building automation (in)security
TRANSCRIPT
visibility | detection | control
Building Automation
(In)Security
Dr. Elisa Costante – Head of Research
Dr. Mario Dagrada – Senior Security Researcher
Proprietary & Confidential – www.secmatters.com
SecurityMatters
University Spin-off
Located in Eindhoven
Security for ICS
visibility and detection for OT
networks
INDUSTRIAL CYBER RESILIENCE
About Smart Buildings
Building Automation Systems (BAS)
A look ahead: Smart Cities
but…
November 8, 2016 14:20
Why attack Smart Buildings?
CRITICAL BUILDINGS: airports; data centers; hospitals & public spaces
LEGACY SYSTEMS: 60% of buildings have systems that are 20 years old; no encryption; no authentication
CONNECTIVITY: more connections = more vulnerabilities; default open ports; default passwords
Building Automation Networks (simplified)
Subsystems: SURVEILLANCE | ACCESS CONTROL | HVAC
Layers: MANAGEMENT | AUTOMATION | FIELD
Management level: Workstation, Engineering Workstation, Building Management System, HMI, Streaming Software
Automation level: Building Controller, Network Video Recorder
Field level: Room Controllers, IP Cameras, I/O connections
IP protocols: BACnet/IP, HTTP, FTP, RTP
Field protocols (IP & non-IP): Modbus, LonTalk, BACnet MS/TP, KNX
Examples of Attack & Defense scenarios
HVAC
ATTACK
• Thermostats and IoT devices can be used as an entry point for data exfiltration (1,2)
• Increased temperature can damage data centers and labs
DEFENSE
• Detect changes to critical variables
• Identify undesired IT/OT communications
• Identify anomalous behavior of IoT devices
1. http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T
2. https://www.darkreading.com/risk/security-guard-busted-for-hacking-hospitals-hvac-patient-information-computers/d/d-id/1131436
Surveillance System
ATTACK
• Using IP cameras as a botnet (1)
• Turning off cameras to cover malicious physical actions
• Deleting recordings that could serve as evidence
DEFENSE
• Detect default credentials
• Detect dangerous services (UPnP)
• Detect dangerous operations (TEARDOWN)
1. https://safeandsavvy.f-secure.com/2018/04/25/researchers-find-way-to-generate-master-keys-to-hotels/
Hack like a movie-star: fact or fiction?
Surveillance system architecture
Surveillance cameras → network switch → network video recorder (RTSP/RTP)
Storage server, local monitoring
Surveillance system protocols
RTSP
Real Time Streaming Protocol, usually over TCP
Designed to control stream parameters, not deliver the data
RTP
Real-time Transport Protocol, usually over UDP
Designed for real-time transfer of audio and video data
Secure version SRTP available, but rarely used
RTSP: establishing connection
Camera uses the RTSP protocol to establish a TCP channel with the NVR
RTP: streaming
RTP protocol is used for the camera to stream audio and video to the NVR
RTSP: keep alive
The NVR continuously exchanges GET_PARAMETER messages with the camera to keep the connection alive
What happens on the network
Prerequisites:
• The attacker is inside the network
• Open source tools + simple scripting
Attack in action – man-in-the-middle & recording
videosnarf -i dahua-eavesdrop-traffic.pcapng && ffmpeg -i H264-media-1.264 footage.avi
Attack in action – break communication
if (ip.proto == TCP && tcp.dst == 554) {
    if (search(DATA.data, "GET_PARAMETER")) {
        replace("GET_PARAMETER", "TEARDOWN");
    }
}
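The DEFENSE side of the exchange above, as an added example that is not part of the slides: a small monitor for the RTSP control channel between NVR and camera. It parses RTSP request lines seen towards port 554, raises an alert on any TEARDOWN (a recording NVR should never tear a camera session down) and reports sessions whose GET_PARAMETER keep-alives have gone silent. The addresses, session ids and traffic records are constructed for the example.

```python
# Added example (not from the slides): monitor the RTSP control channel between NVR and
# camera. It flags TEARDOWN requests on sessions that should stream continuously and
# reports sessions whose GET_PARAMETER keep-alives have gone silent.
import re
REQUEST_LINE = re.compile(r"^([A-Z_]+) (rtsp://\S+) RTSP/1\.0\r?$", re.M)

def parse_rtsp_request(payload):
    """Return (method, url, session_id) for an RTSP request; None for responses/other data."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    s = re.search(r"^Session: *([^\r\n;]+)", payload, re.M)   # ignore a ';timeout=' suffix
    return (m.group(1), m.group(2), s.group(1) if s else None)

def monitor_rtsp(records, now, keepalive_timeout=60.0):
    """records: (timestamp, src, dst, tcp_payload) seen towards port 554, in time order.
    `now` is the sensor clock when the check runs. Returns a list of alert strings."""
    alerts, last_seen = [], {}        # last_seen: (src, dst, session) -> last request time
    for ts, src, dst, payload in records:
        req = parse_rtsp_request(payload)
        if req is None:
            continue
        method, url, session = req
        if method == "TEARDOWN":      # a recording NVR should never tear a camera session down
            alerts.append(f"TEARDOWN from {src} to {dst} (session {session}): {url} stopped")
            last_seen.pop((src, dst, session), None)
        else:
            last_seen[(src, dst, session)] = ts
    for (src, dst, session), ts in last_seen.items():
        if now - ts > keepalive_timeout:   # keep-alives stopped without any TEARDOWN
            alerts.append(f"no keep-alive for {now - ts:.0f}s on {src}->{dst} session {session}")
    return alerts

# Constructed sample: NVR 10.0.0.20 refreshes two camera sessions every 30 s; session A1
# is then torn down, session B2 simply stops being refreshed.
def rtsp_msg(method, cam, cseq, session):
    return (f"{method} rtsp://{cam}:554/cam/realmonitor RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\nSession: {session}\r\n\r\n")

NVR = "10.0.0.20"
SAMPLE = [(t, NVR, "10.0.0.30", rtsp_msg("GET_PARAMETER", "10.0.0.30", 10 + i, "A1"))
          for i, t in enumerate((0.0, 30.0, 60.0))]
SAMPLE += [(t, NVR, "10.0.0.31", rtsp_msg("GET_PARAMETER", "10.0.0.31", 20 + i, "B2"))
           for i, t in enumerate((5.0, 35.0))]
SAMPLE.append((90.0, NVR, "10.0.0.30", rtsp_msg("TEARDOWN", "10.0.0.30", 13, "A1")))
SAMPLE.sort(key=lambda r: r[0])

if __name__ == "__main__":
    print(*monitor_rtsp(SAMPLE, now=200.0), sep="\n")
```

Where the sensor sits matters: placed between the attacker and the camera it sees the rewritten TEARDOWN, placed on the NVR side it only sees the keep-alives stop, so both checks are needed.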
Attack in action – replay recorded footage
Replayed footage (viewed by the security officer)
Real footage (hidden from the security officer)
Building subsystems architecture
BACnet/IP
BACnet/MS/TP
BMS
Building automation protocols
BACnet
No. 1 protocol for building automation
Complex, object-oriented protocol
Used by several subsystems: HVAC, lighting…
Security rarely implemented
Spoofing attack
BACnet/IP
BACnet/MS/TP
BMS
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet protocol (open spec) + simple scripting
router spoofing
Denial of Service attack
BACnet/IP
BACnet/MS/TP
BMS
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet protocol (open spec) + simple scripting
Who-Is / I-Am
DoS attack in practice
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet + simple scripting
Router
BMS
Attacker
Switch
Attack Example
Prerequisites:
• The attacker is inside the network
• Knowledge of BACnet + simple scripting
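Detection for the two BACnet scenarios above (router spoofing and the Who-Is / I-Am denial of service), as an added example that is not part of the slides. It assumes the spoofing takes the form of a host falsely announcing itself with I-Am-Router-To-Network, and the DoS the form of a Who-Is flood, to which every device answers with a broadcast I-Am; the parser handles only the plain BACnet/IP BVLC and NPDU layout, and the frames, hosts and thresholds are constructed.

```python
# Added example (not from the slides): minimal BACnet/IP parser plus detections for a
# Who-Is flood and for an I-Am-Router-To-Network announcement from a host that is not a known router.
from collections import defaultdict
NPDU_NET_MSG, I_AM_ROUTER_TO_NETWORK = 0x80, 0x01  # NPDU control bit 7 / network message type
UNCONFIRMED_REQ, WHO_IS = 0x10, 0x08               # APDU type nibble / service choice

def parse_bacnet_ip(frame):
    """Return ('net', msg_type, None) or ('apdu', pdu_type, service); None if malformed."""
    try:
        if frame[0] != 0x81 or frame[1] not in (0x0A, 0x0B):   # BVLC unicast/broadcast NPDU
            return None
        if int.from_bytes(frame[2:4], "big") != len(frame) or frame[4] != 0x01:
            return None                                        # BVLC length / NPDU version
        control, pos = frame[5], 6
        if control & 0x20:                                     # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + frame[pos + 2]
        if control & 0x08:                                     # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + frame[pos + 2]
        pos += 1 if control & 0x20 else 0                      # hop count follows when DNET present
        if control & NPDU_NET_MSG:
            return ("net", frame[pos], None)
        return ("apdu", frame[pos] & 0xF0, frame[pos + 1])
    except IndexError:
        return None

def detect(events, known_routers, window=1.0, max_who_is=20):
    """events: (timestamp, src_ip, frame) in time order. Returns a list of alert strings."""
    alerts, who_is_times = [], defaultdict(list)
    for ts, src, frame in events:
        p = parse_bacnet_ip(frame)
        if p is None:
            continue
        if p[:2] == ("net", I_AM_ROUTER_TO_NETWORK) and src not in known_routers:
            alerts.append(f"router spoofing: I-Am-Router-To-Network from {src}")
        elif p[1:] == (UNCONFIRMED_REQ, WHO_IS):
            times = who_is_times[src]
            times.append(ts)
            while ts - times[0] > window:                      # sliding window per source
                times.pop(0)
            if len(times) == max_who_is:                       # alert once when the rate crosses
                alerts.append(f"Who-Is flood: {max_who_is} in {window}s from {src}")
    return alerts

# Constructed sample frames: a bare Who-Is and an I-Am-Router-To-Network for network 5.
WHO_IS_FRAME = bytes([0x81, 0x0B, 0x00, 0x08, 0x01, 0x00, 0x10, 0x08])
ROUTER_FRAME = bytes([0x81, 0x0B, 0x00, 0x09, 0x01, 0x80, 0x01, 0x00, 0x05])
SAMPLE = [(0.0, "10.0.0.1", ROUTER_FRAME), (0.2, "10.0.0.10", WHO_IS_FRAME),
          (5.0, "10.0.0.66", ROUTER_FRAME)]            # 10.0.0.1 is the legitimate router
SAMPLE += [(6.0 + i * 0.01, "10.0.0.66", WHO_IS_FRAME) for i in range(25)]
```

Running `detect(SAMPLE, known_routers={"10.0.0.1"})` yields one router-spoofing alert and one flood alert, both for 10.0.0.66, while the BMS's single Who-Is from 10.0.0.10 stays quiet.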
What we are busy with
ASSET INVENTORY
NETWORK MONITORING
ANOMALY DETECTION
THREAT HUNTING
gain visibility, know your devices, new hosts and links, indicators of compromise
raw network traffic → actionable information
Key takeaways
Landscape
• Smart buildings rely on legacy systems with no security in mind
• Cyber risks for smart buildings are on the rise
• Building automation networks are vulnerable
Visibility
• See what your network devices are doing
• Assess risks, threats and vulnerabilities
• Understand the current resilience state of your network
Detection
• Catch known and unknown threats
• Pinpoint weak spots and current inefficiencies
• Gather all evidence required for incident response
Q&A
visibility | detection | control
@sec_matters
securitymatters_bv
www.secmatters.com