1.
BACnet on the Internet

2.
Project Background
• Started in July 2018
• Goals
• Track total number of devices and trends
• Identify most common manufactures and devices
• Look for patterns
• Find and remove any sites we have involvement with
• Notify vendors we have relationships with

3.
Problems exposing BACnet on the internet
• Limited market support for BACnet security today
• White listing
• Read only / limit writable objects
• MS/TP Router with Encryption
• BFR Project – Joel Bender
• Multiple crawlers searching for BACnet
• Possible equipment downtime and damage
• Firmware tampering / bricking
• Ukrainian Power Grid Attack – 2015
• TRITON Attack Framework - 2017

4.
Problems exposing BACnet on the internet
• BACnet WAN Security Threat Assessment
• (NIST 2003)
• Amplification Threat Posed By Public BACnet
• (Tech University of Munich 2017)

5.
Scanning for BACnet
• Shodan.io
• Crawls the entire IPv4 space monthly
• Scans for well known protocols HTTP, SSH, FTP, etc
• When they find an open port, any response becomes the “banner”
HTTP/1.0 200 OK
Date: Tue, 16 Feb 2010 10:03:04 GMT
Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.1.2 mod_gzip/1.3.19.1a mod_ssl/2.8.9
OpenSSL/0.9.6g
Content-Length: 97
Content-Type: text/html

6.
Scanning for BACnet
• Shodan data
• Host IP
• Timestamp of last scan
• Banner
• Hostname lookup / reverse DNS
• Organization assigned to IP space
• Country / City (IP Geo-location)
• And more…

7.
Scanning for BACnet
• Well known protocols get special attention
• SSL
• Public cert, versions supported
• SMTP
• Supported SSL versions, server hello
• Niagara
• Versions, station name
• BACnet
• Full device object & BDT table

8.
Scanning for BACnet
Instance ID: 109100
Object Name: XXX-398 Vine St
Location: Ground Floor Boiler Room
Vendor Name: XXXXXXXXXXXXXXXXXXXXXXXXXXX
Application Software: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--|
Firmware: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--|
Model Name: XXXXXXXXXX
BACnet Broadcast Management Device (BBMD):
192.186.XXX.XXX:47808
64.250.XXX.XXX:47808
Foreign Device Table (FDT):
64.250.XXX.XXX:62738:ttl=60:timeout=88

9.
Scanning for BACnet
• Low cost to entry
• First two pages of results (~20) available with free account
• $10 per 10k results
• General reports, no cost
• Not the only source…

10.
Using Shodan results
• Working with .csv results, XML/JSON formats are also available
• With VBA in Excel the banners are parsed
• Identify BACnet hosts
• Not all hosts with 47808 open are BACnet
• Sort out manufactures with identity crisis
• XYZ Inc., XYZ Inc, XYZ Building Technologies, XYZ Industrial
• Generate totals, basic statistics and charts

11.
Results

12.
Hosts by Month

13.
Patterns to date
• Most common BACnet vendor != most common in the
market
• Most common vendors likely use BACnet for all aspects
• Programming, firmware updates, etc
• Least common vendor / device can be the most
interesting
• High number of identifiable sites
• BACnet honeypots in the wild
Metric July 2018 April 2019
Total Hosts 11,304 13,280
Vendors 112 119
Unique
Models
457 516

14.
Honeypots

15.
Honeypot Setup
• Real BMS hardware and software to simulate a real install
• Isolated playground with 47808 UDP/TCP exposed
• Raspi & passive network tap
• Full setup details
• Long term capture and collection
• Wireshark export to Excel and classify

16.
Honeypot Results
• Identified entities scanning for BACnet devices
• University of Michigan
• Alpha Strike
• Kudelski Group
• Net Systems Research
• Censys
• Rapid7
• And more…

17.
Honeypot Results
• Scanning traffic is minimal currently – 1 scan / day
• Scanning outside known actors rare
• Running realistic HP is difficult
• Firmware versions, model, vendor names, typical device instances, etc
• Geo-location IP matches any site specific naming
• Realistic sensor readings
• Do sensors react correctly to output overrides
• Many required for a solid understanding

18.
Questions?