DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet

Summary

KNXNet is a protocol that is used to control home automation systems. It is used in many countries, including the Netherlands, Germany, France, and the United Kingdom. The protocol is used to control lights, heating, and other devices in a home. The protocol is also used in industrial automation systems. The protocol is used in many different ways, including via a KNXNet/IP router, which is a device that connects to a local network and allows KNXNet devices to communicate with each other.

Often, KNX is set up by a professional installer. The parties that are responsible for the KNXNet/IP gateway might have left the port that is used for KNXNet/IP communication open to the internet. This means that anyone can connect to the KNXNet/IP gateway and control the devices that are connected to it. This can be used to control lights, heating, and other devices in a home. It can also be used to control industrial automation systems.

Configuration is often done via ETS, a software application that is used to configure KNXNet devices. However, after the professional installer has set it up, the port should simply be closed; access it no longer needed. However, this is often not done which leads the KNXNet/IP interface publicly accessible on the internet.

This is a problem because it is possible to connect to the KNXNet/IP interface and to control the KNX devices that are connected to it. For attackers, it is possible to connect to an interface built on top of the KNXNet protocol and to control KNX devices that are connected to it.

This is a very serious security issue, because it means that it is possible to control devices in a home or in an industrial environment without the owner’s permission; a form of unauthorized access.

Computest released a report about these issues. DIVD has been working with Computest to investigate the possibility of informing parties of security issues in their home automation systems.

We were able to reproduce the issue and have been able to find a way to scan for vulnerable KNXNet/IP gateways. We will be informing parties with insecure home automation systems about this issue, in order to help them to secure their automation systems and to prevent unauthorized access to e.g. heating systems, lights, and other devices.

What you can do

We advise you to contact your installer to make sure that the KNXNet/IP interface is no longer accessible via the internet and that the port(s) are closed.

If you set up your home automation system yourself, make sure that the KNXNet/IP interface is not accessible via the internet and that the port(s) are closed.

As described in ISO 22510:2019 the only way to properly secure KNX devices is for the protocol to reside in your local network. Port translation is not needed after the initial setup. If you are using a KNXNet/IP interface, make sure that it is not accessible via the internet, for example by re-configuring your router to announce these routes only to the local network.

What we are doing

We are actively scanning the internet for vulnerable KNXNet/IP interfaces and will notify system owners via the listed abuse contacts if we find any.

Timeline

More information

• Computest report
• ISO 22510:2019
• Institute of Automation, Vienna University of Technology
• Humboldt University of Berlin Institute of Computer Science