bms is destroyed
play

BMS is destroyed by "smart button" About me I am working at - PowerPoint PPT Presentation

Apr 25, 2023 •27 likes •757 views

BMS is destroyed by "smart button" About me I am working at Specialize in ICS security of embedded devices Dedicate a lot of time to programming industrial controllers for ICS Took part in smart home development projects 2

  1. BMS is destroyed by "smart button"

  2. About me I am working at • Specialize in ICS security of embedded devices • Dedicate a lot of time to programming industrial controllers for ICS • Took part in smart home development projects 2

  3. Content • What is BMS • Introduction to KNX • Ideal world • Real world 3 BMS is destroyed by "smart button"

  4. News about cyber attack on BMS 4 BMS is destroyed by "smart button"

  5. What is BMS 5 BMS is destroyed by "smart button"

  6. What is BMS B uilding M anagement S ystem - BMS Management level PLC / HMI Automation level Field level sensors actuators 6 BMS is destroyed by "smart button"

  7. Main objectives of BMS Reduce power consumption Control operation of different systems Ensure visitors’ comfort 7 BMS is destroyed by "smart button"

  8. Environment is BMS 8 BMS is destroyed by "smart button"

  9. Environment of KNX Al Maktoum International Airport Welt Museum Wien Asia Square 9 BMS is destroyed by "smart button"

  10. Environment of KNX Indoor presence detection Room Thermostat Heating, Ventilation and Air Conditioning …. Transponder reader 10 BMS is destroyed by "smart button"

  11. Environment of KNX ABB KNX solutions for hotel applications 11 BMS is destroyed by "smart button"

  12. Introduction to KNX 12

  13. Physical communication media KNX - TP KNXnet/IP (Twisted pair) 9600 bit/s KNX - PL KNX - RF Power Line (PL110) 16384 bit/s 1200 bit/s 868 MHz 13 BMS is destroyed by "smart button"

  14. KNX address space max 15 areas 1 area – max 15 lines 1 line – max 255 nodes 14 BMS is destroyed by "smart button"

  15. KNX-TP frame 15 BMS is destroyed by "smart button"

  16. KNX-TP frame Control byte 16 BMS is destroyed by "smart button"

  17. KNX-TP frame Source address node line area 17 BMS is destroyed by "smart button"

  18. KNX-TP frame Receiver address It depends on Group Address Style 18 BMS is destroyed by "smart button"

  19. KNX-TP frame Receiver address It depends on Group Address Style 19 BMS is destroyed by "smart button"

  20. KNX-TP frame NPCI 20 BMS is destroyed by "smart button"

  21. KNX-TP frame TPCI / APCI 21 BMS is destroyed by "smart button"

  22. KNX-TP frame 22 BMS is destroyed by "smart button"

  23. KNXnet/IP frame 1 byte 1 byte 2 bytes 2 bytes Multicast @ 224.0.23.12:3671 23 BMS is destroyed by "smart button"

  24. KNXnet/IP frame Second Control Byte In KNXnet/IP 24 BMS is destroyed by "smart button"

  25. Ideal world 25

  26. KNX Position Paper on Data Security and Privacy 26 BMS is destroyed by "smart button"

  27. KNX Position Paper on Data Security and Privacy 27 BMS is destroyed by "smart button"

  28. KNX Position Paper on Data Security and Privacy 1 2 ETS5 provides security connection HOWEVER … 28 BMS is destroyed by "smart button"

  29. Real world 29

  30. Expectations and reality ETS5 provides security connection 30 BMS is destroyed by "smart button"

  31. Shodan, Censys , … 31 BMS is destroyed by "smart button"

  32. How to connect to KNX TP stand-alone device “smart” transceiver (NCN5120 or E981.03) Design self-transceiver 32 BMS is destroyed by "smart button"

  33. Tools to work with KNX ETS software Press button to switch “Program mode” Commit/configure node 33 BMS is destroyed by "smart button"

  34. Tools to work with KNX pwnknx Ethernet (via IP gateway) Ethernet/Wi-Fi (based on esp32) connection KNX-TP (based on esp32) https://github.com/Xarlan/pwnknx 34 BMS is destroyed by "smart button"

  35. Tools to work with KNX pwnknx • sniff To get information about number line, address format, which used • To find all nodes in a line, because ETS5 sometimes can’t display all scan of them • read Read configuration from node (APCI “memory read”) • write W rite configuration to node (APCI “memory write”) • set_key Set the authorization key (APCI “Escape” + extended APCI bits ) 35 BMS is destroyed by "smart button"

  36. Attack to field level Connect anywhere to KNX TP 1 floor • Listen the traffic and slightly understand the type of devices 2 floor • Replay attack 3 floor Ethernet KNX-TP 36 BMS is destroyed by "smart button"

  37. Attack to field level • Discover KNX-TP segment 1 floor • Manage nodes in current KNX-TP segment 2 floor 3 floor Lock Ethernet KNX-TP 37 BMS is destroyed by "smart button"

  38. Attack to field level • Use APCI “Read memory” to get info 1 floor IP 192.168.1.222 Mask 255.255.255.255 Gateway 2 floor 192.168.1.1 Status router Lock or Unlock … 3 floor Lock Ethernet KNX-TP 38 BMS is destroyed by "smart button"

  39. Attack to field level 1 floor • Use APCI “Write memory” to change 2 floor the configuration node or IP router 3 floor Lock Ethernet KNX-TP 39 BMS is destroyed by "smart button"

  40. Attack to field level 1 floor • Use APCI “Write memory” to change 2 floor the configuration node or IP router 3 floor Unlock Ethernet KNX-TP 40 BMS is destroyed by "smart button"

  41. Attack to field level 1 floor • Discover and manage all nodes in 2 floor KNX-TP & KNXnet/IP 3 floor Unlock Ethernet KNX-TP 41 BMS is destroyed by "smart button"

  42. Attack to field level • APCI “User Message” we can to send up to 69 bytes, not 15 bytes, some router can transfer 69 bytes form knx-tp to KNXnetIP • Padding for Ethernet frame for some KNX IP router don’t forget about 42 BMS is destroyed by "smart button"

  43. Attack to field level • No needed to switch to “program mode” in ETS5 you need switch to “program mode” to change configuration of node in real life – use APCI “memory read/write” without “key authorization” • APCI “Escape” + Key authorization use to “memory access- protection” However, some nodes can confirm that the authorization key was changed, but in reality nothing happened!!! 43 BMS is destroyed by "smart button"

  44. Update firmware via KNX-TP KNXnet/IP KNX-TP 44 BMS is destroyed by "smart button"

  45. Update firmware via KNX-TP KNXnet/IP KNX-TP 45 BMS is destroyed by "smart button"

  46. Update firmware via KNX-TP KNXnet/IP KNX-TP 46 BMS is destroyed by "smart button"

  47. Update firmware via KNX-TP KNXnet/IP KNX-TP 47 BMS is destroyed by "smart button"

  48. Update firmware via KNX-TP How to update firmware on IP router from field side ? Use APCI “User Message” • to read firmware: • to write firmware: APCI = 0x2C0 (User Message) APCI = 0x2C2 (User Memory Write) Data = [0xXX, …, 0xXX] Data = [0xXX, …, 0xXX] where where 0xXX – the part of firmware 0xXX – the part of firmware 48 BMS is destroyed by "smart button"

  49. Update firmware How to get control over the device Connect to the Ethernet Run “vendor name” Update Tool Update 49 BMS is destroyed by "smart button"

  50. Inside the IP router Possible MCU: Possible OS: • • ATmega128 Nut/OS • Linux • AT91SAM9G20 • • NXP LPC2366 Custom firmware Possible transceiver: • FZE1066 • EIB-TP-UART-IC • E981.03 50 BMS is destroyed by "smart button"

  51. Attack to Automation level Linx 150  programmable automation stations  program connectivity functions to concurrently integrate: CEA ‐ 709 (LonMark Systems); • • BACnet; • KNX; • Modbus; M ‐ Bus • 51 BMS is destroyed by "smart button"

  52. External interfaces Linx 150 microSD Manual control USB Ethernet 52 BMS is destroyed by "smart button"

  53. Connecting to the Linx 150 Linx 150 Serial 38,400 bps / 8 data bits / no parity / 1 stop bit / no handshake Manual Ethernet • http web server • ftp • ssh • … 53 BMS is destroyed by "smart button"

  54. Manual connection You can do anything!!! 54 BMS is destroyed by "smart button"

  55. HTTP web Linx 150 A lot of information for guest 55 BMS is destroyed by "smart button"

  56. HTTP web Linx 150 Account: admin Password : loytec4u Don’t forget, that the communication happens via HTTP, FTP 56 BMS is destroyed by "smart button"

  57. HTTP web Linx 150 min: 1 symbol max: 15 symbols 57 BMS is destroyed by "smart button"

  58. Bruteforce Analyze /etc/init.d/S35firewall and other network settings rules in iptables NOT fail2ban sshguard if you miss - engage in brute force 58 BMS is destroyed by "smart button"

  59. Step aside 59 BMS is destroyed by "smart button"

  60. Inside firmware image Linx 150 linx_at91_6_4_6_20190213_1030.dl Download from official web site https://www.loytec.com/de/support/download/linx-150 60 BMS is destroyed by "smart button"

  61. Inside firmware image Linx 150 linx_at91_6_4_6_20190213_1030.dl A lot of Debian package + Loytec package 61 BMS is destroyed by "smart button"

Recommend

#20 The South is destroyed The Civil War ended April 9, 1865. Much of the factories,

#20 The South is destroyed The Civil War ended April 9, 1865. Much of the factories,

#20 The South is destroyed The Civil War ended April 9, 1865. Much of the factories, railroads, and farm land in the South was destroyed by the Civil War. The South would need to be rebuilt. This rebuilding of the South was called

459 views • 32 slides
Hosea 4:6 My people are destroyed for lack of knowledge: Because you have rejected

Hosea 4:6 My people are destroyed for lack of knowledge: Because you have rejected

Hosea 4:6 My people are destroyed for lack of knowledge: Because you have rejected knowledge Overview Count the Kicks was born in 2007. It is a stillbirth prevention campaign that encourages expectant parents to track their babys

532 views • 25 slides
Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave

Paradox of Death The last enemy to be destroyed is death 1 Corinthians 15:26 Grave of Lily and James Potter Death is bad Despite its inevitability, we spend massive amounts of time, money, and effort, trying to fight death

437 views • 17 slides
Housing Tai U.N. Office for the Coordination of Humanitarian Affairs stated that Israel

Housing Tai U.N. Office for the Coordination of Humanitarian Affairs stated that Israel

Housing Tai U.N. Office for the Coordination of Humanitarian Affairs stated that Israel destroyed 590 Palestinian buildings in the West Bank, including East Jerusalem in 2014 displacing 1,177 people. In January 2015 Israel destroyed 77

349 views • 6 slides
Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st Temple Destroyed by Nebuchadnezar 586 BC 2nd Temple Destroyed by Titus Legions 70 AD Bar Kochvah Revolt was Crushed 132 Rome Plowed & Salted

302 views • 13 slides
Lessons from the Storm Building (and Rebuilding) Strong, Sustainable, and Disaster Resilient

Lessons from the Storm Building (and Rebuilding) Strong, Sustainable, and Disaster Resilient

Lessons from the Storm Building (and Rebuilding) Strong, Sustainable, and Disaster Resilient Communities Arkadelphia Tornado March 1, 1997 F-4 Tornado 60 Blocks of the downtown area destroyed Destroyed: 76 mobile homes 70 single

624 views • 23 slides
The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a

The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a

The Hidden City The Hidden City Decay: To be slowly destroyed by natural processes and enter a state of ruin. Starting off.. St Fagans Llandaff Cathedral Laura Edgar www.lauraedgar.co.uk A little bit of history.. First ever Bute Docks,

661 views • 20 slides
Offshore Mariculture Conference 2016 2050= 9.3 Billion people We have destroyed land and produced

Offshore Mariculture Conference 2016 2050= 9.3 Billion people We have destroyed land and produced

Offshore Mariculture Conference 2016 2050= 9.3 Billion people We have destroyed land and produced Climate change Consuming resources and arable land...On the other hand, we have plenty of water space that we could transform into a productive

177 views • 17 slides
+ + A B A B A B A B S 8( s ) + O 2( g ) SO 2( g ) MnO 2 H 2 O 2 ( l ) H 2 O ( l ) + O

+ + A B A B A B A B S 8( s ) + O 2( g ) SO 2( g ) MnO 2 H 2 O 2 ( l ) H 2 O ( l ) + O

Chemical RXN: Rearrangement of atoms Atoms neither created nor destroyed Chemical reactions Evidence a chemical RXN has occurred: Color change Solid forms (precipitate) Gas is produced Heat generated State subscripts

304 views • 4 slides
C YC LON E D IN E O RE PA IR W ORK S C A S E S T UD Y 16/10/17 C YC LO NE DINEO Cyclone Dineo

C YC LON E D IN E O RE PA IR W ORK S C A S E S T UD Y 16/10/17 C YC LO NE DINEO Cyclone Dineo

C YC LON E D IN E O RE PA IR W ORK S C A S E S T UD Y 16/10/17 C YC LO NE DINEO Cyclone Dineo hit Mozambique on the 15 th of February 2017 Around 20,000 homes were destroyed and approximately 130,000 people affected. Responding to

508 views • 13 slides
Okanagan Mountain Park Fire (Kelowna, BC, 2003) 64000 acres, $33.8 million,239 homes destroyed N

Okanagan Mountain Park Fire (Kelowna, BC, 2003) 64000 acres, $33.8 million,239 homes destroyed N

V ISUALIZING W ILDFIRE N ARRATIVES LAS 2015 D ECEMBER 2, 2015 C HRISTOPHER G. H EALEY B RANDA N OWELL AJ F AAS N ORTH C AROLINA S TATE U NIVERSITY S AN J OSE S TATE U NIVERSITY SIC PARVIS MAGNA NC STATE UNIVERSITY

529 views • 26 slides
What Were You Thinking?! ?!?! What are you thinking? 1 Samuel 27:14 But David thought to

What Were You Thinking?! ?!?! What are you thinking? 1 Samuel 27:14 But David thought to

What Were You Thinking?! ?!?! What are you thinking? 1 Samuel 27:14 But David thought to himself, One of these days I will be destroyed by the hand of Saul. The best thing I can do is to escape to the land of the Philistines. Then

533 views • 25 slides
What does it mean to be a new testament church in our current reality? Problem THE COVID-19

What does it mean to be a new testament church in our current reality? Problem THE COVID-19

What does it mean to be a new testament church in our current reality? Problem THE COVID-19 PANDEMIC HAS DESTROYED THE 3 BASIC METRICS MANY NORTH AMERICAN CHURCHES USE TO MEASURE SUCCESS: Buildings - Physical campuses are empty Bodies -

382 views • 16 slides
Contam ination Charging Charge balance in the sam ple Electrons cannot be I b I b I b

Contam ination Charging Charge balance in the sam ple Electrons cannot be I b I b I b

Contam ination Charging Charge balance in the sam ple Electrons cannot be I b I b I b created or destroyed so currents at a point must sum to zero. The current flow to earth I sc is the difference between sc the in and out

287 views • 27 slides
Lecture 25: Anthropogenic Changes: Oceans pick up HW 7, 10 older HW outside *** check your

Lecture 25: Anthropogenic Changes: Oceans pick up HW 7, 10 older HW outside *** check your

Lecture 25: Anthropogenic Changes: Oceans pick up HW 7, 10 older HW outside *** check your grades online! *** HW9/aqu trip 1 will be destroyed today 2 office hours: tomorrow, next MONDAY 2 discussion sessions this week (none next week)

460 views • 13 slides
VEGETATION MANAGEMENT 1 19-0630 1 of 20 Why Are We Here? Fire danger seems to be increasing

VEGETATION MANAGEMENT 1 19-0630 1 of 20 Why Are We Here? Fire danger seems to be increasing

VEGETATION MANAGEMENT 1 19-0630 1 of 20 Why Are We Here? Fire danger seems to be increasing 15 of the largest 20 fires in California have happened since 2000 Since 2007, the County has seen major fires that have destroyed structures

539 views • 20 slides
to your home church! Not Ashamed 2 Timothy 1:8-12, 15-18 Do not be ashamed Join

to your home church! Not Ashamed 2 Timothy 1:8-12, 15-18 Do not be ashamed Join

Welcome to your home church! Not Ashamed 2 Timothy 1:8-12, 15-18 Do not be ashamed Join me in suffering for the gospel I. Do Not be Ashamed of the Message 1. He saved us (9a) 2. He called us (9a-10a) 3. He destroyed the power

286 views • 7 slides
Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time Environment The static source code requires considerable support to be executed on a computer Data objects must be created and destroyed

590 views • 42 slides
Energy Essential Knowledge Objectives 4.A.6 (a-d, g) 4.B.4 (b) Matter and Energy Energy

Energy Essential Knowledge Objectives 4.A.6 (a-d, g) 4.B.4 (b) Matter and Energy Energy

Ecosystems and Energy Essential Knowledge Objectives 4.A.6 (a-d, g) 4.B.4 (b) Matter and Energy Energy enters, flows through, and exits an ecosystem Matter cannot be created or destroyed, but it can change form (recycled) law of

520 views • 27 slides
Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5

Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5

Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5 Computer controlled medical X-ray 7 billion dollar rocket was destroyed after 40 treatments secs (6/4/1996) Six people died/injured due to

354 views • 23 slides
AUSTRALIA 1606 William Jansz - first European to see Australia 1788 Feb. 3 First Christian

AUSTRALIA 1606 William Jansz - first European to see Australia 1788 Feb. 3 First Christian

AUSTRALIA 1606 William Jansz - first European to see Australia 1788 Feb. 3 First Christian service is held. First female convicts land debauchery and riots immediately follow. Feb. 6 1798 Oct. 1 First Sydney church is destroyed by a

455 views • 7 slides
Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M

Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M

Textile Cultural tradition and their Preservation, Promotion and development By: Rosalia M Soares Facts Many collection of the National collection have been lost, stolen, sold and destroyed during the time of conflict; Tais plays a

484 views • 25 slides
>> ECOCIDE UNI UNITE TED NA NATIONS ONS The Rome Statute of the International Crime

>> ECOCIDE UNI UNITE TED NA NATIONS ONS The Rome Statute of the International Crime

ECOC OCIDE In World War II people have been killed systematically on a large scale >> GENOCIDE Now our planet is being destroyed systematically on a large scale >> ECOCIDE UNI UNITE TED NA NATIONS ONS The Rome Statute of

595 views • 56 slides
for the Halfway House Granite Dome Johan van der Waals Why do we end up with bleeding

for the Halfway House Granite Dome Johan van der Waals Why do we end up with bleeding

The Development of a Detailed Wetland Management Guideline for the Halfway House Granite Dome Johan van der Waals Why do we end up with bleeding wetlands? 2008 09 07 Why do we end up with destroyed wetlands? 2009 11 12 Pan African

501 views • 32 slides

More recommend