Collapse Like A House of Cards: Hacking Building Automation System Through Fuzzing

Building Automation Systems (BAS) play a pivotal role in modern smart buildings, integrating sensors, controllers, and software to manage crucial functions such as HVAC, lighting, and more. The global smart building market is on the rise, underscoring the importance of securing BAS networks. This paper introduces the Building Automation System Evaluator (BASE), a specialized fuzzer designed to assess the security of BAS networks. BAS networks typically involve a BAS client communicating with a BAS server through BAS protocols (e.g., BACnet, KNX), each presenting unique challenges in BAS network fuzzing. These challenges encompass complex packet structures and sequencing in BAS protocols, closed-source clients with indeterminable code coverage, and unobservable server status with limited throughput. BASE automatically identifies protocol structures, dynamically instruments clients for code coverage analysis, and monitors responses for new coverage areas. Collected timestamps are used to estimate the input scan intervals of servers, optimizing throughput. We evaluated BASE on various BAS servers and clients, uncovering 13 new vulnerabilities. Furthermore, we present three attack case studies, highlighting the real-world security implications of these vulnerabilities in BAS systems, such as delayed fire detection, loss of climate control, and security breaches. We reported our findings to the respective vendors, who acknowledged the implications, and some have subsequently patched their systems based on our reports.