Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in KNX devices utilizing specific connection authorization features that could allow an attacker, through network or physical access, to lock down devices, preventing legitimate users from regaining access. The primary concern is confirming if this technology is in use within your environment and assessing the potential exposure if it is.
- Devices can be locked, blocking user access.
- Vulnerability impacts building automation systems.
- Confirm relevance and assess potential exposure.
Attack Path
How an attacker could exploit the issue
An attacker could gain access to a KNX network, either through direct network access or physical proximity to a device, to interact with the KNX installation. By exploiting a vulnerability in the connection authorization feature, they could potentially remove all connected devices and then set a new password, effectively locking users out of the system.
- Network or physical access required.
- Attackers can purge devices and set new passwords.
- Risk of unauthorized lockout and system access.
Live Threat
Current exploitation, exposure, and threat context
KNX devices utilizing Connection Authorization with Option 1 could be locked by an attacker with network or physical access, preventing legitimate users from regaining control. This lock-out occurs when an attacker purges existing devices and sets a new BCU key, which often cannot be reset without the current password. The risk is contingent on specific device implementations and security configurations.
- KNX devices with Option 1 authorization.
- Attacker purges devices, sets new BCU key.
- Device locked, preventing legitimate user access.
Operational Fix
Recommended remediation, mitigation, and detection steps
The KNX Association's Connection Authorization Option 1 can lead to devices being locked and inaccessible if exploited locally or remotely. Ownership likely resides with infrastructure or building management system teams responsible for KNX deployments, with vendor coordination for specific remediation steps. The first practical move involves identifying all KNX devices using this authorization, assessing their network reachability or criticality, and then planning remediation based on the risk of lockout.
- Confirm KNX device network exposure.
- Identify accountable system owner.
- Plan remediation and vendor coordination.