Wait, what?
Are we to believe this highly motivated supergeek cracked open a hotel's furniture control system, through a found iPad no less, and DIDN'T use this new power to have a little fun before informing hotel staff? Yeah right.
A security consultant staying in the St Regis hotel in the Chinese city of Shenzhen got bored one night and successfully commandeered the controls of 200 rooms thanks to an insecure automation protocol. Jesus Molina, a former chair of the Trusted Computing Group and independent security consultant, was staying in the hotel and …
Hotel I stayed at in Hong Kong has a flaw in its network.
Each room has its own TP-Link WiFi router, set to have the same password in each room.
The IP addresses correspond to the floor and room number and DHCP is done on the wifi routers. Too easy to do a MITM attack there.
I also found a passwordless router in a resort on Koh Jum in Thailand...
It's common practice to have poor security in the Far East.
Many (most?) WiFi hotspots throughout the world don't require a password; before WiFi, people plugged directly into the hotel guest network with a cable. All public networks, whether they have a password-protected router or not, should be considered insecure; that is why we have SSL and the like (although el Reg still chooses not to allow logins via HTTPS for some bizarre reason!).
Not sure why that is particularly poor security and why it is considered to only be applicable to the "Far East". Would you suggest that each user is issued a client-side certificate, created by a third-party trusted entity, every time someone checks in?
Let's not limit this to the far East. I stayed in a boutique hotel in Geneva, and the internet was down. I reported it, and they said the IT guy would be in later. So I had a poke around at 192.168.0.1, logged in with the old gem of 'admin/admin', and reset the router. Hey presto, working wifi throughout the hotel.
The KNXnet/IP standard document does have a section on security considerations and suggests that access to networks carrying KNXnet/IP packets should be restricted. The standard document makes some laughable conclusions:
"It is quite unlikely that legitimate users of a network would have the means to intercept, decipher, and then tamper with the KNXnet/IP without excessive study of the KNX Specifications. Thus the remaining security threat is considered to be very low and does not justify mandating encryption, which would require considerable computing resources." (KNX standard document 3.8.1, section 4.4)
The KNX system essentially connects devices (e.g. blind actuators, dimmers, heating, air conditioning etc.) together using a low speed, powered serial bus. This twisted pair network can be connected to Ethernet via a gateway device - which simply translates KNXnet/IP packets into corresponding packets on the twisted pair medium. Gateways (depending on manufacturer) have limited functions to restrict access - however, to avoid this hotel's situation from arising, you'd need one gateway per room, and isolated KNX segments. There is no scope for authentication, nor blocking access to only certain devices.
The hotel's implementation is flawed - as KNX can't authenticate clients nor stop data from being injected maliciously, another layer needs to be added to this kind of control system, for instance exposing certain functions via an authenticated web interface.
Gateways (depending on manufacturer) have limited functions to restrict access - however, to avoid this hotel's situation from arising, you'd need one gateway per room, and isolated KNX segments.
What I read from his story is that the hotel indeed has one gateway per room, or a device that emulates one and does some IP address to KNX address mapping. Note that he changes the last octet of the transmitted IP address to control another room. That means he's communicating with another gateway device, which apparently has the same range of KNX addresses behind it.
For a 200-room hotel a single gateway would be sufficient, even at 8 KNX addresses for sensors and actuators per room. If they want a bit more flexibility, and a setup usable across hotels of several sizes with up to several hundred rooms per floor, one gateway per floor would still be fine. In those cases the control app on the iPad takes its range of KNX devices to be controlled from the IP address associated with the room. Without further security lockdown both cases would still be open to the kind of hacking demonstrated here, though now requiring modification of the target KNX address instead of the IP address.
In the case at hand, the hotel would need to start using VLANs so that the room's KNX gateway can only be seen from that particular room's access point, or the dedicated iPad.
Trust me - there would only be a handful of gateway devices for the whole hotel - each covering a number of rooms. They're simply too expensive to deploy for each room. If you wanted a physically isolated KNX network in each room, you'd need to add a power supply as well - again, the cheapest start at about £250.
KNX addressing works on the basis of individual and group addresses. Each device has an individual address, for instance 1.3.112. This is a 16-bit value on the network. A group address (e.g. 2/0/11) is assigned to each function - e.g. blind up/down, temperature reading, light level etc. - and is again a 16-bit value. Installers are encouraged to allocate these numbers logically - for instance sequentially on each floor. The configuration tool (ETS) even does this for you. So to guess the address of a different function, you simply need to change the address in the packet - chances are you'll find something useful.
What is really missing here is a communication gateway using well-understood security techniques. Instead of exposing KNXnet/IP to the masses, it would be much better to have (for instance) a web services gateway that employs user authentication and access control. KNX can never be secure - so why not use standard IT techniques to protect it?
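To make the addressing described above concrete, here is an added example (not code from the article or any commenter) that converts KNX individual addresses (area.line.device) and three-level group addresses (main/middle/sub) to and from their 16-bit wire values, with range checks, plus a per-room allow-list check of the kind an authenticating gateway in front of KNXnet/IP would enforce. The sample addresses and the room allow-list are constructed for illustration.

```python
"""KNX address codec and a per-room group-address allow-list check.

Wire layouts (16 bits each):
  individual  area(4) | line(4) | device(8)   e.g. 1.3.112 -> 0x1370
  group (3-level)  main(5) | middle(3) | sub(8)   e.g. 2/0/11 -> 0x100B
"""


def _fields(addr: str, sep: str, limits: tuple) -> list:
    """Split addr on sep into ints and validate each against its max."""
    parts = addr.split(sep)
    if len(parts) != len(limits):
        raise ValueError(f"expected {len(limits)} fields in {addr!r}")
    values = [int(p) for p in parts]
    for v, hi in zip(values, limits):
        if not 0 <= v <= hi:
            raise ValueError(f"field {v} out of range 0..{hi} in {addr!r}")
    return values


def encode_individual(addr: str) -> int:
    area, line, device = _fields(addr, ".", (15, 15, 255))
    return (area << 12) | (line << 8) | device


def decode_individual(raw: int) -> str:
    if not 0 <= raw <= 0xFFFF:
        raise ValueError("individual address must fit in 16 bits")
    return f"{raw >> 12}.{(raw >> 8) & 0xF}.{raw & 0xFF}"


def encode_group(addr: str) -> int:
    main, middle, sub = _fields(addr, "/", (31, 7, 255))
    return (main << 11) | (middle << 8) | sub


def decode_group(raw: int) -> str:
    if not 0 <= raw <= 0xFFFF:
        raise ValueError("group address must fit in 16 bits")
    return f"{raw >> 11}/{(raw >> 8) & 0x7}/{raw & 0xFF}"


# Constructed allow-list: the functions a given room's session may touch.
# A gateway holding the KNX link would drop any telegram whose destination
# group is not in the room's set, instead of forwarding it blindly.
ROOM_ALLOWED_GROUPS = {"room-2011": {"2/0/11", "2/0/12", "2/1/11"}}


def group_permitted(session_room: str, raw_group: int) -> bool:
    """True if the 16-bit destination group belongs to this room's allow-list."""
    allowed = ROOM_ALLOWED_GROUPS.get(session_room, set())
    return decode_group(raw_group) in allowed
```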
KNX addressing works on the basis of individual and group addresses
I know. I'm using KNX at home.
If you wanted a physically isolated KNX network in each room, you'd need to add a power supply as well
Nope. You need one humongous power supply (or a couple), and a set of chokes for each physical segment.
So to guess the address of a different function, you simply need to change the address in the packet
Read the article. He changed the IP address he was communicating with, but maybe this has been mangled in the article.
That is an unjustified slur.
Standards are expensive to buy. I wouldn't pay E1000 for the set of standards either, I'd just download some of the Open Source KNX software, but that doesn't mean that I think E1000 is unusual for an Open Standard: it just means that I already know that any ISO/IEC set of standards is 95% self-referential administrative overhead, and 5% incomprehensible.