What is BACnet

Simulators

http://bacnet.sourceforge.net/ -> http://bacnet4linux.sourceforge.net/

Download -> UnTar then

$ make clean all
$ sudo ./bacnet4linux -D4 -m2 -p5555 -v5556 

Then access: http://localhost:8000/

Scan

Use nmap to identify the device:

$ sudo nmap --script bacnet-info -sU -p 47808 10.10.10.10

or shodan with dork:

port:47808

Exploitation

Major HVAC vendors such as Honeywell and Johnson Controls have their own proprietary network protocols, and there are also standard protocols for building automation systems. Expert familiar with these protocols say they all lack security features that would recognize and isolate bogus devices.

Consider BACnet, for Building Automation and Control network. It is an ASHRAE, ANSI, ISO 16484-5 standard. Some 842 HVAC vendors now use it. So it is probably a good candidate for testing.

typical bacnet system

BacNET can be implemented via serial or TCP/IP. We see both quite often. BacNET doesn’t usually provide for authentication or integrity validation, so once you get access to the BacNET, it’s game over for the building. And there are a variety of ways to get access to a building’s BacNET.

The BACnet protocol defines a number of services used to communicate between building devices and also 59 object types that the services act on. But only in 2016 did the BACnet committee in charge of the protocol’s definition release an addendum adding IT security concepts.

thermostat

BACnet objects have a set of properties used to exchange information with other objects. So a Pi attached to BACnet network lines would look like any other low-level node on the network. The Raspberry Pi would act as a level-two device. There’s no authentication of the command line communication between any of these devices. BACnet is peer-to-peer protocol so it can have thousands of devices trusting each other on its network. As long as the command that’s issued is valid, the device will obey it. Same problem exists on proprietary networks.