KNX Association statement about the security ‘leak’ in a Shenzhen KNX hotel installation and about KNX security in general
(The article referring to the security leak was published in Wired – Here’s How Easy It Could Be for Hackers to Control Your Hotel Room)
The cradle of the KNX system lies as far back as the nineties, where security issues were not such a hot topic as they are today. In the recent years, KNX and its members have considerably invested in the improvement of the KNX Standard with data security mechanism, which has materialized in an updated KNX Standard with authentication and encryption methods, including also the possibility to even further secure a KNX/IP link. Such data security would allow to secure also runtime communication (data integrity, authentication and freshness).
First of all, please bear in mind that KNX has since quite some time the necessary mechanisms in devices to ensure that these can be protected against unauthorized re-programming. In other words, at installation time, every device can be locked for further access by a configuration tool by means of a password: if the password does not match, access to the device is denied and re-configuration is not possible. So, with the digital “butler” device as available in the hotel rooms in Shenzhen, it would in this case be impossible to reprogram the hotel installation. Also KNXnet/IP routers could be protected in such way.
The way the researcher has forced himself into the KNX network in the hotel in Shenzhen was in other words clearly limited to runtime communication and was done via an KNX IP link.
- Clearly the same WIFI was used for the guest free internet access as for the building automation communication: it is essential that separate Wi-Fi networks are used for these purposes, one for public access of which the key can be known and one for communication between the digital butler and the hotel room, with a key that is not revealed. In latter case, the researcher would first have had to hack his way into the Wi-Fi, before he could have achieved anything via KNX IP.
- As a next way of preventing that unauthorized sources force their way into a KNX installation via an IP link is to ensure in the IP network that only the fixed MAC addresses of the iPads on which the digital butler was installed are able to transmit via a KNXnet/IP Router into the KNX network. On top of that, it should be prevented that unauthorized software is installed on the iPads.
- To be aware of any possible replay attacks even after implementing the above measures, a good KNX visualization system should be installed to monitor runtime communication, in this way detecting abnormal runtime communication.
Also to be borne in mind is the fact that KNX runtime communication makes use of untyped information, this means that without the availability of the project data, address and data information can be seen, but cannot be interpreted. It is therefore not surprising that the researcher had to invest “a couple of days” to “figure out the codes” in the hotel installation. A simply “passer-by” would have a hard time achieving the same result.
KNXnet/IP routers moreover in their parameter settings allow to block broadcast and point to point communication traffic to KNX devices in the network, in this way again preventing that via the IP link an attempt is made to reprogram the devices.
Do not hesitate to learn more about secure KNX installations at our monthly webinar see www.knx.org/knx-en/training/knx-eacademy/webinars/Secure-KNX-Installations/index.php