrieved April 22, 2023 from http://eprints.iuk.informatik.uni-rostock.de/689/1/Masterarbeit_Goltz.pdf

[11]

Kelly Jackson Higgins. 2021. Lights Out: Cyberattacks Shut Down Building Automation Systems. Dark Reading. Retrieved April 22, 2023 from https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems

[12]

GitHub. Robertguetzkow/ets5-password-recovery. Retrieved April 22, 2023 from https://github.com/robertguetzkow/ets5-password-recovery

[13]

GitHub. De4dot/de4dot. Retrieved April 22, 2023 from https://github.com/de4dot/de4dot

[14]

Microsoft Learn. Dokumentation: HMACSHA256 Klasse. Retrieved April 22, 2023 from https://learn.microsoft.com/de-de/dotnet/api/system.security.cryptography.hmacsha256?view=net-6.0

[15]

KNX Association. 2017. Datenpunkttyp. Retrieved April 22, 2023 from https://support.knx.org/hc/de/articles/115001133744-Datenpunkttyp

[16]

GitHub. takeshixx/knxmap. Retrieved April 22, 2023 from https://github.com/takeshixx/knxmap

[17]

GitHub. knxd/knxd. Retrieved April 22, 2023 from https://github.com/knxd/knxd

[18]

KNX Association. KNX Grundlagenwissen. Retrieved April 22, 2023 from https://www.knx.org/wAssets/docs/downloads/Marketing/Flyers/KNX-Basics/KNX-Basics_de.pdf

[19]

Global Forum of Incident Response and Security Teams (FIRST). Common Vulnerability Scoring System v3.1: Specification Document. Retrieved April 22, 2023 from https://www.first.org/cvss/v3.1/specification-document

Cited By

Aljaffan NAlhazzaa LAlbahli A(2023)Utilizing Reusable Test-Ready Models of Smart Home Systems for Testing KNX Devices2023 International Conference on Computational Science and Computational Intelligence (CSCI)10.1109/CSCI62032.2023.00257(1558-1564)Online publication date: 13-Dec-2023
https://doi.org/10.1109/CSCI62032.2023.00257

Index Terms

Security Analysis of the KNX Smart Building Protocol
1. Security and privacy
  1. Systems security
    1. Distributed systems security

Recommendations

Fragility of the Robust Security Network: 802.11 Denial of Service
ACNS '09: Proceedings of the 7th International Conference on Applied Cryptography and Network Security

The upcoming 802.11w amendment to the 802.11 standard eliminates the 802.11 deauthentication and disassociation Denial of Service (DoS) vulnerabilities. This paper presents two other DoS vulnerabilities: one vulnerability in draft 802.11w ...
A Practical Attack Against a KNX-based Building Automation System
ICS-CSR 2014: Proceedings of the 2nd International Symposium on ICS & SCADA Cyber Security Research 2014

Building automation systems rely heavily on general-purpose computers and communication protocols, which are often affected by security vulnerabilities. In this paper, we first analyze the attack surface of a real building automation system - based on ...
An Active Security Protocol against DoS Attacks
ISCC '02: Proceedings of the Seventh International Symposium on Computers and Communications (ISCC'02)

Denial of Service (DoS) attacks represent, in today's Internet, one of the most complex issues to address. A session is under a DoS attack if it cannot achieve its intended throughput due to the misbehavior of other sessions. Many research studies dealt ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security

August 2023

1440 pages

ISBN:9798400707728

DOI:10.1145/3600160

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 August 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ARES 2023

ARES 2023: The 18th International Conference on Availability, Reliability and Security

August 29 - September 1, 2023

Benevento, Italy

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
50
Total Downloads

Downloads (Last 12 months)50
Downloads (Last 6 weeks)1

Reflects downloads up to

Other Metrics

View Author Metrics

Citations

Cited By

Aljaffan NAlhazzaa LAlbahli A(2023)Utilizing Reusable Test-Ready Models of Smart Home Systems for Testing KNX Devices2023 International Conference on Computational Science and Computational Intelligence (CSCI)10.1109/CSCI62032.2023.00257(1558-1564)Online publication date: 13-Dec-2023
https://doi.org/10.1109/CSCI62032.2023.00257

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents