This document discusses building automation and control (BACnet) networks in Taiwan. It begins by introducing BACnet and describing how the protocol works. It then details the results of scanning Taiwan for exposed BACnet devices, finding 48 devices from vendors like Advantech, Automated Logic, and Carel. Many of these devices had weak or default credentials, exposing their internal data and controls. The document cautions that some critical infrastructure in Taiwan, like university buildings, is connected to BACnet and has similarly weak security. It concludes by providing suggestions to better secure these important control systems.
3. $ whoami
• Stephen Hilt (@tothehilt)
• Senior threat researcher, Trend Micro
• 10 years ICS security experience
4. Disclaimer
• Do not probe / scan / modify the devices that you don’t own.
• Do not change any value without permission.
• It’s a matter of LIFE AND DEATH.
• Beware! Taiwanese CRIMINAL LAW.
Photo courtesy of Wikimedia, CC0.
5. BACnet – Building Automation and Control networks
BACnet was designed to allow communication of building automation and control systems for applications such as heating, ventilating, and air-conditioning control, lighting control, access control, and fire detection systems and their associated equipment. http://en.wikipedia.org/wiki/BACnet
6. Building Automation?
Image from http://buildipedia.com/aec-pros/facilities-ops-maintenance/case-study-cuyahoga-metro-housing-authority-utilizes-bas
Credit: Siemens Building Technologies
19. BACnet-discover-enumerate.nse (3)
| Vendor ID:
| Object-identifier:
| Firmware:
| Application Software:
| Object Name:
| Model Name:
| Location:
| Broadcast Distribution Table (BDT):
|_ Foreign Device Table (FDT): Empty Table
Vendor ID: A registered BACnet vendor.
Object-identifier: unique identifier of the device. If the Object-Identifier is known, it is possible to send commands with BACnet client software, including those that change values, programs, schedules, and other operational information on BACnet devices.
# nmap --script BACnet-discover-enumerate.nse -sU -p 47808 140.xx.xx.xx
20. BACnet-discover-enumerate.nse (3)
| Vendor ID:
| Object-identifier:
| Firmware:
| Application Software:
| Object Name:
| Model Name:
| Location:
| Broadcast Distribution Table (BDT):
|_ Foreign Device Table (FDT): Empty Table
Broadcast Distribution Table (BDT): A list of the BACnet Broadcast Management Devices (BBMD) in the BACnet network. This will identify all of the subnets that are part of the BACnet network.
Foreign Device Table (FDT): A list of foreign devices registered with the BACnet device. A foreign device is any device that is not on a subnet that is part of the BACnet network, i.e. not in the BDT. Foreign devices often are located on external networks and could be an attacker's IP address.
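The BDT and FDT that the script reads are two BVLC (BACnet Virtual Link Control) responses, Read-Broadcast-Distribution-Table-Ack and Read-Foreign-Device-Table-Ack, and slides 21 and 22 show the third possible answer, a BVLC Result carrying a Read-FDT NAK. The following Python is an added example written for this page; it is not the nse script's code or anything from the talk. It decodes all three frames and then does what a building operator would want from the FDT: it compares every registered foreign device against the networks known to belong to the building (an assumed list, TRUSTED_NETWORKS) and reports registrations from anywhere else. The three frames are constructed for the example using TEST-NET addresses plus the 172.18.9.254 BBMD address from the scan output.

```python
import ipaddress
import struct

# BVLC constants from the BACnet/IP annex (Annex J).
BVLC_TYPE = 0x81
BVLC_RESULT = 0x00
BVLC_READ_BDT_ACK = 0x03
BVLC_READ_FDT_ACK = 0x07
RESULT_READ_FDT_NAK = 0x0040      # result code: device refuses to disclose its FDT
BACNET_PORT = 47808               # 0xBAC0


def bvlc_frame(function: int, payload: bytes) -> bytes:
    """Wrap a payload in a BVLC header: type 0x81, function, total length."""
    return struct.pack("!BBH", BVLC_TYPE, function, 4 + len(payload)) + payload


def split_bvlc(frame: bytes):
    """Validate the BVLC header and return (function, payload)."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    if struct.unpack("!H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length field does not match frame size")
    return frame[1], frame[4:]


def _entries(payload: bytes, size: int):
    """Yield fixed-size table entries, refusing a payload with a partial entry."""
    if len(payload) % size:
        raise ValueError("table payload is not a whole number of entries")
    return (payload[off:off + size] for off in range(0, len(payload), size))


def parse_bdt(frame: bytes):
    """Read-BDT-Ack: 10-byte entries of B/IP address (IP + port) and broadcast distribution mask."""
    function, payload = split_bvlc(frame)
    if function != BVLC_READ_BDT_ACK:
        raise ValueError("not a Read-Broadcast-Distribution-Table-Ack")
    return [(str(ipaddress.IPv4Address(e[0:4])), struct.unpack("!H", e[4:6])[0],
             str(ipaddress.IPv4Address(e[6:10]))) for e in _entries(payload, 10)]


def parse_fdt(frame: bytes):
    """Read-FDT-Ack: 10-byte entries of B/IP address, TTL and seconds remaining.
    Returns None when the device answers with a Read-FDT NAK instead of the table."""
    function, payload = split_bvlc(frame)
    if function == BVLC_RESULT:
        code = struct.unpack("!H", payload[:2])[0]
        if code == RESULT_READ_FDT_NAK:
            return None
        raise ValueError(f"unexpected BVLC result 0x{code:04x}")
    if function != BVLC_READ_FDT_ACK:
        raise ValueError("not a Read-Foreign-Device-Table-Ack")
    return [(str(ipaddress.IPv4Address(e[0:4])), *struct.unpack("!HHH", e[4:10]))
            for e in _entries(payload, 10)]


def external_foreign_devices(fdt_entries, trusted_networks):
    """Return FDT entries whose address lies outside every trusted network.
    The BDT tells you which subnets are part of the BACnet network; a foreign
    device registered from anywhere else is what a monitor should raise."""
    return [e for e in fdt_entries
            if not any(ipaddress.ip_address(e[0]) in net for net in trusted_networks)]


# ---- constructed sample data (TEST-NET addresses; not real devices) ----
def _bip(ip: str, port: int = BACNET_PORT) -> bytes:
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)

SAMPLE_BDT_ACK = bvlc_frame(BVLC_READ_BDT_ACK,
    _bip("192.0.2.10") + ipaddress.IPv4Address("255.255.255.0").packed +
    _bip("172.18.9.254") + ipaddress.IPv4Address("255.255.255.255").packed)

SAMPLE_FDT_ACK = bvlc_frame(BVLC_READ_FDT_ACK,
    _bip("192.0.2.77") + struct.pack("!HH", 300, 120) +      # inside the building
    _bip("198.51.100.9") + struct.pack("!HH", 60, 30))       # registered from outside

SAMPLE_FDT_NAK = bvlc_frame(BVLC_RESULT, struct.pack("!H", RESULT_READ_FDT_NAK))

# Assumed: the subnets the operator knows to be part of this BACnet network.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("172.18.9.0/24")]

if __name__ == "__main__":
    print("BDT:", parse_bdt(SAMPLE_BDT_ACK))
    fdt = parse_fdt(SAMPLE_FDT_ACK)
    print("FDT:", fdt)
    print("foreign devices outside trusted networks:",
          external_foreign_devices(fdt, TRUSTED_NETWORKS))
    print("NAK handled:", parse_fdt(SAMPLE_FDT_NAK))
```

Run against a packet capture of your own BBMD's replies, the outside-network list is the thing to alarm on; an empty FDT or a NAK, as on the Siemens device in the next slides, is the quiet case.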
21. Map Out Connections
Nmap scan report for 140-xxx-xxx-xxx.n**k.edu.tw (140.xxx.xxx.xxx)
Host is up (0.00050s latency).
PORT STATE SERVICE
47808/udp open BACNet -- Building Automation and Control Networks
| bacnet-info:
| Vendor ID: Siemens Schweiz AG (Formerly: Landis & Staefa Division Europe) (7)
| Vendor Name: Siemens Building Technologies Inc.
| Object-identifier: 0
| Firmware: 3.7
| Application Software: INT0370
| Object Name: 25OC0001874
| Model Name: Insight
| Description: BACnet Device
| Location: PC
| Broadcast Distribution Table (BDT):
| 140.xxx.xxx.xxx:47808
| 140.xxx.xxx.xxx:47808
| 172.18.9.254:47808
|_ Foreign Device Table (FDT): Non-Acknowledgement (NAK)
22. FDT NAK!
|_ Foreign Device Table (FDT): Non-Acknowledgement (NAK)
23. Let’s Gather MORE Information
• Systems require you to join the network as a Foreign Device to enumerate the devices that are attached, as well as points
– Once registered in the FDT, perform a Who-Is message
– Parse I-Am responses
– …
– Profit?
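For the "parse I-Am responses" step, here is an added example (written for this page, not the nse script's or the talk's code): a Python decoder for an I-Am frame as a passive monitor or asset-inventory tool would see it on the wire. It walks the BVLC header, steps over the NPDU (handling the global-broadcast DNET and hop-count fields), then reads the I-Am's four application-tagged values to recover the device instance number, maximum APDU size, segmentation support and vendor ID. The device instance is the Object-Identifier that slide 19 describes as the key to addressing the device, which is why it matters that every I-Am hands it to whoever asked. The sample frame is constructed; instance 1234 and the NPDU layout are assumptions, and vendor ID 7 is the Siemens ID seen in the scan output above.

```python
import struct

BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01
APDU_UNCONFIRMED_REQUEST = 0x10   # PDU type 1 in the high nibble
SERVICE_I_AM = 0x00
TAG_UNSIGNED, TAG_ENUMERATED, TAG_OBJECT_ID = 2, 9, 12
OBJECT_TYPE_DEVICE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}


def _read_app_tag(buf: bytes, off: int):
    """Decode one application-tagged value; return (tag_number, value_bytes, next_offset)."""
    tag = buf[off]
    number, is_context, length = tag >> 4, tag & 0x08, tag & 0x07
    off += 1
    if is_context:
        raise ValueError("I-Am carries application tags only")
    if length == 5:                      # extended length: next byte holds the length
        length = buf[off]
        off += 1
    value = buf[off:off + length]
    if len(value) != length:
        raise ValueError("truncated tag value")
    return number, value, off + length


def _skip_npdu(frame: bytes, off: int) -> int:
    """Step over the NPDU and return the offset of the APDU."""
    if frame[off] != NPDU_VERSION:
        raise ValueError("unsupported NPDU version")
    control = frame[off + 1]
    off += 2
    if control & 0x80:
        raise ValueError("network-layer message, no APDU inside")
    if control & 0x20:                   # DNET (2) + DLEN (1) + DADR (DLEN bytes)
        off += 3 + frame[off + 2]
    if control & 0x08:                   # SNET (2) + SLEN (1) + SADR (SLEN bytes)
        off += 3 + frame[off + 2]
    if control & 0x20:                   # hop count follows the source fields
        off += 1
    return off


def parse_i_am(frame: bytes) -> dict:
    """Decode an I-Am carried in an Original-Unicast/Broadcast-NPDU BVLC frame."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    if frame[1] not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        raise ValueError("not an Original-Unicast/Broadcast-NPDU")
    if struct.unpack("!H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length field does not match frame size")
    off = _skip_npdu(frame, 4)
    if frame[off] != APDU_UNCONFIRMED_REQUEST or frame[off + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am unconfirmed request")
    off += 2
    fields = []
    # I-Am parameter order: object identifier, max APDU, segmentation, vendor ID
    for expected in (TAG_OBJECT_ID, TAG_UNSIGNED, TAG_ENUMERATED, TAG_UNSIGNED):
        number, value, off = _read_app_tag(frame, off)
        if number != expected:
            raise ValueError(f"expected application tag {expected}, got {number}")
        fields.append(int.from_bytes(value, "big"))
    obj_id, max_apdu, seg, vendor_id = fields
    obj_type, instance = obj_id >> 22, obj_id & 0x3FFFFF   # 10-bit type, 22-bit instance
    if obj_type != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am object identifier is not a device object")
    return {"device_instance": instance, "max_apdu": max_apdu,
            "segmentation": SEGMENTATION.get(seg, seg), "vendor_id": vendor_id}


# Constructed sample: global-broadcast I-Am from assumed device instance 1234,
# vendor ID 7 (Siemens, as in the scan output), max APDU 1476, no segmentation.
SAMPLE_I_AM = bytes.fromhex(
    "81 0B 0018"                 # BVLC: Original-Broadcast-NPDU, 24 bytes total
    "01 20 FFFF 00 FF"           # NPDU: version 1, DNET present, DNET 0xFFFF, DLEN 0, hop count 255
    "10 00"                      # APDU: Unconfirmed-Request, service I-Am
    "C4 020004D2"                # object identifier: (device 8 << 22) | 1234
    "22 05C4"                    # max APDU length accepted: 1476
    "91 03"                      # segmentation supported: none
    "21 07"                      # vendor ID: 7
)

if __name__ == "__main__":
    print(parse_i_am(SAMPLE_I_AM))
```

Feed it the UDP/47808 payloads from a capture of your own segment and you get the same inventory the script builds, without sending a Who-Is; any device instance you do not recognise on the list is worth tracing back to its cabinet.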
52. Other than BACnet
• 59 Ethernet/IP in TW
– N**U Library
– N**U Bio Center
– N**U Men’s Dormitory
– N**U Management Division
– ... and so on
• ModBus/TCP
• Simple Ethernet-RS422/485 Adapters
– 23 Moxa NPort in N**U
63. Legacy Devices (Osaki PowerMax 22)
Special thanks to Chien Kuo Senior High School.
64. Subsidies from Ministry of Education
MOE subsidies of ~25,000 USD to schools for:
• Power consumption management system
• Building energy management system
• Improvement of air-conditioning controls
73. Home Automation with Arduino & RPi
Project at http://www.instructables.com/id/Uber-Home-Automation-w-Arduino-Pi/
74. Control System on Your Hand
Homepage of http://bacmove.com
Our suggestion:
These things shouldn't be on the internet, nor even on the corporate network.
It’s a control system and should be treated as such.
John Catsoulis, “Design Embedded Hardware”, 2/e, O’Reilly.
Sorry that Stephen can’t be here with us due to a conflict in schedule that came up.
TW: Criminal Law.
US: Anti-terrorist
Other countries: mostly civil code
Osaki Supermax 22
Turns off air conditioner every 15 mins when power budget is exceeded.
631 pages
American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)
ICS – Industrial Control Systems
MS/TP: Master-Slave Token-Passing
Other protocols: anybus.com
Stephen wrote this when he was working for Digital Bond.
Any time a BACnet network consists of more than one subnet, each subnet must have a BACnet Broadcast Management Device (BBMD).
Each BBMD in the BACnet network has an identical Broadcast Distribution Table (BDT) that lists all of the BBMDs in the network.
So by recovering the BDT you will learn all the subnets that have BACnet devices in the BACnet network.
NAK = We can’t join
Best free tool you can get.
Writable
Public information. Don’t hack.
Advantech
Taiwanese specialty, not frequent in other countries.
Chung Hua University
Chung Yuan University
These are a few good examples. We hope everyone protects them with a password.
Just like an unprotected webpage. Feel free to change something.
Voltage, Power, Current, Power Factor
A certain university
Do not change the value without permission.
We did not change anything during the research.
Again, we did not modify anything.
There are other brands. I haven’t studied much.
They are all talking BACnet.
Hence insecure by design.
Sweet
2 default passwords
Yeah, in N**U
KYZ pulse: a way of measuring electricity.
KYZ pulses are used to transmit instantaneous energy use information from the electric meter to another piece of equipment. (SSI)
We don’t want to cover Ethernet/IP without HMI in this talk, but please note that it’s readable, if not writable, without a webpage.
Legacy Devices
Dump config
You can only stop it, i.e. sabotage it. It is hard to capture and guess what is talked over RS485.
Again, possible to sabotage, but harder to modify.
Subsidies since 2002 (if not earlier)
Just an example. I didn’t find any BACnet devices in the following schools.
Applied in 2009
A contractor presented the benefit of BACnet and other centralized monitoring devices.
Power budget, financial budget, divisions charged by usage
VRV = variable refrigerant volume
Shu-Zen Junior College of Medicine and Management
Taitung Commercial Vocational High School
St. Mary’s Junior College of Medicine, Nursing and Management (Yilan)
ICST (Information & Communication Security Technology Center)
N**U is doing well.
Around 0.5%
Before we call it a day, let’s check this home automation.
Get savings to their houses by making them more energy efficient