{"id":1213,"date":"2023-04-11T15:32:44","date_gmt":"2023-04-11T12:32:44","guid":{"rendered":"https:\/\/zerontek.com\/zt\/?p=1213"},"modified":"2023-04-12T13:28:07","modified_gmt":"2023-04-12T10:28:07","slug":"ot-hunt-knx","status":"publish","type":"post","link":"https:\/\/zerontek.com\/zt\/2023\/04\/11\/ot-hunt-knx\/","title":{"rendered":"OT Hunt: KNX"},"content":{"rendered":"\n<p>This is the 5th topic of \u201c<a rel=\"noreferrer noopener\" href=\"https:\/\/zerontek.com\/zt\/category\/ot-hunt\/\" target=\"_blank\">OT Hunt<\/a>\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"761\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/knx-1024x761.jpg\" alt=\"\" class=\"wp-image-1214\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/knx-1024x761.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/knx-300x223.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/knx-768x570.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/knx.jpg 1061w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I used the following keywords\/dorks to search for KNX on the Shodan search engine; please check out my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/selmux\/ICS-Security\/blob\/main\/ICS-OT-iIoT%20dorks\/knx-shodan\" target=\"_blank\">ICS dorks project<\/a> on GitHub:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>knx port:3671<\/code><\/pre>\n\n\n\n<p>This search yielded 12,842 online KNX devices. The results also showed an \u201cICS\u201d tag for each device (based on Shodan). Some KNX devices are linked to Loxone Miniserver. 
I found 187 KNX Miniserver devices on Shodan. KNX and Miniserver are used for home and building automation systems, just like BACnet. The difference is that KNX is a decentralized communication protocol used mainly in Europe, while BACnet is a centralized communication protocol used mainly in North America.<\/p>\n\n\n\n<p>The KNX protocol is generally secure if implemented correctly. It supports encryption and authentication mechanisms to protect communication between devices.<\/p>\n\n\n\n<p>I found an interesting scanner for KNX written in Python called KNXmap:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a href=\"https:\/\/github.com\/takeshixx\/knxmap\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/takeshixx\/knxmap<\/a><\/code><\/pre>\n\n\n\n<p>The results showed that some Loxone Miniserver (KNX) servers have many open ports\/surfaces, such as 21 and 80. The common port for KNX is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>3671 UDP<\/code><\/pre>\n\n\n\n<p>Loxone Miniserver devices with firmware before 11.1 are vulnerable and are listed in the <a rel=\"noreferrer noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-27488\" target=\"_blank\">National Vulnerability Database (NVD)<\/a>. There is a risky vulnerability (Improper Authentication) with a CVSS v3 score of 9.8. This vulnerability allows an attacker to spoof these devices and obtain an unauthenticated cloud service. There are also other security issues, such as the <strong>default credentials<\/strong> (admin\/admin), which should be changed, and some versions suffer from an FTP server security vulnerability according to Loxone. My research showed that there are up-to-date versions while there are also older versions available online.<\/p>\n\n\n\n<p>I found web servers (interfaces) for some of these devices; the interfaces are used for managing settings and controlling the system. 
It could also be controlled via the Loxone App.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" src=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-1024x560.jpg\" alt=\"\" class=\"wp-image-1231\" srcset=\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-1024x560.jpg 1024w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-300x164.jpg 300w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-768x420.jpg 768w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-1536x839.jpg 1536w, https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2023\/04\/loxone-2048x1119.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>This is the 5th topic of \u201cOT Hunt\u201d. These topics expose ICS\/OT devices that are connected to the internet. The goal is to build awareness for the ICS community. This kind of research is also a warning message for asset owners and ICS\/OT vendors to secure their assets\u2019 attack surfaces. 
The following keywords\/dorks [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[170,161,178,4,45,3,46,130,202,81,168,48,23,5],"tags":[7,13,6,12,47,20,27],"class_list":["post-1213","post","type-post","status-publish","format-standard","hentry","category-attack-surface","category-bacnet","category-chatgpt","category-cyber-security","category-ics-protocols","category-ics-security","category-ics-tools","category-insecure-by-design","category-knx","category-osint","category-ot-hunt","category-ot-security","category-shodan","category-vendors","tag-cyber-security","tag-ics","tag-ics-security","tag-ot","tag-ot-security","tag-shodan","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1213"}],"version-history":[{"count":23,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1213\/revisions"}],"predecessor-version":[{"id":1239,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1213\/revisions\/1239"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}