How is BACnet Vulnerable?
The following 19 services & 5 features provided by the BACnet protocol offer significant vulnerabilities to attack. This is how BACnet opens the door to various attacks.File Transfer
Some BACnet devices allow the file transfer service to load new firmware, configuration or other assets which control the behavior of the device. In such cases, the device can made inoperable (possibly permanently) or it can be turned into a zombie device.Peer to Peer System
BACNet is non hierarchical. This means that any object that is writable/commandable can be written to by any other BACnet device or system. All devices are considered equal.Take Control, Alter Data, Set Points
There are no special privileges to change the present value of a BACnet object. Any device can write to the present value (and some other mandatory properties of the object) at the highest priority. The last value written is applied. This allows any device to effectively take control of BACnet objects and the physical devices they control.Time Synch
It's possible to change the date and time of a BACnet device. This will affect all scheduled operations. All devices can be set to the same, wrong time or they can be set to different dates and times.Reinitialize Device
Causes a device to restart. All outputs will be driven to the default state until they are re-commanded - which may not occur until a particular time / day has been reached if the command is scheduled.Constantly restarting a device will make it inoperable.
If the configuration or firmware of the device has been changed (This is a possible attack.) then a restart will give effect to the new firmware or configuration. If both or either have been corrupted the device may not operate as intended.Point deletion
There is a service which allows a BACnet object in a device to be deleted. The control device that the object controls will no longer be controllable. This attack will be difficult to identify.Point creation
BACnet objects can be created on the fly. Experience in this industry suggests that manufacturers do not test the limits of this capability well and thus it may be possible to corrupt a device using this attack to consume all memory on the device.Out of Service
A BACnet object can be put out of service. In the case of an output to control a field device, this means that the new commands reach the BACnet object but will have no effect on the field device. In other words, the system may think it has turned something on but the command has no effect. The same attack can be applied to inputs - in this case, the BACnet object reports the last value and is never updated with a new value from the sensor. Ie a tank may have run empty but the system thinks it's still full.Relinquish Default
A BACnet output object can be driven to a particular state or value. If the remote device driving the object releases the object then the object reverts to a default value. These default values can be changed. Eg. from off to on.Attack Alarms and Events
By repeatedly sending alarm acknowledge messages an attacker can prevent alarm notifications from reaching the operator or control room.Subscribe COV - Denial of Service attack
Subscription to a BACnet object means that the object will report its value to the subscriber by sending unsolicited notifications. It is possible to make multiple subscriptions and to have each subscription report too frequently. This results in message deluges which can consume all the bandwidth - a denial of service attack.Kill subscriptions
Subscription to a BACnet object means that the object will report its value to the subscriber by sending unsolicited notifications. By killing existing subscriptions one can prevent a device reporting changes of value to the control system. In many cases, subscriptions are used to monitor critical points so that the control / monitoring system is always up to date.BBMD infinite hop flood
BBMD is BACNet’s technology for allowing messages from a device on one subnet to reach a device on another subnet. It is possible to create additional BBMD or to reconfigure existing ones so that they form a circular message system. Each one sends a message to the other which causes it to send a message back to the first causing a message flood which consumes all bandwidth.BBMD Corruption - add , remove
BBMD is BACNet’s technology for allowing messages from a device on one subnet to reach a device on another subnet. Services can be used to change the configuration of the BBMD’s resulting in system failure. This attack would be extremely hard to identify.Alter Schedules
Many HVAC operations are scheduled. Schedules can easily be changed.Max APDU is writable
The APDU is a measure of how much data/commands can be carried in a single message. Conceivably it's possible to change this value to one too small to allow any messages to be received.Add SSL keys
There is a service to add an SSL Key which would make the task of detecting a hack hard even though it doesn't make the hack easier.Restart Notification Recipient List
If a device restarts it can notify other devices. This service is most often used by the other devices to re-subscribe to COV, Alarm and Event notifications. By defeating the restart notice and by unsubscribing other devices, a hack can ensure that other devices work with obsolete data.
Other elements of BACnet that are vulnerable -UDP Vulnerability
BACnet uses the UDP Protocol for Transport Layer of its Ethernet messaging system. This Protocol does not use acknowledgements. Packets are sent and assumed to have arrived. This could be a dangerous assumption if they are critical alarms.Lack of Encryption.
Almost all products on the market do not support Encryption. Devices already in service using BACNet which do not support encryption are especially vulnerable since the manufacturer might not (be able to) provide firmware updates.Obsolete Operating Systems and Firmware
Devices already in service using BACnet may be using operating systems whose encryption has been hacked or which have other vulnerabilities. The same risk applies to firmware. Hacked firmware or firmware with known vulnerabilities may already be in service.Poor Implementations
Each vendor may have implemented the protocol as an independent project using their own standards, design, skills, quality assurance and testing systems. Some have done a poor job. For example: one manufacturer allows a single broadcast message to delete the configuration and then restart the device. This is a severe risk.Open Source Implementations
Many vendors have used the open source stack. There are a number of known vulnerabilities in various versions. Those vulnerable versions may be in service in currently installed devices.
Next: Contact Us