Skip to the content.

DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet

Our reference DIVD-2022-00061
Case lead Pepijn van der Stap
Researcher(s)
CVE(s)
  • n/a
Product KNXNet/IP gateways (various)
Versions N/A
Recommendation Close the port(s) that are used for KNXNet/IP communication, often port 3671. If you are using a KNXNet/IP gateway, ensure that it is not accessible from the internet.
Workaround If you are using a KNXNet/IP gateway, make sure that it is not accessible via the internet, for example by re-configuring the router to announce these routes only to the local network.
Status Open
Last modified 11 Dec 2022 15:16

Summary

KNXNet is a protocol that is used to control home automation systems. It is used in many countries, including the Netherlands, Germany, France, and the United Kingdom. The protocol is used to control lights, heating, and other devices in a home. The protocol is also used in industrial automation systems. The protocol is used in many different ways, including via a KNXNet/IP router, which is a device that connects to a local network and allows KNXNet devices to communicate with each other.

Often, KNX is set up by a professional installer. The parties that are responsible for the KNXNet/IP gateway might have left the port that is used for KNXNet/IP communication open to the internet. This means that anyone can connect to the KNXNet/IP gateway and control the devices that are connected to it. This can be used to control lights, heating, and other devices in a home. It can also be used to control industrial automation systems.

Configuration is often done via ETS, a software application that is used to configure KNXNet devices. However, after the professional installer has set it up, the port should simply be closed; access it no longer needed. However, this is often not done which leads the KNXNet/IP interface publicly accessible on the internet.

This is a problem because it is possible to connect to the KNXNet/IP interface and to control the KNX devices that are connected to it. For attackers, it is possible to connect to an interface built on top of the KNXNet protocol and to control KNX devices that are connected to it.

This is a very serious security issue, because it means that it is possible to control devices in a home or in an industrial environment without the owner’s permission; a form of unauthorized access.

Computest released a report about these issues. DIVD has been working with Computest to investigate the possibility of informing parties of security issues in their home automation systems.

We were able to reproduce the issue and have been able to find a way to scan for vulnerable KNXNet/IP gateways. We will be informing parties with insecure home automation systems about this issue, in order to help them to secure their automation systems and to prevent unauthorized access to e.g. heating systems, lights, and other devices.

What you can do

We advise you to contact your installer to make sure that the KNXNet/IP interface is no longer accessible via the internet and that the port(s) are closed.

If you set up your home automation system yourself, make sure that the KNXNet/IP interface is not accessible via the internet and that the port(s) are closed.

As described in ISO 22510:2019 the only way to properly secure KNX devices is for the protocol to reside in your local network. Port translation is not needed after the initial setup. If you are using a KNXNet/IP interface, make sure that it is not accessible via the internet, for example by re-configuring your router to announce these routes only to the local network.

What we are doing

We are actively scanning the internet for vulnerable KNXNet/IP interfaces and will notify system owners via the listed abuse contacts if we find any.

Timeline

Date Description
08 Feb 2022 DIVD begins to act on Computest’s report about insecure (home) automation systems (KNXNet standard)
10 Feb 2022 DIVD receives in depth support from Computest to further investigate the protocol and its vulnerabilities
01 Apr 2022 DIVD encounters some inconveniences with the KNXNet protocol and its scanning infrastructure
01 Jun 2022 DIVD starts again with the preliminary research on the KNXNet protocol
02 Dec 2022 DIVD releases a first version of this case file and starts scanning for vulnerable parties
gantt title DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00061 - KNXNet/IP gateways often left open to the internet (still open) :2022-02-08, 2023-02-14 section Events DIVD begins to act on Computest’s report about insecure (home) automation systems (KNXNet standard) : milestone, 2022-02-08, 0d DIVD receives in depth support from Computest to further investigate the protocol and its vulnerabilities : milestone, 2022-02-10, 0d DIVD encounters some inconveniences with the KNXNet protocol and its scanning infrastructure : milestone, 2022-04-01, 0d DIVD starts again with the preliminary research on the KNXNet protocol : milestone, 2022-06-01, 0d DIVD releases a first version of this case file and starts scanning for vulnerable parties : milestone, 2022-12-02, 0d

More information