
    A Practical Attack Against a KNX-based Building Automation System

    2nd International Symposium for ICS & SCADA Cyber Security Research 2014 (ICS-CSR 2014)

    St Pölten, Austria, 11-12 September 2014


    Alessio Antonini, Federico Maggi & Stefano Zanero



    Building automation systems rely heavily on general-purpose computers and communication protocols, which are often affected by security vulnerabilities. In this paper, we first analyze the attack surface of a real building automation system, based on the widely used KNX protocol, connected to a general-purpose IP network. To this end, we analyze the vulnerabilities of KNX-based networks highlighted by previous research work, which, however, did not corroborate their findings with experimental results. To verify the practical exploitability of these vulnerabilities and their potential impact, we implement a full-fledged testbed infrastructure that reproduces the typical deployment of a building automation system. On this testbed, we show the feasibility of a practical attack that leverages and combines the aforementioned vulnerabilities. We show the ease of reverse engineering the vendor-specific components of the KNX protocol. Our attack leverages the IP-to-KNX connectivity to send arbitrary commands, which are executed by the actuators. We conclude that the vulnerabilities highlighted by previous work are effectively exploitable in practice, with severe results. Although we use KNX as a target, our work can be generalized to other communication protocols, which are often characterized by similar issues. Finally, we analyze the countermeasures proposed in previous literature and reveal the limitations that prevent their adoption in practice. We suggest a practical stopgap measure to protect real KNX-based BASs from our attack.



    Print copies of ICS-CSR 2014 (ISBN 978-1-78017-286-6, RRP £85) are available from the BCS bookshop.