This is the 5th topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their assets’ attack surfaces.

I used the following keywords/dorks to search for KNX on the Shodan search engine. Please check out my ICS dorks project on GitHub:
knx port:3671
This search yielded 12,842 online KNX devices. The results also showed an “ICS” tag for each device (based on Shodan). Some KNX devices are linked to Loxone Miniserver. I found 187 KNX Miniserver devices on Shodan. KNX and Miniserver are used for home and building automation systems, just like BACnet. The difference is that KNX is a decentralized communication protocol used mainly in Europe, while BACnet is a centralized communication protocol used mainly in North America.
KNX protocol is generally secure if implemented correctly. It supports encryption and authentication mechanisms to protect communication between devices.
I found an interesting scanner for KNX written in Python called KNXmap:
https://github.com/takeshixx/knxmap
The results showed that some Loxone Miniserver (KNX) servers have many open ports/surfaces, such as 21 and 80. The common port for KNX is:
3671 UDP
Loxone Miniserver devices with firmware before 11.1 are vulnerable, and the issue is listed in the National Vulnerability Database (NVD). It is a risky vulnerability (Improper Authentication) with a CVSS v3 score of 9.8. This vulnerability allows an attacker to spoof these devices and obtain an unauthenticated cloud service. There are also other security issues, such as the default credentials (admin/admin), which should be changed, and some versions suffer from an FTP server security vulnerability according to Loxone. My research showed that up-to-date versions are online, but older versions are online as well.
I found web servers (interfaces) for some of these devices. The interfaces are used for managing settings and controlling the system. The system can also be controlled via the Loxone App.
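For asset owners, the points above (firmware before 11.1, ports 21, 80 and 3671/UDP reachable from the internet, unchanged admin/admin) can be turned into a check over their own device inventory. The following is an added example, not code from this post or from Loxone; the record fields (`host`, `firmware`, `exposed_ports`, `default_credentials`) and the sample rows are assumptions constructed for illustration.

```python
# Added example: audit an asset owner's own Miniserver/KNX inventory.
# Field names are hypothetical; the inventory rows are constructed sample data.
import re

FIXED_FIRMWARE = (11, 1)  # the post: firmware before 11.1 is vulnerable
RISKY_PORTS = {           # the post: ports seen open on exposed devices
    (21, "tcp"): "FTP reachable from the internet",
    (80, "tcp"): "web management interface reachable from the internet",
    (3671, "udp"): "KNX port reachable from the internet",
}

def parse_firmware(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def audit_device(device):
    """Return a list of findings for one inventory record (a dict)."""
    findings = []
    version = parse_firmware(device.get("firmware"))
    if version is None:
        findings.append("firmware version unknown: verify manually")
    elif version < FIXED_FIRMWARE:
        findings.append("firmware older than 11.1: update")
    for port in device.get("exposed_ports", []):
        reason = RISKY_PORTS.get(tuple(port))
        if reason:
            findings.append(f"{port[0]}/{port[1]}: {reason}")
    if device.get("default_credentials", True):  # unknown counts as unchanged
        findings.append("admin/admin not confirmed changed")
    return findings

INVENTORY = [  # constructed records; 192.0.2.0/24 is a documentation range
    {"host": "192.0.2.10", "firmware": "10.3.11.27",
     "exposed_ports": [(21, "tcp"), (80, "tcp"), (3671, "udp")],
     "default_credentials": True},
    {"host": "192.0.2.11", "firmware": "11.1.9.14",
     "exposed_ports": [], "default_credentials": False},
    {"host": "192.0.2.12", "firmware": "n/a",
     "exposed_ports": [(443, "tcp")], "default_credentials": False},
]

def audit_inventory(inventory):
    return {d["host"]: audit_device(d) for d in inventory}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A record with an unparseable firmware string is flagged for manual review rather than treated as patched.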
