Shodan is a search engine similar to Google, but instead of searching for websites it searches for internet-connected devices—from routers and servers to Internet of Things (IoT) and OT devices. It can find any connected device, from thermostats and baby monitors to complex tools like SCADA systems that govern a wide range of industries, including energy, power, and transportation.

The Shodan Project’s main goal was to search for devices linked to the Internet, but its goodwill became problematic as soon as Shodan began discovering industrial supervisory control and data acquisition (SCADA) systems, security cameras, traffic lights, and other sensitive devices that shouldn’t have been publicly accessible.

A recent SHODAN query against “port:47808” returned 18,702 IPs that were running a BACnet protocol that had been exposed to the Internet. Nearly 60% of these devices were located in the US.

The BACnet Story

BACnet is a standard ASHRAE, ANSI, and ISO communications protocol, and its default traffic port is UDP/47808. It is used to build automation and control systems for applications such as heating, ventilating, and air-conditioning control, lighting control, access control, fire detection systems, and associated equipment. The BACnet protocol also provides mechanisms for computerized building automation devices to exchange information, regardless of the specific building service they perform.

Unfortunately, BACnet has also been used by cybercriminals to exploit vulnerable devices. A specially crafted BACnet packet sent to a vulnerable eBMGR device, for example, can result in arbitrary code execution that can allow a remote attacker to gain control of the targeted system.

A quick look at the SHODAN query results cited above revealed an interesting parameter called “BACnet Broadcast Management Device (BBMD).” BBMD stands for BACnet/IP Broadcast Management Device. It is used to implement BACnet IP across a large network. To put it simply, BACnet Broadcast Management Devices (BBMDs) act as a sort of forwarding service. They’re especially useful on large, complicated networks because they can forward messages from one subnetwork to another so that communications can be broadcast locally. (You can filter this data by using this query -> https://www.shodan.io/search?query=BACnet+Broadcast+Management+Device )

From a hacking perspective, however, a BBMD device that isn’t protected is a gold mine that will allow a cybercriminal to map the entire set of BACnet devices under a particular BACNET domain/organization. They can then send BACNET commands that can produce an operational disruption.

For example, if a hacker can find a vulnerable BBMD they can have full command and control without cracking the username and password. A freely available tool called BDT or BACnet Discovery Tool, can be used to query BACnet devices for collecting information and change configuration. (You can also use the NMAP BACnet scripts.)

The BACnet Protocal and Process

To demonstrate the potential damage that can be caused by targeting a BBMD system, instead of scanning a real internet device we used the BDT tool against a BACNET server simulator in our lab and found that simply by scanning the BBMD IP we were able to map the entire network and access all the other IoT/OT devices running BACNET protocol, including the ability to remotely update device configurations.

The outcomes of manipulating a device connected to a BBMD system could be potentially devastating. For example, we were able to locate a boiler sensor (see the screenshot below). If a threat actor were able to change the Boiler’s configuration (temperature, safety features) they could not only affect its operation but even cause damage in the form of an explosion.

Sourced from Fortinet

Recommended Posts