Thousands of building management systems in ‘smart’ homes and offices worldwide are easily accessible to hackers. That is the conclusion of an ethical hacker at Computest, based on a security investigation into the KNX standard for building automation.
Zoetermeer, 18th February 2019 – Thousands of building management systems in ‘smart’ homes and offices worldwide are easily accessible to hackers. That is the conclusion of an ethical hacker at Computest, based on a security investigation into the KNX standard for home and building automation. The research shows that systems based on this standard are frequently connected to the internet. However, because these systems contain no form of authentication whatsoever, attackers can use them to operate the security, lighting, air conditioning and heating systems of homes and offices remotely. In total, there are 17,444 buildings with systems based on the KNX standard, of which 1,322 are in the Netherlands. This makes the Netherlands the country with the third-largest number of locations vulnerable to hackers, after Germany and Spain.
Security scan reveals 17,444 vulnerable locations
Firms and private individuals alike are connecting ever more systems to the internet. Linking these IoT applications together yields extra convenience but also serious risks. The study by ethical hacker Daan Keuper focused on various domotics applications based on the KNX standard. He discovered that there are 17,444 buildings and homes worldwide whose systems can be fairly easily hijacked by a hacker. Spain and Germany head the list with 1,985 and 1,768 locations, respectively. The Netherlands follows with 1,322. In this country, Amsterdam is the city with the most buildings containing KNX systems. Keuper’s security scan also revealed that building management systems based on the KNX standard have been installed in China, the US and Russia.
Computest believes the KNX systems are generally connected to the internet by installers in order to be able to configure networks remotely. In addition, the protocol is used by some mobile apps to operate domotics solutions remotely.
Responsibility for security
“If a standard is used, people generally assume that the security will be sorted too”, says Keuper. “The absence of authentication in the KNX systems shows that this is a dangerous assumption.” In Computest’s view, responsibility for proper security of the system is shared by the supplier, the installer and the consumer. The consumer must be able to hold the installer to account for the security of what he or she installs. The idea is that the installer does the same towards the supplier and/or other parties in the chain. As a result, the supplier and the installer will themselves become more critical about which products they select, and they are more likely to be in a position to make demands and to choose parties for whom the security of their applications is a priority.
“There is still a lot of work to be done when it comes to raising awareness in the installation sector about the risks these smart systems entail”, says Petra Oldengarm, Director of Cyberveilig Nederland. “And it is important that installers know how to minimise these risks. For this reason, we are talking to representatives of the installation sector to develop activities that contribute to the awareness and knowledge level, so users can trust the KNX products that are being installed in their offices or homes.”
Check whether a KNX installation is secure yourself
In order to enable building managers and consumers to check whether their KNX installation is secure, Computest has created the site www.knxscan.com.
Watch the video in which ethical hacker Daan Keuper shows what he can achieve with a KNX system that is connected to the internet.