Using KNX-Based Building Automation and Control Systems for Data Exfiltration

Abstract

When it comes to protecting confidential and/or sensitive information, organizations have a plethora of recommendations, standards, policies and security controls at their disposal, conceived to deal with a wide variety of threats. However, most of them share the same fundamental premise: that weaknesses are inline by nature, as a consequence of infrastructure, social and/or technological gaps that can be detected, controlled, mitigated or constrained. Side channel threats are a different matter, though. Stemming from unconventional intrusion or attack vectors whose existence was inconceivable, unexpected or deemed unfeasible, their successful exploitation may provide attackers with the means to bypass and render most security controls ineffective or even useless. In this paper we address one such case: the use of a KNX-based building automation and control system to exfiltrate data from an air-gapped infrastructure. The introduction of a small device provides connectivity to the existing KNX fieldbus and enables sending data through it or even control other devices, with no interference in the operation of the building automation and control network. We validated the feasibility of this approach by means of an experimental setup, which was used to successfully evaluate two different techniques: inline bus exfiltration and optical transmission, via dimmer control. Finally, some measures for detecting and mitigating this type of attacks are proposed.