Hacking intelligent buildings using KNX and Zigbee networks

Read the most important news and product releases from RSA Conference 2018.

A great many of us are living, staying or working in “smart” buildings, relying on automated processes to control things like heating, ventilation, air conditioning, lighting, security and other operation systems. We expect those systems to work without a glitch and withstand attacks but, unfortunately, the security of these systems is still far from perfect.

hacking intelligent buildings

A group of researchers from Tencent Security Platform is getting ready to demonstrate just how imperfect it is at the Hack in the Box Conference next month. “The security of smart building equipment is not given enough attention at present. We would like to take this opportunity to make more people pay attention to the issue of safety of intelligent buildings, as personal security and privacy are at stake,” the team says.

Hacking KNX and Zigbee networks

Yong Yang, HuiYu Wu and YuXiang Li of the Tencent Blade Team have concentrated on probing KNX, a network communications protocol for building automation that is often used in large public places (stadiums, hotels, airports) and industrial facilities, and Zigbee, communication protocol widely used in home automation systems.

They’ve come up with a new attack method to take control of KNX network components and use that access to tamper with them. They validated the attack at a Marriott hotel, and succeeded in controlling the lighting, air conditioning, curtains and other equipment in the target hotel room.

“This attack requires physical access to the KNX device cable in the room so that we can use a KNX gateway to connect to the KNX network in the room. We used the KNX ETS software and some KNX security testing tools to complete the attack,” the team told Help Net Security.

By analyzing the KNX protocol, they found that they can modify the KNX/IP router configuration through this network cable network, without the KNX router accessing the Wi-Fi network or the external network.


Luckily, there are ways to defend against such an attack: better KNX network isolation, using the latest version of the KNX protocol with a new secure encryption mechanism, and avoiding exposing KNX cables to areas accessible to ordinary users.

Their testing of a number of devices from various manufacturers that use the Zigbee protocol for communication has also unearthed vulnerabilities. Most devices, they found, use older versions of the protocol, and those that use the latest one (v3.0) are preconfigured with a common link key for installation in order to be compatible with a wider array of Zigbee devices. Also, most devices rely on the network key to insure the security of communication.

hacking intelligent buildings

Automate the scanning and attacking of Zigbee networks

They developed a tool called “ZomBee” to automate the scanning and attacking of Zigbee networks. It runs on Raspberry Pi and automatically scans the Zigbee network in all the surrounding channels for Zigbee devices, and can attack them through a broadcast packet.

There are things users can do to foil this attack, namely close the network access function of Zigbee gateway after completing the Zigbee device pairing. Still, manufacturers are the ones that should consider implementing more security mechanisms. The researchers advise, among other things, the use of a stronger Zigbee encryption key and the implementation a security encryption algorithm in Zigbee application layer.