Dominik Schneider, Wojtek Przibylla | ERNW GmbH

IoT and Industry 4.0 (In-) Security

#whoarewe

Dominik Schneider, Pentester

Wojtek Przibylla, Pentester

Contact:

ERNW GmbH

Wojtek Przibylla

Carl-Bosch-Str. 4

69115 Heidelberg

Mail: wprzibylla@ernw.de, dschneider@ernw.de

Road Map

• History of Automation and IoT

• IoT and Industry 4.0

• Attacks in the wild

• Smart Homes

– KNX

• Conclusion

Timeline of Automation and IoT

1832 1900 1980 1990 1996 1998 2002 2010 2015 2020

Remote controlled boat

Nikola Tesla 1832 Internet 1981 - 1993

European Installation Bus 1991

Internet of Things 1999

2nd Industrial Revolution 1870

Switchboards and

Telephone

1888

Google self driving car Year ???

June 1, 2004

1st Industrial

Revolution

3rd Industrial Revolution

Google Glass 2014

1990s

Smartphones 1994-1996

2011

Personal

Computer

1881

Smartmeter 2010

1712

1960

Internet of Things

• “Internet of Things is the network of

physical objects that contain embedded

technology to communicate and sense

or interact with their internal states or

external environments.” Wikipedia

• German initiative to create smart factories

• Attempt to computerize logistics and Machine-to-

Machine communication using IoT

• Connect embedded systems and smart production

facilities to generate a digital convergence between

industry, business and internal functions and processes.

Industry 4.0

What are those things

Abstract view

Sensor Layer

Communication Layer

Management Layer

Technical view

Sensors

• Collect and process data to determine changes of the physical status

Communication

• Identify and track data of things

• Interconnect devices - RFID/Bluetooth/Wireless/Internet

Platforms / Providers

• Aggregate and control data / things

• Provide management interfaces / UI / APIs

IoT in Numbers

• Gartner: 2020, 25 Billion Connected

"Things" Will Be in Use

Category 2013 2014 2015 2020

Automotive 96.0 189.6 372.3 3,511.1

Consumer 1,842.1 2,244.5 2.874.9 13,172.5

Generic

Business

395.2 479.4 623.9 5,158.6

Vertical

Business

698.7 836.5 1,009.4 3,164.4

Grand Total 3,032.0 3,750.0 4,880.6 25,006.6

Source:www.gartner.com/newsroom/id/2905717

IoT in Numbers II

Where does IoT already affect us?

• Industry / Science / Medical

– Supply chain management

– Factory automation

– Medical devices

– Solar installations

– Quality sensors

• Consumer market

– Mail and delivery

– Smart watches

– Smart car

– Smart homes

– Smart cities

• Military/Public Drones

Automatic weapons

Traffic sensors

Where does IoT already affect us?

• Industry / Science / Medical:

– Supply chain management

– Factory automation

– Medical devices

– Solar installations

– Quality sensors

• Military/Public applications

– Drones

– Traffic sensors

– Face recognition

• Mail and delivery

• Smartwatches

• Smartcar – Connected Car

Why is IoT so innovative/promising?

• Economic reasons: The price of sensors, processors, and networking has come way down. Since WiFi is now

widely deployed, it is relatively easy to add new networked devices to the home and office.”

– Market players see a great potential in IoT • New customers & markets

• “Make your life more comfortable”

• Mobile data plans are cheap

• IPv6 is enabling IoT

• M2M communication

– Intelligent production steps

• Almost unlimited usage scenarios…

YOU

Internet Automation

IoT

Safety Privacy

Security

What is wrong with IoT ?

• Spreading:

– You will have more than just one IoT device

increased attack surface

– Widely used software components

One bug affects several products

• Uniqueness:

– How to patch firmware ?

– Guaranteed interoperability ?

• Privacy:

– Who hast access to your “things” ?

– Where and how does all the data go ?

Types of Deployment

• Requirement: Control via the Internet

– Some kind of gateway is required

1.Direct connection to the gateway

2.Connection to the gateway via a service

provider

– The device has to be registered at a vendor for

service consumption

Potential attack surface

Attacks in the wild I

Attacks in the wild II

Attacks in the wild III

IoT Enabling Technologies

Source: Wikipedia

Protocol Power

Line

Radio-Frequency Data Rate Available

API?

Open Source

C-Bus no yes 3500 bit/s yes no

EnOcean no 902 MHz (North America) 9600 bit/s yes no

Insteon yes yes 13,165 bit/s yes no

KNX yes yes 9600 bit/s yes no

UPB yes no 480 bit/s no no

X10 yes

310 MHz (North America)

433 MHz (Europe)

20 bit/s yes no Sometimes

Zigbee no

2.4 GHz (worldwide)

915 MHz (Americas and Australia)

868 MHz (Europe)

20-250k bps yes no ?

Z-Wave no yes 250k bps yes no

SMART HOME

What is KNX?

• Technology for building home automation systems

• Developed in the 90‘s (back then known as EIB)

Advantages:

• Reduction of energy consumption and costs

• Huge amount of different devices

• Comfortable (controlling via Smartphone / Tablet / Browser)

Some numbers

• Three-quarter of all smart

homes in Germany are

equipped with KNX (in

number 237k, increasing)

• In 2020 there will be an

expected number of one

million smart homes

Taken from: http://www.bitkom.org/files/documents/BITKOM-Praesentation_Smart_Home_in_Deutschland_18_12_2014_02.pdf

Today

• More than 300 vendors are part of the

KNX Group

• Devices for nearly every scenario

• Widely used

How it works

• Address range

– 0.0.0 to 15.15.255

Max ~ 64k devices

• Physical Address

– Every device has ist own

physical address

• Group Address

– Used to connect devices to

each other

– A device can be part of one

or more group addresses

Bus system style

• All components are connected to each

other via the bus line

– Signal reaches all participants

Communication types

• TP (Twisted Pair)

• Powerline

– Communication via Power Supply System

• KNX – RF

– 868 MHz

• KNXnet

– Communication via IP driven network

Base components

• Power Supply

• Interface

(programming)

• Switch actuator

• Sensor

• Bus Line

Smart?

Web Interfaces

• Web application or app on

smartphone

• Hundreds of web interfaces

on the internet without

authentication

• Embedded webserver on

KNX devices

How to find Smart Home Visualizations?

• Like always Just Google!

• Visit vendor website for testing visualizations online

– Use the gathered information for a more specific google

search

• Make use of specific Google search filters

– inurl, intitle, …

How to find Smart Home Systems?

• Again Just Google!

• „Hilton Mainz KNX“

Smarthome Crawler

• Small Python Script with ~25 lines of Code

• Search is done via a specific URL pattern

• Required Time for /16 network about 8

Minutes with a Timeout of 0.5s

• Many Results especially on scanning static ip

address ranges ;)

KNXnet/IP

• Ability to control the

installation via IP

driven network (e.g.

Smartphone)

• On top of UDP

Nmap Script Scan

• knx-gateway-discover.nse

– Can discover multiple gateway

via one single packet

– Multicast

• knx-gateway-info.nse

– Identifies a KNX gateway on

UDP port 3671 by sending a

KNX Description Request

knx-gateway-info:

-- | Body:

-- | DIB_DEV_INFO:

-- | KNX address: 15.15.255

-- | Decive serial: 00ef2650065c

-- | Multicast address: 0.0.0.0

-- | Device friendly name: IP-Viewer

-- | DIB_SUPP_SVC_FAMILIES:

-- | KNXnet/IP Core version 1

-- | KNXnet/IP Device Management version 1

-- | KNXnet/IP Tunneling version 1

-- |_ KNXnet/IP Object Server version 1

nmap --script knx-gateway-discover -e eth0

There are even bigger installations!

• Telekom Frankfurt

• LVM Versicherung Münster (14185 Devices)

• Deutsche Börse AG Frankfurt

• Flughafen Köln Bonn

• Max-Planck-Institut Greifswald (1112 Devices)

• Mittdeldeutscher Rundfunk Leipzig (4050 Devies)

• …

The other side of the coin…

• Attack surface increases

• Web Visualizations contain common

web vulnerabilities

– XSS

– Stacktraces

– …

• Burglar 4.0

Attack Scenario

• Is there a setup that the installation can be controlled by an

attacker remotely without visualization? – YES!

• Requirements: – Physical connection to the bus (KNXnet/IP interface)

– Software for sending and receiving KNXnet/IP packets (Raspberry Pi + eibd)

– Remote Connection (UMTS Stick)

– Power Supply for Raspberry Pi (Power Bank)

Attack Setup

DEMO TIME

What about security on the bus ?

• Confidentiality?

• Integrity?

• Authentication?

Quotations from the standard

• Für KNX war und ist das Thema Sicherheit von keiner großen

Bedeutung, da man für eine Verletzung der Sicherheit lokal Zugriff auf

das Netzwerk haben muss. Im Fall von KNX TP (EIB) und KNX PL

bedeutet das, dass man dafür sogar den physikalischen Zugriff auf die

Netzwerkkabel benötigt, was in fast allen Fällen unmöglich ist, da die

Kabel innerhalb des Gebäudes oder unter der Erde verlegt sind.

• Aus diesem Grund spielen Sicherheitsaspekte für KNX-Medien auf der

Feldebene eine untergeordnete Rolle.

• Es ist eher unwahrscheinlich, dass legitimierte Benutzer eines

Netzwerks über Mittel zum Abfangen und Entschlüsseln verfügen, um

KNXnet/IP anschließend zu verfälschen, ohne die KNX-Normen

intensiv studiert zu haben.

How to secure this?

• No Bus to the outside

• Make use of bus line separation with line couplers

this requires a concept

• Ensure that the requirements in the KNX Security

Checklist are followed (KNX Association)

• Need for new specification

– Take a look at KNX secure devices!

WHAT ELSE IS OUT THERE ?

After all these new kind of devices…

EVA

„A Smarter Way to Shower“

• Messures the distance between

a person and the device.

• An App can be used to get

statistical information like water

consumption.

Smart Garden

Is there a connectivity problem?

Samsung Smart Fridge

• Exposed Gmail passwords

– MitM Attack

– Unproper Certificate

Validation

– Logfiles of Google Calendar

The Wink case

• Due to a problem on the

vendor site, the smart home

hubs stopped working

• All smart home devices

connected to the smart hub

also stopped working

Qivicon outtage

Source: http://www.heise.de/newsticker/meldung/Deutsche-Telekom-Ausfall-des-Qivicon-Servers-legt-Smart-Homes-lahm-2832456.html

News from IFA 2015

Conclusion I

• Don’t put things on the internet that are not

properly secured for it.

• But nowadays and in the future more and

more devices will be reachbale via the

Internet

Conclusion II

• We need user awareness

Does my shoe really need internet connectivity ?

• Smart devices will affect everybody

Even those who don’t use it

• Evaluate your deployment scenario

Make use of encryption and authentication

Questions ?