Most of today’s buildings use a variety of intelligent building systems to manage a wide variety of equipment. Companies such as Siemens, ABB, and Schneider Electric have introduced their own intelligent building products. At present, the communication protocols mainly used in the intelligent building industry are the KNX protocol for the industrial field and the ZigBee protocol for the household field.
KNX is a standardized OSI-based network communications protocol for home and building automation. The KNX standard is administered by the KNX Association. KNX is often used in large public places such as stadiums, airports, luxury hotels, and some industrial facilities such as nuclear power plants, factories, etc.
In a previous study, security researchers hacked the St. Regis KNX system over the WIFI network and controlled the hotel’s lighting system. We found a new attack method where we can modify the KNX / IP router configuration and without affecting the normal use of the entire original KNX network equipment. The attack allows us to eavesdrop on KNX network traffic, or directly denied service to the entire network.
With the development Internet-of-Things, ZigBee is a major communication protocol widely used in home automation systems. In order to allow users to more easily extend the ZigBee devices, many manufacturers have taken a compatible approach to allow devices connect between different vendors. Additionally, high market competitiveness leads to short development cycle, pushing aside security requirements. Indeed, the ZigBee 3.0 standard includes stronger security with encryption, however, many manufacturers do not use this standard.
We will show the security results of multiple real-world ZigBee devices manufacturers (ABB, Samsung, Xiaomi and other manufacturers). We will also demo an attack using only an official and cheap mainstream device and show that taking over a full ZigBee network is possible.