
SHODAN Your ICS Network – The BACnet Story

By Moshe Ben Simon | October 27, 2021
Mapping the entire ICS network using a single BBMD device

Shodan is a search engine similar to Google, but instead of searching for websites it searches for internet-connected devices—from routers and servers to Internet of Things (IoT) and OT devices. It can find any connected device, from thermostats and baby monitors to complex tools like SCADA systems that govern a wide range of industries, including energy, power, and transportation.

The Shodan Project's original goal was simply to index devices connected to the Internet, but that benign purpose became problematic as soon as Shodan began discovering industrial supervisory control and data acquisition (SCADA) systems, security cameras, traffic lights, and other sensitive devices that should never have been publicly accessible.

A recent SHODAN query against "port:47808" returned 18,702 IPs that were running a BACnet protocol that had been exposed to the Internet. Nearly 60% of these devices were located in the US.

The BACnet Story

BACnet is an ASHRAE, ANSI, and ISO standard communications protocol, and its default transport is UDP port 47808. It is used in building automation and control systems for applications such as heating, ventilation, and air-conditioning (HVAC) control, lighting control, access control, fire detection systems, and associated equipment. The BACnet protocol also provides mechanisms for computerized building automation devices to exchange information regardless of the specific building service they perform.

Unfortunately, BACnet has also been used by cybercriminals to exploit vulnerable devices. A specially crafted BACnet packet sent to a vulnerable eBMGR device, for example, can result in arbitrary code execution that can allow a remote attacker to gain control of the targeted system.

A quick look at the SHODAN query results cited above revealed an interesting parameter called "BACnet Broadcast Management Device (BBMD)." BBMD stands for BACnet/IP Broadcast Management Device. It is used to implement BACnet IP across a large network. To put it simply, BACnet Broadcast Management Devices (BBMDs) act as a sort of forwarding service. They're especially useful on large, complicated networks because they can forward messages from one subnetwork to another so that communications can be broadcast locally. (You can filter this data by using this query -> https://www.shodan.io/search?query=BACnet+Broadcast+Management+Device )

From an attacker's perspective, however, an unprotected BBMD is a gold mine: it allows a cybercriminal to map the entire set of BACnet devices within a particular BACnet domain or organization, and then to send BACnet commands that cause operational disruption.

For example, if a hacker can find a vulnerable BBMD, they can gain full command and control without cracking a username and password. A freely available tool called BDT (BACnet Discovery Tool) can be used to query BACnet devices, collect information, and change configuration. (The NMAP BACnet scripts can also be used.)

The BACnet Protocol and Process

To demonstrate the potential damage that can be caused by targeting a BBMD system, we ran the BDT tool against a BACnet server simulator in our lab rather than scanning a real Internet-facing device. Simply by scanning the BBMD's IP address, we were able to map the entire network and access all the other IoT/OT devices running the BACnet protocol, including the ability to remotely update device configurations.

The outcomes of manipulating a device reached through a BBMD could be devastating. For example, we were able to locate a boiler sensor (see the screenshot below). If a threat actor were able to change the boiler's configuration (temperature, safety features), they could not only affect its operation but even cause physical damage in the form of an explosion.

Mapping a BACNET device through the BBMD Server

In addition to the lack of security in the BACnet protocol itself, vendor-specific vulnerabilities allow remote code execution (RCE). For example, CVE-2019-9569 is a buffer overflow vulnerability in the Delta Controls enteliBUS Manager V3.40_B-571848 that allows remote, unauthenticated users to execute arbitrary code and possibly cause a denial of service via unspecified vectors. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9569)

Fortinet Remediation

The combination of poor security at the protocol layer, product vulnerabilities, and Internet exposure of such devices expands the ICS (industrial control system) attack surface dramatically. To mitigate the threats detailed above, FortiGuard Labs recommends implementing the following security controls:

  • Implement Zero-Trust access (Fortinet ZTNA) to secure network access for your employees and third-party companies. ZTNA technology lets you enforce multi-factor authentication, policy-based access, and a secure network channel, eliminating that part of the attack surface.
  • Implement cyber deception (FortiDeceptor ICS Decoys) that uses ICS decoys to emulate your environment for early breach detection and response.
  • Implement a firewall (FortiGate) with an IPS engine (FortiGuard) that detects ICS attacks.
  • For BACnet specifically, restrict network access using the Foreign Device Table (FDT) so that a remote peer cannot pull any more information from the device than the minimum needed to register in the FDT.
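To make the FDT recommendation above concrete on the wire, here is an added example (not Fortinet code, and not a FortiGate or FortiDeceptor feature) that decodes the BACnet/IP BVLC header of UDP/47808 datagrams and flags the BBMD management functions a BDT-style scanner relies on (foreign-device registration, BDT/FDT reads and writes, Distribute-Broadcast-To-Network) when they arrive from outside an assumed trusted-peer allowlist. The 10.0.0.0/8 allowlist and the sample datagrams are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# BVLC function codes from ASHRAE 135 Annex J (BACnet/IP).
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result", 0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table", 0x03: "Read-BDT-Ack", 0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device", 0x06: "Read-Foreign-Device-Table", 0x07: "Read-FDT-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry", 0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU",
}
# Functions that register with, read, write or relay broadcasts through a BBMD;
# only trusted BACnet/IP peers should ever send these.
BBMD_MANAGEMENT = {0x01, 0x02, 0x05, 0x06, 0x08, 0x09}
# Assumed allowlist of legitimate BACnet subnets (constructed for this example).
TRUSTED_PEERS = [ip_network("10.0.0.0/8")]

def parse_bvlc(payload: bytes):
    """Decode the BVLC header (type 0x81, function, big-endian total length); (function, body) or None."""
    if len(payload) < 4 or payload[0] != 0x81:
        return None
    func, length = struct.unpack("!BH", payload[1:4])
    if length != len(payload) or func not in BVLC_FUNCTIONS:
        return None  # length field disagrees with the datagram, or unknown function
    return func, payload[4:]

def classify(src_ip: str, payload: bytes, trusted=TRUSTED_PEERS) -> str:
    """Verdict for one UDP/47808 datagram: ALERT on BBMD management from outside the allowlist."""
    parsed = parse_bvlc(payload)
    if parsed is None:
        return "ignore"
    func, body = parsed
    name = BVLC_FUNCTIONS[func]
    if func in BBMD_MANAGEMENT and not any(ip_address(src_ip) in net for net in trusted):
        detail = ""
        if func == 0x05 and len(body) == 2:  # Register-Foreign-Device carries a 2-byte TTL
            detail = f" ttl={struct.unpack('!H', body)[0]}s"
        return f"ALERT {name} from {src_ip}{detail}"
    return f"ok {name} from {src_ip}"

# Constructed sample datagrams (hex), not captured traffic.
SAMPLES = [
    ("203.0.113.9", "81050006003c"),            # Register-Foreign-Device, TTL 60 s, external
    ("10.0.5.20", "81060004"),                  # Read-Foreign-Device-Table from a trusted subnet
    ("203.0.113.9", "810a000b01040005010c0c"),  # Original-Unicast-NPDU, ordinary traffic
    ("203.0.113.9", "81050010003c"),            # length field claims 16 bytes, dropped
]

def run_samples():
    return [classify(ip, bytes.fromhex(h)) for ip, h in SAMPLES]
```

Feed it the UDP payloads from a capture on the BBMD's interface; anything returned as ALERT is a peer trying to register with or enumerate the BBMD that the FDT restriction should already be blocking.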

Remember, SHODAN can find anything that connects directly to the Internet—and if your IoT/OT devices aren't protected, Shodan can tell hackers everything they need to know to penetrate your network.


Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.