The e-magazine for KNX home & building control

Security: the pitfalls of being hacked and how to avoid them using basic IT skills

KNX professionals Andy Ellis and Julio Díaz García point out the pitfalls of an unsecure system, and how to avoid them by investing in basic IT skills.

If your KNX system is connected to the outside world, are you sure it’s secure? If not, what are the possible consequences? First, we talk to Andy Ellis about his experience of a recent event where a KNX installation was hacked. We follow this with Julio Díaz’s advice on how to avoid this situation by employing proper IT mechanisms for communication.

What happens if your system is not secure?

Andy Ellis: The first thing you would think of in terms of a breach in security is the hacker’s ability to capture data from the KNX bus. I question what someone would do with this information, but the fact is, without a secure KNX system, external sources may have access to this data. 


Secondly, in an unsecure system, the possibility exists for a third party to send data to the system. With this comes potential for the programming to be corrupted, or worse still, for a particular component or components to be corrupted. Here I think it relevant to relay my experiences of recent events.

We had a call from a site that had lost all lighting control and, as it happens, heating as well. The site was well over ten years old and had been operating just fine before the event. Although a copy of the ETS file was available, there was no other documentation from the previous installer.

Establishing where the problem lies

Our first attempt to diagnose was over the phone and by email, and early indications were that there was a possible power supply or bus issue. A visit was required to take things further. A quick visual inspection showed that there were no mains breakers tripped, room controllers and switches were powered (they had active screens and/or LEDs lit). The main distribution boards also had relays and dimmers with LEDs on in various states. Hmmm. So maybe it’s not a power supply problem. After checking the bus voltage and then powering down the power supply and isolating, it appears that the bus power is fine. Curious.

So what is connected to the bus? Perhaps there is a short, or some form of corruption. Further investigation shows an active IP interface and a ‘third-party logic module’ (Ethernet-connected) and connection to a third-party automation system which has lighting and heating control available on its displays. Physical disconnection of these devices has no effect on the state of the system.

ETS diagnostics

So are we able to plug a laptop in and use ETS diagnostics? Well yes… and a line scan shows quite a number of active components. Upon closer inspection of the properties of individual components, we find that certain items – the ones that are not working – such as room controllers, switches and dimmers have no group address table! Well, that will be why they don’t work then!

Further analysis reveals that these faulty components will not accept a program download as they have ‘BCU pass’ enabled (but it’s not enabled in the program, and to the best of anybody’s knowledge, never has been). The ONLY way to re-program these items is to perform a factory reset. And guess what? A majority of the individual KNX components cannot be factory reset. The end result is a site that is totally inoperable and requires many thousands of pounds’ worth of new components to fix, plus of course the engineer’s/programmer’s labour.

So what caused this catastrophic failure? I don’t know, and in all probability I will never know. However, there is a very high probability that as the system had an IP interface with remote connection, some form of remote ‘attack’ took place.

Lessons learnt: firstly, does your KNX system need to be connected to the outside world? If you are considering this then what are the benefits? And if you do proceed with an IP connection, my advice would be to research and understand the full implications of a secure system. It may be that remote access into your system to retrieve data is not as concerning as malevolent remote access into your system with a view to altering the data in some way.

How to make your system secure if you have to connect your KNX system to the outside world


Julio Díaz García: First, I must underscore the principle that KNX is an ‘open and secure’ technology. However, we must ensure that we apply the appropriate criteria and the tools that KNX Association and the ETS tool make available to us to guarantee this principle. Being able to access facilities remotely is an advantage that KNX offers and a necessity in many cases. In homes, for example, it makes life much easier for users in many aspects including supervision, remote modification of setpoints, reception of alarms and warnings, etc. For buildings, it can allow 24/7 remote maintenance when the manager, the proprietor or the integrator needs to manage their facilities without traveling unnecessarily.

Ensuring safe access

Before commenting on what we can do to achieve a secure and remotely accessible installation, I have to stress what should NEVER be done: allowing remote access through UDP port 3671. This point is known to hackers and is equivalent to a ‘red carpet’ for these unwanted guests.

Another tool available to the integrator is the BCU Key, available for many years for all KNX devices (except the very old System-1 devices). My advice is that devices should always be programmed with a BCU key since the attacker would have to guess the password among 4.29 billion possibilities. Using the BCU key is not a nuisance for the integrator as the ETS never asks for it, if the original ETS project is being used.

To allow safe access to a KNX installation there are several possibilities:

1) Configure a VPN connection on the installation router. This is the best option but can sometimes be complex for regular integrators.

2) Use KNX IP gateways that allow the configuration of VPN secure services such as OpenVPN, ZeroTier etc.

3) Use KNX IP access devices with encrypted communication.

4) Use KNX TP devices with IP (non-KNX standard) cloud connection.

5) For medium and big installations use a BMS platform with a KNX native driver that enables the secure integration and monitoring of massive KNX installations.

These methods are aimed at avoiding the scenario described by Andy at the beginning of this article, which in my opinion is the most dangerous and currently the easiest for hackers if the appropriate measures are not taken. Additionally, the use of KNX IP Secure and KNX Data Secure devices in the facilities will solve any additional threat scenario that may arise.

Open, Secure and Connected

KNX Association offers a variety of information about the security of installations in the form of brochures, videos and webinars. In addition, KNX Training Centres offer KNX Partners and others a range of helpful courses, including KNX Advanced training and the new KNX Refresher training which include a chapter dedicated to dealing with all of the above topics. All of this is designed to ensure that KNX installations continue to be state-of-the-art, all over the world, whilst remaining open, secure and connected.
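The warning above about UDP port 3671 can be checked on the installation router itself. The following is an added example, not part of the original article or either contributor's material: it assumes a Linux-based router whose NAT rules are exported with `iptables-save`, and the interface name, addresses and rules in the sample are constructed. It lists every port-forward that lets UDP 3671 through, including forwards hidden in a port range or a multiport list.

```python
import shlex

KNX_PORT = 3671  # KNXnet/IP UDP port named in the article

# Constructed sample in iptables-save format (assumed router, made-up addresses).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i wan0 -p udp -m udp --dport 3671 -j DNAT --to-destination 192.168.1.20:3671
-A PREROUTING -i wan0 -p udp -m multiport --dports 1194,3600:3700 -j DNAT --to-destination 192.168.1.20
-A PREROUTING -i wan0 -p tcp -m tcp --dport 3671 -j DNAT --to-destination 192.168.1.30:3671
-A PREROUTING -i wan0 -s 203.0.113.7/32 -p udp -m udp --dport 3671 -j DNAT --to-destination 192.168.1.20:3671
-A PREROUTING -i wan0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
COMMIT
"""


def spec_covers(spec, port):
    """True if an iptables port spec ('3671', '3600:3700', '80,443') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False


def find_knx_forwards(ruleset, port=KNX_PORT):
    """Return (line_no, allowed_source, destination) for each DNAT rule exposing UDP port."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", "PREROUTING"]:
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        negated = {t for i, t in enumerate(tok) if i and tok[i - 1] == "!"}
        if opts.get("-j") != "DNAT" or opts.get("-p", "all") not in ("udp", "all"):
            continue
        key = "--dports" if "--dports" in opts else "--dport"
        # No port match at all means every port, 3671 included, is forwarded.
        covered = spec_covers(opts.get(key, "0:65535"), port)
        if covered == (key in negated):  # '! --dport X' inverts the match
            continue
        source = opts["-s"] if "-s" in opts and "-s" not in negated else "any"
        findings.append((n, source, opts.get("--to-destination", "?")))
    return findings


if __name__ == "__main__":
    for n, source, dest in find_knx_forwards(SAMPLE_RULES):
        print(f"line {n}: UDP {KNX_PORT} forwarded to {dest} (source: {source})")
```

Rules limited to a single source address are still reported, with the source shown, so the integrator can decide whether to replace them with one of the VPN options listed above.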

Andy Ellis is the founder and managing director of Household Automation Ltd, and its sister company Knxion Ltd, providers of building automation consultancy, design, installation and aftercare services to clients who are involved in building residential and commercial properties.

Julio Díaz is an Industrial Engineer and the owner of SAPIENX AUTOMATION, a Spanish company dedicated to engineering and consulting and a KNX++ Certified Training Centre with 25 years of experience in home and building automation and BMS solutions.
