We appear to be on the path to a smarter world: a world of intelligent buildings within smart cities, linked by highly connected network infrastructure. This world promises unprecedented efficiency, automation and control over our urban environment, but it is also fraught with risk. A team of researchers recently highlighted this by hacking two of the leading building networks with relative ease.
Yong Yang, HuiYu Wu and YuXiang Li of the Tencent Blade Team first focused their attention on KNX, an established network communications protocol for building automation that has become popular in large public buildings such as stadiums, hotels, airports and industrial facilities.
They devised an innovative new attack method to seize control of KNX network components and, once they had gained access, tested their ability to tamper with occupant-facing elements. They chose the KNX network of a Marriott hotel to validate the attack, and once they had acquired access they succeeded in controlling the lighting, air conditioning, curtains and other equipment in the target hotel room.
“This attack requires physical access to the KNX device cable in the room so that we can use a KNX gateway to connect to the KNX network in the room. We used the KNX ETS software and some KNX security testing tools to complete the attack,” the researchers explained.
They then found that, by analyzing the KNX protocol, they could modify the KNX/IP router configuration over this cabled connection. Perhaps more significantly, they could achieve this without the KNX router being connected to Wi-Fi or any external network. It is not all bad news for buildings with a KNX network, however: there are ways to defend against this kind of attack.
Firstly, and perhaps most obviously, buildings using KNX should prevent physical access to KNX cabling by concealing and protecting cables from unauthorized personnel. Buildings should also apply stronger KNX network isolation and ensure the network uses the latest version of the KNX protocol, which includes a new secure encryption mechanism. In this way a building can limit its exposure to malicious actors and limit the extent of their access if they do successfully infiltrate.
The team also set about testing the strength and defenses of the Zigbee protocol, another popular communications protocol in the smart home and building space. An immediate issue arose: most of the devices they tested used outdated versions of the Zigbee protocol, increasing their vulnerability. However, even those that use the latest version (v3.0 at the time of writing) are preconfigured with a common link key for installation, in order to be compatible with a wider array of Zigbee devices. Furthermore, most Zigbee-enabled devices depend on the network key to secure their communication.

The researchers developed a tool they humorously named “ZomBee,” which automates the scanning and infiltration of Zigbee networks. The tool runs on a Raspberry Pi and operates by scanning all the surrounding Zigbee channels for Zigbee devices; it can then attack those devices with a broadcast packet. Once again, the researchers highlighted preventative measures that can be taken, but underlined the vulnerabilities that arise when these measures are neglected.
Many of these preventative measures are common sense but must be maintained to support security efforts: remembering to close the network access (permit join) function of the Zigbee gateway after completing Zigbee device pairing, for example. The Tencent team still believe that manufacturers should consider implementing more security mechanisms, however. The researchers also advise the standard use of a stronger Zigbee encryption key and the implementation of a security encryption algorithm at the Zigbee application layer.
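The two Zigbee hygiene points above (a pairing window left open after devices have joined, and a gateway still carrying the common installation link key) are the kind of thing a building operator can audit from gateway logs and configuration. The script below is an added example written for this article; it is not code from the Tencent team or from any gateway vendor. It assumes a constructed event-log format (`<unix_seconds> <EVENT> [<device_id>]`), a gateway that exposes its Trust Center link key as 16 bytes, and an assumed policy limit of 180 seconds for a pairing window; the only real constant is the Zigbee specification's well-known default Trust Center link key, which is what a gateway should never still be using.

```python
"""Added example (not from the article or the Tencent team): audit a Zigbee
gateway's join-window and link-key hygiene.

Assumptions: the gateway writes one event per line as
"<unix_seconds> <EVENT> [<device_id>]" (a constructed format) and exposes its
Trust Center link key as 16 bytes. MAX_PERMIT_JOIN_SECONDS is an assumed
policy value, not a Zigbee specification constant.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known default Trust Center link key from the Zigbee specification.
# Leaving it in place is the "common link key" the article refers to.
DEFAULT_TC_LINK_KEY = b"ZigBeeAlliance09"

# Assumed policy: a pairing window should be closed within three minutes.
MAX_PERMIT_JOIN_SECONDS = 180

# Constructed sample log: the first pairing window is closed promptly,
# the second is never closed (the mistake the article warns about).
SAMPLE_LOG = """\
1000 PERMIT_JOIN_OPEN
1042 DEVICE_JOINED 00:12:4b:00:aa:bb:cc:01
1060 PERMIT_JOIN_CLOSE
2000 PERMIT_JOIN_OPEN
2030 DEVICE_JOINED 00:12:4b:00:aa:bb:cc:02
2500 DEVICE_JOINED 00:12:4b:00:aa:bb:cc:03
"""


@dataclass
class Event:
    ts: int
    kind: str
    device: Optional[str] = None


def parse_events(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        device = parts[2] if len(parts) > 2 else None
        events.append(Event(int(parts[0]), parts[1], device))
    return events


def audit_permit_join(events: list, now: int,
                      max_open: int = MAX_PERMIT_JOIN_SECONDS) -> list:
    """Return findings about pairing windows left open too long or never closed."""
    findings = []
    open_at = None
    for ev in events:
        if ev.kind == "PERMIT_JOIN_OPEN":
            if open_at is not None:
                findings.append(
                    f"window opened at {open_at} never closed before re-open at {ev.ts}")
            open_at = ev.ts
        elif ev.kind == "PERMIT_JOIN_CLOSE":
            if open_at is None:
                findings.append(f"close at {ev.ts} with no matching open")
            else:
                held = ev.ts - open_at
                if held > max_open:
                    findings.append(
                        f"window opened at {open_at} stayed open {held}s (limit {max_open}s)")
                open_at = None
        elif ev.kind == "DEVICE_JOINED" and open_at is None:
            # A join outside any recorded window means the gateway accepted a
            # device while it should not have been accepting anyone.
            findings.append(f"device {ev.device} joined at {ev.ts} outside a pairing window")
    if open_at is not None:
        findings.append(
            f"window opened at {open_at} still open at {now} ({now - open_at}s)")
    return findings


def audit_link_key(key: bytes) -> list:
    """Flag a link key that is the spec default or otherwise trivially weak."""
    findings = []
    if len(key) != 16:
        findings.append("link key is not 128 bits")
    if key == DEFAULT_TC_LINK_KEY:
        findings.append("link key is the well-known default Trust Center link key")
    elif len(set(key)) == 1:
        findings.append("link key is a repeated single byte")
    return findings


def run_sample(now: int = 3000) -> list:
    """Audit the constructed sample log with the default key still in place."""
    return audit_permit_join(parse_events(SAMPLE_LOG), now) + audit_link_key(DEFAULT_TC_LINK_KEY)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports the second pairing window as still open and the link key as the spec default. In practice the event source would be the gateway's own log or API rather than this made-up format, but the checks themselves (bounded permit-join windows, no joins outside a window, no default or degenerate link key) are the ones the article's advice reduces to.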
Many of the issues highlighted by the investigation come down to simple things, like updating protocols more regularly and reducing access to physical infrastructure. While simple, ensuring these measures are taken consistently will require societal rather than technical changes. “The responsibility and solution to the cyber security issues in our increasingly connected world go beyond cyber security professionals to developing a new culture of security across society,” David Emm, Principal Security Researcher with Kaspersky Lab, told Memoori in an interview last year.
After successfully infiltrating two of the most popular smart building communication protocols, the team from Tencent Security Platform concluded: “The security of smart building equipment is not given enough attention at present. We would like to take this opportunity to make more people pay attention to the issue of safety of intelligent buildings, as personal security and privacy are at stake.”