How a Misconfigured KNX System Lets Hackers Disrupt an Entire Building
The article examines the KNX building‑automation protocol, explains its telegram structure, and demonstrates how a poorly configured KNX network—especially via IP routers—can be exploited from a single smart switch to launch DoS, replay, and memory‑read/write attacks that compromise entire skyscraper systems.
1. The World of KNX
KNX is widely used for lighting control in stadiums, commercial buildings, and other serious building‑automation deployments. The article first shows the overall format of a KNX‑TP telegram, focusing on the TPCI and APCI fields that indicate the type of communication.
The TPCI field tells whether the telegram carries data or control information and works with a sequence number when messages are split across frames. The APCI field defines the semantic meaning of the message, with command codes such as MemoryRead, MemoryWrite, UserMessage, and Escape.
2. Research Focus
The researchers target the IP router segment of a KNX network because it bridges the KNX bus to Ethernet, exposing the building system to external networks. They construct a hard scenario: a hotel guest flips a wall switch that is directly connected to the KNX‑TP bus, providing a foothold for an attacker.
3. Test Environment Setup
Creating a KNX project requires the commercial ETS5 tool and physical access to put devices into programming mode. The authors built a small lab network consisting of a Gira IP router, ETS5 on a laptop, a smart button (sensor), a dimmer (actuator), and a second IP router to simulate the "switch‑then‑compromise BMS" scenario.
Because dedicated KNX‑TP transceivers are scarce, the authors connect the router directly to the KNX‑TP line and capture traffic with Wireshark, later converting the binary capture to CSV for easier analysis.
The team also wrote a custom parser that decodes each field of the binary telegram and displays a human‑readable explanation.
For device discovery, the authors built a lightweight scanner that sends high‑priority requests to each address in the x.y.0‑x.y.255 range, waiting for a response to confirm the presence of a node. This method, while slower than ETS5, reliably finds all devices on a small segment.
Each discovered device reports a two‑byte mask version, which the authors use to estimate the device’s research value and to locate the IP router within the network.
4. Denial‑of‑Service (DoS) Attacks
Understanding KNX communication enables a simple DoS attack: flooding a single node with malformed or excessive telegrams can stall the entire bus segment, potentially disabling lighting in a hotel or a stadium just before an event.
KNX also lacks replay protection. Captured telegrams can be replayed later—e.g., via a hotel’s public Wi‑Fi—to toggle lights in adjacent rooms.
The article cites Jesus Molina’s research on insecure home‑automation deployments as an external confirmation of this threat.
5. Real‑World Case: ABB Hotel Solution
The ABB installation integrates access‑control with the KNX bus. Sending a correctly crafted KNX‑TP command could, in theory, unlock a neighboring hotel room, illustrating the broader impact beyond lighting.
6. Data Leakage via Memory Read/Write
The authors extended their tool to issue MemoryRead commands. Observing KNX traffic revealed that nodes use a BCU key for authentication. By implementing the same mechanism, they obtained binary responses and eventually dumped the entire memory of an IP router (addresses 0x0‑0xFFFF).
The memory dump exposed configuration data such as IP address, subnet mask, gateway, and friendly name, as well as the multicast address used (224.0.23.12:3671 or a custom one). Crucially, they identified the byte that controls whether a telegram is forwarded to Ethernet, allowing them to determine if a message will be dropped before reaching the wider network.
After adding a MemoryWrite capability, they successfully modified that byte on an ABB router, gaining Ethernet‑side access without enabling programming mode or possessing an authorization key.
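The telegram fields described in section 1 and the MemoryRead/MemoryWrite traffic from this section can be decoded and flagged from a bus capture. The following decoder is an added example written for this summary, not the authors' parser or scanner; it assumes standard (non‑extended) KNX‑TP1 L_Data frames, and the sample frames, addresses and memory offsets in it are constructed for illustration.

```python
# Added example, not the article's parser: decode KNX-TP1 standard L_Data
# frames and flag device-management telegrams (MemoryRead/MemoryWrite/...)
# that a defender should not see on a line outside an ETS commissioning window.
APCI = {0x0: "GroupValueRead", 0x1: "GroupValueResponse", 0x2: "GroupValueWrite",
        0x3: "IndividualAddressWrite", 0x4: "IndividualAddressRead",
        0x5: "IndividualAddressResponse", 0x6: "ADCRead", 0x7: "ADCResponse",
        0x8: "MemoryRead", 0x9: "MemoryResponse", 0xA: "MemoryWrite",
        0xB: "UserMessage", 0xC: "DeviceDescriptorRead",
        0xD: "DeviceDescriptorResponse", 0xE: "Restart", 0xF: "Escape"}
MANAGEMENT = {"MemoryRead", "MemoryWrite", "UserMessage", "Restart",
              "IndividualAddressWrite", "Escape"}

def knx_checksum(octets: bytes) -> int:  # ones' complement of XOR over octets
    x = 0
    for b in octets:
        x ^= b
    return ~x & 0xFF

def fmt_addr(addr: int, group: bool) -> str:
    if group:                                # 3-level group: main/middle/sub
        return f"{addr >> 11}/{(addr >> 8) & 7}/{addr & 0xFF}"
    return f"{addr >> 12}.{(addr >> 8) & 0xF}.{addr & 0xFF}"  # area.line.device

def parse_tp1(frame: bytes) -> dict:
    if len(frame) < 8 or knx_checksum(frame[:-1]) != frame[-1]:
        return {"valid": False, "reason": "short frame or bad checksum"}
    ctrl, npci, tpdu = frame[0], frame[5], frame[6:-1]
    if not ctrl & 0x80 or (npci & 0x0F) != len(tpdu) - 1:
        return {"valid": False, "reason": "extended frame or length mismatch"}
    info = {"valid": True, "apci": None,
            "priority": ("system", "high", "alarm", "low")[(ctrl >> 2) & 3],
            "src": fmt_addr(int.from_bytes(frame[1:3], "big"), False),
            "dst": fmt_addr(int.from_bytes(frame[3:5], "big"), bool(npci & 0x80)),
            "tpci": ("UDP", "NDP", "UCD", "NCD")[tpdu[0] >> 6], "seq": (tpdu[0] >> 2) & 0xF}
    if tpdu[0] >> 6 < 2:                         # data TPDU: 10-bit APCI follows
        apci10 = (tpdu[0] & 3) << 8 | tpdu[1]
        info["apci"] = APCI[apci10 >> 6]
        info["data6"] = tpdu[1] & 0x3F           # 6-bit group value / octet count
        info["payload"] = tpdu[2:]               # e.g. memory address (+ data)
    return info

def flag_management(frames) -> list:  # (src, dst, apci) of memory-touching telegrams
    return [(f["src"], f["dst"], f["apci"]) for f in map(parse_tp1, frames)
            if f["valid"] and f["apci"] in MANAGEMENT]

# Constructed capture: a switch's GroupValueWrite, then MemoryRead/MemoryWrite
# aimed at the line's IP router (1.1.0), and a frame with a corrupted checksum.
SAMPLE = [bytes.fromhex("bc 1101 0001 e1 0081 32"),
          bytes.fromhex("b0 1105 1100 63 420c 0100 66"),
          bytes.fromhex("b0 1105 1100 64 4681 01f0 01 19"),
          bytes.fromhex("b0 1105 1100 63 420c 0100 00")]
```

Feeding a Wireshark export into `flag_management` gives a simple baseline alert: any MemoryRead or MemoryWrite on the bus while no ETS session is in progress deserves a look, regardless of whether the device demanded a BCU key.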
7. Cross‑Vendor Differences
Repeating the procedure on a Gira router initially failed because the router rejected the authorization key and terminated the session. By stripping the key and sending simple memory‑read requests, the router returned data, and the same write technique succeeded. The same approach worked on Siemens routers, demonstrating that ABB, Gira, and Siemens IP routers can be read and written without programming mode or keys.
With this capability, the attacker can expand to other backbone segments, launch DoS attacks, or manipulate control systems across the building.
8. Conclusion
The article provides a deep technical walkthrough of KNX’s telegram structure, the attack surface of IP routers, and practical exploitation steps—including environment setup, device scanning, DoS, replay, and cross‑vendor memory manipulation. The next part will disclose the exact hardware used.