Wireshark: BACnet security analysis

BACnet (Building Automation and Control Networking Protocol) is an ICS protocol, developed by ASHRAE (American Society of Heating,Refrigerating and Air Conditioning Engineers). Like most ICS protocols, BACnet suffers from design vulnerabilities [source 3] such as poor implementation, lack of encryption and ability to load files (firmware) into BACnet devices making it open to various attacks [source 2] such as network mapping and Dos attacks (abusing broadcast messages)…etc. BACnet devices can be found in online search engines such as Shodan , just type “port:47808” or “bacnet” in Shodan’s search bar. BACnet Firewall Router (BFR) is an open source technology that can help secure this protocol against network mapping and Dos and spoofing [Source 2] and and its ability to filter BACnet packets. In this article I have assembled a list of filters and messages that can help you towards securing your network and assets if you are using BACnet protocol.

BACnet traffic analysis helps in understanding BACnet normal and abnormal behavior in your network. It’s also useful to develop firewall/IDS/IPS rules and most importantly monitoring operation (see 1st table) and security messages (see 2nd table). BACnet traffic can be analyzed using tools such as Wireshark. I mentioned in my article “Wireshark filters for ICS protocols“that BACnet is supported by Wireshark. Check out the Wireshark filters for BACnet here. To get started quickly, here are the common filters to use in Wireshark that can aid you with your investigation:

bvlc || bacnet || bacappBACnet packets
bacnetBACnet NPDU packets
bacnet.mesgtypBACnet Network Layer (router) packets
bvlcBACnet/IP packets
bvlc.function == 0x0bBACnet/IP Broadcast packets
bacappBACnet APDU packets
bacapp.confirmed_service == 12BACnet ReadProperty packets
bacapp.confirmed_service == 15BACnet WriteProperty packets
bacapp.unconfirmed_service == 0BACnet I-Am packets
bacapp.unconfirmed_service == 8BACnet WhoIs packets
bacapp.unconfirmed_service == 2BACnet UnconfirmedCOVNotification packets
Source: 1

BACnet WhoIs packets

I-Am-Router-To-Network (0x01)
Who-Is-Router-To-Network (0x00)

So, what are the BACnet security messages that are worth watching in your network traffic ? . They can be found using this filter: bacnet.mesgtyp and see the below table for those messages’ codes. Just look for the message inside the “Network Layer Message Type” section.

0x0AChallenge-Request
0x0BSecurity-Payload
0x0CSecurity-Response
0x0DRequest-Key-Update
0x0EUpdate-Key-Set
0x0FUpdate-Distribution-Key
0x10Request-Master-Key
0x11Set-Master-Key
source: 2

References:

  1. Analyzing BACnet
  2. Securing BACnet’s Pitfalls
  3. HOW IS BACNET VULNERABLE?

Comments are closed.