BACnet is a communication protocol deployed for building automation and control networks. The most widely accepted networks include
BacNet/IP Device Object
Internet Protocol (BACnet/IP) and the Master-Slave Token-Passing network (BACnet MS/TP). Generally, routers are required to interconnect BACnet networks while gateways are preferred for connecting non-compliant devices to primary BACnet network. It is anticipated that 64% of building automation industry uses BACnet for effective operations. From a security perspective, it is essential to fingerprint IoT devices that used BACnet for communications. As per the standard, there should be a one BacNet device objects associated with the BacNet device. The BACnet object constitutes a number of properties related to the device itself in which certain properties are optional and other are required. From fingerprinting perspective, BacNet/IP device runs a service on UDP port 47808 and UDP port 47809. A well-crafted UDP request sent to the associated service running on the stated UDP port result in information about the BacNet device. A number of examples of different properties of BacNet device object is shown below:
Description Property: This property basically contains the information about the device and is optional in nature. Listing 1 shows the description property highlighting the presence of BACnet
Application Software Property: This property is required to revealed by the BACnet device object so that client know which software version is installed on the device. Listing 2 highlights the “Application Software” property revealing the presence of software running on the targeted BACnet device.
Model and Firmware Properties: The firmware and model name properties are the required once and could reveal the presence of BACnet device. The firmware property reveals the configured firmware on the device and model name reveals the model name of the device. Listing 3 shows that associated properties contain the information about the presence of BACnet device.
Object Name Property: This property reflects the name of the object itself. In certain scenarios, the value of this property could reveal the presence of BACnet device as shown in Listing 4.
BBMD Device Property: BACnet/IP Broadcast Management Device (BBMD) is deployed to broadcast and distribute messages throughout BACnet/IP network which constitutes a number of interconnected TCP/IP sub networks. Once the BACnet/IP messages are sent by the devices in the subnet, the associated BBMD forwards the same messages to other peer BBMDs. Once the destination BBMD received the message, the message is then re-broadcasted to the same subnet.
Listing 5 shows the response obtained from the UDP querying which highlight the presence of BDMD device.
BACnet APDU Errors: Application Protocol Data Units (APDU) constitutes the application layer specific parameters. Generally, protocol data units transfer the information in the form of units among peers in the associated network for sharing and processing of information. APDU errors can also be used to validate and verify the presence of BACnet devices in the network. Example:- the device responds back to the client with notification error messages as “BACnet ADPU Type: Error (5)”. As a result, BACnet device can be detected accordingly. Additionally, a number of BACnet device has built-in embedded HTTP web servers that can also be used to discover the devices. A number of scenarios are discussed below:
HTTP Response Header – WWW-Authenticate Realm : The “WWW-Authenticate” HTTP response headers defines the web authentication method supported by the resource on the remote location. This header is primarily used as a response received from web server or application over HTTP/HTTPS communication channel. The header constitutes of type and realm parameter. The type defines the authentication scheme whereas realm defines the description of the protected resource. Listing 6 highlights a BacNet/IP resource (or device) running over HTTP and protected with BASIC authentication and realm as “UC32.net BACnet(2)”.
HTTP Response Header- Server: The embedded web server present in number of BACnet devices can also be queried via HTTP to detect the presence of BACnet device. Listing shows that HTTP response header “Server” discloses the presence of BACnet device. Additionally, certain embedded web server also reveal information about “BACnet Network” via HTTP/1.0 request acceptance as shown in Listing 7.
Web HTML Elements: A number of HTML web elements can also disclose the presence of BACnet device. When a client sends a HTTP GET/POST request to embedded web server, web page contents are returned in addition to the HTTP response header. The elements present in the web page can reveal the information about the BACnet. Listing 8 shows that “title” element in the web page disclosing the same.
Apart from the UDP querying and HTTP traffic analysis, NetBIOS can also be used to detect the presence of
BACnet devices. A similar scenario is discussed below.
NetBIOS Traffic: NetBIOS over TCP/IP is used for obtaining information about nameservice listening on the remote target. Generally, the query is sent to UDP port 137, the server responds with the details of all the services as part of NetBIOS response. There is a name code (number) associated with the response as shown in the Listing 9 below. The numeric code “0x1e” shows the usage of browser service elections on the domain
BACNET. This information highlights the presence of BacNET device on the network.
Using the indicators discussed above, we conducted a small analytical experiment to obtain the model numbers and type of devices supporting BACnet protocol for communication. We designed our own custom script to trigger scanning fast. However, NMAP provides an associated script to perform the same activity.
Figure 1 and Figure 2 show samples of the BACnet devices collected from the output retrieved from the conducted experiment.
A number of indicators have been presented in this article to highlight the different ways to fingerprint the BACnet devices on the Internet. Fingerprinting of BACnet devices is necessary to obtain visibility into the nature of the device that is required to map the complete security posture of the device.