BACnet – As Seen on Shodan

As seen on Shodan logo

Ever wonder how many BACnet systems are exposed on the internet?  This is an ongoing project to analyze BACnet hosts found in the Shodan database.  Each month, results from Shodan hosts with port 47808 will be analyzed.  Monthly reports will analyze results by vendor, device model and location.

Monthly Reports

Total BACnet Devices Trend

Never Expose BACnet to the Public Internet

While the BACnet standard allowed for some basic level of security, nothing on the market today supports it.  I’m told the BTL testing labs have also never certified a device supporting this to date.  If someone can discover a device, they can start commanding objects and changing settings with freely available BACnet tools.

Results of exposing devices could range from annoying to real damage.  Turning the heat off in during a winter holiday weekend, to downloading corrupt firmware / program files bricking devices.

If remote access is required its extremely important to either use VPNs or more secure protocols to transit the public internet.

Report Details

Shodan’s report contains the IP address, banner, timestamp, host name, and location based on the IP address.  For BACnet hosts that respond, the banner will contain the instance, object name, device location, vendor name, BDT table, application / firmware version, device model and name.

Our scripts parse Shodan’s banners to do some basic classification on the host.  Hosts that responded with valid responses are considered BACnet devices.  Unknown hosts are hosts that either have invalid BACnet responses, BACnet error messages, or empty banners.  Hosts that reply with a BACnet error message are considered Unknown / Suspected BACnet devices.

After classifying the hosts, they are sorted and the occurrence each vendor and device model is calculated.  Since some control vendors have identity crises requiring additional filtering.  Honeywell for example uses “Honeywell”, “Honeywell International, Inc” and “Honeywell International Inc.”.  Vendor names reduced to alpha numeric characters with spaces removed when calculating vendor totals.  Additional rules look for the first occurrence of a vendor known to use multiple different names and all further occurrences of any variation are counted together.

Additional BACnet Security Research

Public BACnet Scanning

There are several other actors constantly scanning the internet for BACnet devices.  Using honeypots we regularly see scans from the following organizations as well as other unidentified sources.

BACnet Secure Connect

Secure Connect (BACnet/SC) may solve the security issues surrounding BACnet and is currently working through the approval process. SC uses TLS between devices, eliminates the need for BBMDs and static IPs. Final approval is expected to happen sometime in late 2019. How long it takes for manufactures to implement and release products supporting it, is anyone’s guess. It will likely be many years yet before we see widespread adoption. SC could also turn into another form of vendor lock in.

BACnet/SC White Paper
Current BACnet/SC proposal under public review

11-19 Update BACnet/SC is officially approved

Tridium Releases Niagara Security Updates

Tridium released updates for the Niagara AX & N4 platforms this week that patch security vulnerabilities, including critical JVM vulnerabilities. Without mention which versions of AX/N4 are effected, one can only assume all prior versions. When asked for more details, Tridium said Windows based hosts are at the highest risk and they are not aware of active exploits in the wild currently. That being the case, at a minimum all Windows based supervisors and soft Jaces should be patched as soon as possible.

This brings AX to version 3.8.401 and N4 to version Vykon branded platforms have this available now, third party channels will lag behind to vary degrees. Unfortunately without any further details, there is no mitigations other than patching. If your channel is behind the current release version, waiting or switching brands is the only option. If this is the case, please help move the industry forward and make your concerns known to the vendor. Customers shouldn’t have to wait months for critical security updates.

Official Announcement

7/12/18 Update

Another update may be forthcoming shortly.

8/19/18 Update

Official ICS-CERT announcement.  Disabled accounts seem to be central to this bug which may allow for remote code execution.  The CVE links seem dead as of today.

8/30/18 Update

Scanning on the open internet for exposed Tridium system increases. 

Coincidence, I think not.  If you must expose your system to the internet, its past time to update.