Let’s Talk BACnet: SCADASIDES Last Minute Change (transcript of a PowerPoint presentation by Michael Toecker)
LET’S TALK BACNET
SCADASIDES LAST MINUTE CHANGE
MICHAEL TOECKER
Mikhail Turcher, big fanci pantsie
BACNET PROTOCOL CYBER OVERVIEW
Ooooh… Cybah Cybah Cybah Overfuncher!
BASICS
BACnet is short for Building Automation and Control Network
• BACnet development started in 1985, was adopted by ASHRAE in 1995, and is now a major component of most Building Automation systems.
• Basically, it’s a protocol used for control, monitoring, and interoperability for automation systems used in buildings
• BACnet controllers are basically PLCs, controlling HVAC, Lighting, Security, and other systems you will find in large buildings
• BACnet networks are… complicated and strange for IT folks…. More in a few.
• Like nearly every ICS protocol, BACnet is also insecure by design
• It supports encryption… It does, 56-Bit DES. Is this really encryption anymore?
• You can also set a password. Maybe. Kinda, it’s like 6 characters with no logging, and doesn’t protect against most BACnet commands
Basi….. Sknnnnzzzz….
WE APOLOGIZE FOR THE FAULT IN THE SUBTITLES. THOSE RESPONSIBLE HAVE BEEN SACKED
PRIOR ART
@WarezJoe
- ShmooCon 2013: How To Own A Building: Exploiting the Physical World With Bacnet - http://www.youtube.com/watch?v=d3jtmv6Y9uk
- Redpoint – Bacnet Discovery NSE - http://www.digitalbond.com/blog/2014/03/26/redpoint-discover-enumerate-bacnet-devices/
Dis presentation needs more goats
A BACNET CONTROLLER
Ethernet Port
Universal Inputs
RS485
Analog Outputs
Digital Inputs
POWAH!
RS232!
?
OTHER BACNET DEVICE
I tells him to Pressy the butensies!! Press them!!! He does not.
BACNET NETWORKS
BACNET OBJECTS
CHARACTERISTICS OF BACNET PACKETS
ADD WIRESHARK CAPTURE
UDP 47808
WHAT YOU NEED TO COMMUNICATE
You need:
1. An Instance ID – An ID that uniquely identifies a device
2. Network ID – Think of it like a subnet, allows separation of groups of devices
3. The Object – A logical construct holding the data you want
After that, you can make a request to a Specific Device on a Specific Network.
CHARACTERISTICS OF BACNET PACKETS
Object-Name Request
Magic Number 0x810A
CHARACTERISTICS OF BACNET PACKETS
Magic Number 0x810A
Object-Name Response
INTERESTING THINGS TO DO WITH BACNET
REGISTER_FOREIGN_DEVICE()
FOREIGN DEVICE REGISTRATION
59 WILL GET YOU 505
Potential Issues:
1. Requires Spoofing
2. Requires ability to change port numbers.
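The packet characteristics shown earlier (BACnet/IP on UDP 47808, the 0x81 0x0A “magic number” that is really the BVLC type and function bytes) and the Register-Foreign-Device function above are easy to pick out on the wire from the defender’s side. The following is an added example, not code from the presentation or from @WarezJoe’s tools; it assumes the BVLC function codes of ASHRAE 135 Annex J (Register-Foreign-Device is 0x05, Original-Unicast-NPDU is 0x0A), builds its own constructed sample datagrams (a foreign-device registration and an Object-Name ReadProperty request like the one in the slides’ capture), and uses an assumed allowlist of building networks and its own alert wording.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

BACNET_IP_PORT = 47808            # UDP 47808 (0xBAC0), as on the slide
BVLC_TYPE_BACNET_IP = 0x81        # first byte of the slides' "magic number" 0x810A

# BVLC function codes from ASHRAE 135 Annex J (subset used here)
BVLC_REGISTER_FOREIGN_DEVICE = 0x05
BVLC_ORIGINAL_UNICAST_NPDU = 0x0A
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

# Constructed sample datagrams (not captures from the presentation):
# Register-Foreign-Device with a 120-second time-to-live (0x0078).
SAMPLE_REGISTER_FD = bytes.fromhex("81 05 0006 0078")
# Original-Unicast-NPDU carrying a ReadProperty of Object-Name (property 77)
# on Device instance 1: NPDU 01 04, confirmed request, invoke id 1,
# service 0x0C, object id 0x02000001, property 0x4D. 17 bytes in total.
SAMPLE_OBJECT_NAME_REQ = bytes.fromhex("81 0A 0011 0104 0005010C 0C02000001 194D")


@dataclass
class Bvlc:
    function: int
    length: int
    payload: bytes

    @property
    def name(self) -> str:
        return BVLC_FUNCTIONS.get(self.function, f"Unknown(0x{self.function:02X})")


def parse_bvlc(datagram: bytes) -> Bvlc:
    """Parse the 4-byte BVLC header: type (0x81), function, 16-bit total length."""
    if len(datagram) < 4:
        raise ValueError("too short for a BVLC header")
    bvlc_type, function, length = struct.unpack("!BBH", datagram[:4])
    if bvlc_type != BVLC_TYPE_BACNET_IP:
        raise ValueError(f"not BACnet/IP: type byte 0x{bvlc_type:02X}")
    # The length field covers the whole BVLC message; a mismatch is the first
    # sign of a truncated, padded or fuzzed frame.
    if length != len(datagram):
        raise ValueError(f"BVLC length {length} != datagram length {len(datagram)}")
    return Bvlc(function, length, datagram[4:])


def foreign_device_ttl(msg: Bvlc) -> int:
    """Register-Foreign-Device carries exactly one 16-bit time-to-live in seconds."""
    if msg.function != BVLC_REGISTER_FOREIGN_DEVICE or len(msg.payload) != 2:
        raise ValueError("not a well-formed Register-Foreign-Device")
    return struct.unpack("!H", msg.payload)[0]


def check_datagram(src_ip: str, src_port: int, dst_port: int,
                   datagram: bytes, allowed_nets: Iterable[str]) -> list[str]:
    """Return alert strings for one observed UDP datagram (empty list = nothing to say).

    allowed_nets (assumed, CIDR strings) lists the networks from which BACnet
    traffic, and in particular foreign-device registration at a BBMD, is expected.
    """
    if dst_port != BACNET_IP_PORT:
        return []
    try:
        msg = parse_bvlc(datagram)
    except ValueError as err:
        return [f"malformed BACnet/IP from {src_ip}:{src_port}: {err}"]
    src = ip_address(src_ip)
    trusted = any(src in ip_network(net) for net in allowed_nets)
    if msg.function == BVLC_REGISTER_FOREIGN_DEVICE:
        try:
            ttl = foreign_device_ttl(msg)
        except ValueError as err:
            return [f"malformed Register-Foreign-Device from {src_ip}:{src_port}: {err}"]
        if not trusted:
            return [f"Register-Foreign-Device from untrusted {src_ip}:{src_port} (TTL {ttl}s)"]
        return []
    if not trusted:
        return [f"{msg.name} from untrusted {src_ip}:{src_port}"]
    return []


def run_samples(allowed_nets: Iterable[str] = ("192.0.2.0/24",)) -> list[str]:
    """Feed the constructed samples through check_datagram and collect the alerts."""
    observed = [
        ("192.0.2.10", 47808, 47808, SAMPLE_OBJECT_NAME_REQ),   # building LAN, fine
        ("203.0.113.9", 47808, 47808, SAMPLE_OBJECT_NAME_REQ),  # outside, read attempt
        ("203.0.113.9", 47808, 47808, SAMPLE_REGISTER_FD),      # outside, registers as FD
        ("192.0.2.10", 47808, 47808, SAMPLE_REGISTER_FD[:5]),   # truncated frame
    ]
    alerts: list[str] = []
    for src_ip, src_port, dst_port, datagram in observed:
        alerts.extend(check_datagram(src_ip, src_port, dst_port, datagram, allowed_nets))
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

A BBMD accepts Register-Foreign-Device from whatever reaches it, so the registration attempt from outside the building’s own networks is the event worth alerting on; the same allowlist catches plain reads from outside, and the BVLC length check rejects truncated or padded frames before anything else looks at them.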
LOTS OF BACNET ON THE NET
FOCUSED ON THE BACNET NETWORK
This opinion is shortsighted. Here’s why….
CONCLUSION
Why BACNET?
Cause I work on Critical Infrastructure, and it’s nice to pwn something that I don’t get yelled at for owning.
Cause it’s interesting, and fun, and gets me some attention to demonstrate I know what I’m doing.
Cause it can have some interesting consequences for owners and others.
Why not? It’s still ICS
QUESTIONS?
Thanks,
Mike
Heh. Goatsies. Always End with Goatsies.