KNX: Preventing Smart Home Hack Attacks

It is not enough to prevent access to devices or cables, especially since more and more devices are connected to the internet. Protecting the system is paramount, but how should this work?

As we learned, protection of your smart home and building automation system can be enhanced with simple tricks. However, enhancing systems does not mean that they are still not vulnerable for hackers. Before we jump into the topic about how a system can be protected, it is important to understand how the recent technologies work. Whilst most smart home systems are still relying on bus technology, more and more solutions, which go along with the Internet of Things, work with central units.

Central units have the advantage that the installation can be put in action just by simply configuring it. Depending on the user interface, the configuration can be a piece of cake.

Bus technology usually does not use a central unit, which might lead to, in the worst case scenario, to each device needing to be programmed individually. The advantage, however, is that once the system is fully configured the bus installation is very reliable.

The advantages of a central unit and/or a bus technology can be discussed, but regardless of the advantages or disadvantages, both system have one thing in common: both can be hacked! So what mechanisms, besides the traditional ones, exist?

Encryption of Telegrams
Especially in regards to the ongoing IoT discussion and the rising need to have every device connected to the internet, more and more telegrams are transmitted over the internet. With the right antenna, hackers can catch a telegram, modify it and make the house do as they want and not as the homeowners want. Of course, being aware of this, many technologies already provide a secure communication over VPN or provide https based solutions. This does help to make the communication more secure, but still, the telegram is not encrypted. Especially in light of the latest hacks on well-known online companies, such as LinkedIn or eBay, it is not unrealistic that hackers can get access to your telegrams. All in all, a secure communication does not protect your telegram from being tampered with as well.

But online transmission of telegrams is not the only entry door for hackers, especially if they can get physical access to the installation, for example, from outdoor devices, such as lamps and presence detectors. Therefore, the only way to make your installation safe, is to encrypt the telegram.

Data Secure and IP Secure:
Since 2016, an extension of the KNX technology is available free of charge, which focuses directly on security issues and how to protect your telegram from unauthorised intruders. The encryption of telegrams is done on two levels: for the communication inside the installation and one for the communication via the internet. Both levels use AES 128bit encryption technology, which was approved as a worldwide encryption standard (ISO/IEC 18033-3), ensuring best encryption mechanisms.

KNX AES Encryption Standard
AES 128bit encryption standard for securing telegrams.

Data secure encrypts the useful information in a telegram such as ‘switch’, ‘dim’ and also ‘open’ and ‘close’. By extending the telegram, the useful information is encrypted and a Message Authentication Code (MAC) is included. By not encrypting the whole telegram, the telegram is still forwarded to its according destination and also understood by the addressed recipient, which has the key to the encryption. As for the remaining unprotected elements of the telegram, they are protected by the MAC. The MAC is created according to the unencrypted information in the telegram. Once an attempt to modify the telegram is made, the MAC address would not match with the remaining telegram and the telegram becomes invalid. By using these security mechanisms, the telegram is fully protected against unauthorised intruders.

IP Secure is designed for encrypting the whole telegram, once it is transmitted via the internet (basically, when it leaves the house). By having the telegram sent out via interfaces to the world wide web, the according secure interfaces encrypt the whole telegram. After the telegram as reached its destination, it is decrypted and send further to its destination. The encryption of the whole telegram is also based on the encryption standard AES 128.

KNX IP SecureSecure communication via the internet is of the highest importance.

By encrypting the telegram inside the house via IP Secure and at the same time inside the house with Data Secure, the installation is bullet-proof for unauthorised access. Therefore, even if a hacker could get access to the installation, no matter if it is over the internet or physically, the hacker would not be able to understand the telegram and/or modify it accordingly.

This encryption is available here free of charge and can be used by all manufacturers, which is why we can expect a higher level of security in the world of smart homes. Further than that, since the telegram encryption is based on the KNX technology, these security measures can easily be implemented in existing systems, without the need to replace a whole installation.

For more information on the topic of telegram encryption, have a look here.

Learn in the next article, how you can put these security mechanisms into practise.

Article Categories