Report DIVD-2022-00005 - Exposed BACnet Devices
Written on 20 May 2023 by Gerard Janssen
Case lead:
Ruben Uithol
Researchers:
Artur Miron
,
Patrick Hulshof
,
Ruben Uithol
Case file: DIVD-2022-00005
During the process of conducting vulnerability scans focused on the Log4J vulnerability, the DIVD discovered numerous Siemens systems that exposed the BACnet protocol via an unsecured port.
BACnet, or Building Automation and Control Networks, is a widely adopted communication protocol designed for building automation and control systems. Established as an international standard by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE), BACnet facilitates communication and interoperability between devices and systems used in areas such as heating, ventilation, air-conditioning (HVAC), lighting, access, and fire detection. It is employed worldwide in commercial, industrial, and residential buildings to ensure effective and efficient building management.
These systems might be at risk of unauthorized access or manipulation by threat actors. Communication can be unencrypted and without proper authentication mechanisms, making it potentially vulnerable to interception or tampering. An exposed BACnet port also increases the attack surface of the Siemens systems, potentially allowing attackers to gain access to other parts of the network and causing further damage.
The unintended exposure of BACnet ports poses potential security threats and may open the door to unauthorized access to essential building infrastructure. In our initial investigation, we used Shodan to explore BACnet-port 47808. The search revealed a total of 29,736 systems were exposed. Following this, we conducted a scan and found 12,572 vulnerable BACnet systems. The respective owners of these systems were promptly notified and provided with strategic advice to restrict access to their BACnet controllers.
Timeline
Date | Description |
22 Dec 2021 | Discovery of open BACnet devices |
05 Jan 2022 | First scan |
29 Jan 2022 | Case opened |
08 Feb 2022 | DIVD starts first round of notifications |
01 Apr 2022 | Case closed |
Links
https://csirt.divd.nl/cases/DIVD-2022-00005/
https://www.dragos.com/blog/industry-news/assessing-the-bacnet-control-system-vulnerability/
https://www.cisa.gov/news-events/ics-advisories/icsa-17-285-05