DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet
Our reference | DIVD-2022-00061 |
Case lead | Pepijn van der Stap |
Researcher(s) |
|
CVE(s) |
|
Product | KNXNet/IP gateways (various) |
Versions | N/A |
Recommendation | Close the port(s) that are used for KNXNet/IP communication, often port 3671. If you are using a KNXNet/IP gateway, ensure that it is not accessible from the internet. |
Workaround | If you are using a KNXNet/IP gateway, make sure that it is not accessible via the internet, for example by re-configuring the router to announce these routes only to the local network. |
Status | Closed |
Last modified | 01 Jun 2024 18:35 CEST |
Summary
KNXNet is a protocol that is used to control home automation systems. It is used in many countries, including the Netherlands, Germany, France, and the United Kingdom. The protocol is used to control lights, heating, and other devices in a home. The protocol is also used in industrial automation systems. The protocol is used in many different ways, including via a KNXNet/IP router, which is a device that connects to a local network and allows KNXNet devices to communicate with each other.
Often, KNX is set up by a professional installer. The parties that are responsible for the KNXNet/IP gateway might have left the port that is used for KNXNet/IP communication open to the internet. This means that anyone can connect to the KNXNet/IP gateway and control the devices that are connected to it. This can be used to control lights, heating, and other devices in a home. It can also be used to control industrial automation systems.
Configuration is often done via ETS, a software application that is used to configure KNXNet devices. However, after the professional installer has set it up, the port should simply be closed; access it no longer needed. However, this is often not done which leads the KNXNet/IP interface publicly accessible on the internet.
This is a problem because it is possible to connect to the KNXNet/IP interface and to control the KNX devices that are connected to it. For attackers, it is possible to connect to an interface built on top of the KNXNet protocol and to control KNX devices that are connected to it.
This is a very serious security issue, because it means that it is possible to control devices in a home or in an industrial environment without the owner’s permission; a form of unauthorized access.
Computest released a report about these issues. DIVD has been working with Computest to investigate the possibility of informing parties of security issues in their home automation systems.
We were able to reproduce the issue and have been able to find a way to scan for vulnerable KNXNet/IP gateways. We will be informing parties with insecure home automation systems about this issue, in order to help them to secure their automation systems and to prevent unauthorized access to e.g. heating systems, lights, and other devices.
What you can do
We advise you to contact your installer to make sure that the KNXNet/IP interface is no longer accessible via the internet and that the port(s) are closed.
If you set up your home automation system yourself, make sure that the KNXNet/IP interface is not accessible via the internet and that the port(s) are closed.
As described in ISO 22510:2019 the only way to properly secure KNX devices is for the protocol to reside in your local network. Port translation is not needed after the initial setup. If you are using a KNXNet/IP interface, make sure that it is not accessible via the internet, for example by re-configuring your router to announce these routes only to the local network.
What we are doing
We are actively scanning the internet for vulnerable KNXNet/IP interfaces and will notify system owners via the listed abuse contacts if we find any.
Timeline
Date | Description |
---|---|
08 Feb 2022 | DIVD begins to act on Computest’s report about insecure (home) automation systems (KNXNet standard) |
10 Feb 2022 | DIVD receives in depth support from Computest to further investigate the protocol and its vulnerabilities |
01 Apr 2022 | DIVD encounters some inconveniences with the KNXNet protocol and its scanning infrastructure |
01 Jun 2022 | DIVD starts again with the preliminary research on the KNXNet protocol |
02 Dec 2022 | DIVD releases a first version of this case file and starts scanning for vulnerable parties |
31 May 2023 | DIVD started notifying vulnerable parties |
01 Jun 2024 | Case closed |
More information
- Computest report
- ISO 22510:2019
- Institute of Automation, Vienna University of Technology
- Humboldt University of Berlin Institute of Computer Science