{
	"id": "86a52b58-fc8c-4ed0-bca9-0262e174d50b",
	"created_at": "2026-04-06T02:11:17.648012Z",
	"updated_at": "2026-04-10T13:11:46.834356Z",
	"deleted_at": null,
	"sha1_hash": "8abda2b6d054ac543c5f7bd5804cb5bf037b8949",
	"title": "Lights Out: Cyberattacks Shut Down Building Automation Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 922703,
	"plain_text": "Lights Out: Cyberattacks Shut Down Building Automation\r\nSystems\r\nBy Kelly Jackson Higgins\r\nPublished: 2021-12-20 · Archived: 2026-04-06 01:33:44 UTC\r\nSource: FranckBoston via Alamy Stock Photo\r\n[This story was updated on 12/27/2021 with comments from the KNX Association. They had not yet responded to\r\ninquiries when the story first posted.]\r\nA building automation engineering firm experienced a nightmare scenario: It suddenly lost contact with hundreds\r\nof its building automation system (BAS) devices — light switches, motion detectors, shutter controllers, and\r\nothers — after a rare cyberattack locked the company out of the BAS it had constructed for an office building\r\nclient.\r\nThe firm, located in Germany, discovered that three-quarters of the BAS devices in the office building system\r\nnetwork had been mysteriously purged of their \"smarts\" and locked down with the system's own digital security\r\nkey, which was now under the attackers' control. The firm had to revert to manually flipping on and off the central\r\ncircuit breakers in order to power on the lights in the building.\r\nThe BAS devices, which control and operate lighting and other functions in the office building, were basically\r\nbricked by the attackers. \"Everything was removed ... completely wiped, with no additional functionality\" for the\r\nBAS operations in the building, explains Thomas Brandstetter, co-founder and general manager of Limes Security,\r\nwhose industrial control system security firm was contacted in October by the engineering firm in the wake of the\r\nattack.\r\nhttps://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems\r\nPage 1 of 5\n\nBrandstetter's team, led by security experts Peter Panholzer and Felix Eberstaller, ultimately retrieved the hijacked\r\nBCU (bus coupling unit) key from memory in one of the victim's bricked devices, but it took some creative\r\nhacking. 
The engineering firm then was able to reprogram the BAS devices and get the building's lighting,\r\nwindow shutters, motion detectors, and other systems back up and running.\r\nBut the attack was no anomaly. Limes Security has since been getting reports of similar types of attacks on BAS\r\nsystems that run on KNX, a building automation system technology widely deployed in Europe. Just last week,\r\nLimes Security was contacted by another engineering firm in Europe that had suffered an eerily similar type of\r\nattack as the German firm — on a KNX BAS system that locked it out as well.\r\n\"What was interesting ... is the attackers here misused what was supposed to be a security feature, a programming\r\npassword [the BCU key] that would lock out an adversary from manipulating the components,\" Panholzer says.\r\n\"Luckily for us and the [BAS] operators so far in each of the incidents we have been involved with, the attackers\r\nset the same password for all components\" in the victims' respective BAS networks, Panholzer says. \"In theory,\r\nthere could be a different password for each and every component, and that would actually make recovery much,\r\nmuch harder.\"\r\nFor its part, KNX warns in its product support information that the BCU key security feature should be deployed\r\ncarefully for the engineering tool software (ETS): \"Use this option with care; if the password is lost, those devices\r\nshall be returned to the manufacturer. Forgotten BCU Key in the devices cannot be changed or reset externally\r\nbecause this would make the protection in ETS meaningless (of course, the manufacturers know how to do this),\"\r\nthe KNX Association vendor says on its support page.\r\nBut in reality, most manufacturers of these devices are unable to retrieve pilfered BCU keys, Panholzer notes. 
The\r\nGerman engineering firm initially went to its BAS device vendors for help, but the vendors informed the firm they\r\nwere unable to access the keys.\r\nThere have been other indirect reports of similar attacks on KNX-based systems, he says. \"There seems to be kind of\r\nan attack wave. We're not fully aware how\" widespread it is, however, he says.\r\n\"What is apparent is that it came out of nowhere: Suddenly, there were many attacks happening that we are aware\r\nof,\" says Panholzer, who plans to present the case - which the company calls KNXlock - at the S4x22 ICS security\r\nconference next month in Miami. Limes Security declined to identify the victim organizations that have been hit\r\nin the attacks for confidentiality reasons.\r\nThere are no clues so far to trace back to the attackers. BAS systems aren't configured with any logging functions,\r\nso the attackers don't leave behind any digital footprints per se. Their attacks left no ransom notes nor signs of\r\nransomware, so it's unclear even what the endgame of the attacks was. \r\n\"My theory here is there may be a single or few sources of attackers, but we don't know for sure\" because of the\r\nlack of logs, Panholzer says.\r\nThe Limes Security researchers, meanwhile, have set up a honeypot system to see if they can lure the attackers\r\ninto going after their phony BAS as a way to gather intel on where the attacks are originating. So far, though, no\r\none has taken the bait.\r\nThe smart building system is an oft-forgotten attack vector that straddles the physical security and cybersecurity\r\nworlds. 
Building hacks thus far have been rare, with a couple of notable ones making headlines to date: a 2016\r\nransomware attack on a hotel in Austria that hit room locks, and a distributed denial-of-service attack on heating\r\nsystems in two apartment buildings in Finland in 2016.\r\nLimes Security's Brandstetter has been studying BAS vulnerabilities for a few years now. In 2017, he presented\r\nresearch at Black Hat USA on hacking BAS systems. He demonstrated scenarios of how KNX and BACnet,\r\nanother popular BAS technology standard that's used widely in the US, could be abused by attackers.\r\nIn 2018, Forescout's Elisa Costante and her team wrote test malware, including a worm, that they used to expose\r\nsoftware vulnerabilities in some 11,000 BAS devices, including protocol gateways, and programmable logic\r\ncontrollers for HVAC systems and access control. They presented their research at S4x19 in 2019. \r\nHow the Smart Building Hack Happened\r\nThe German engineering firm's BAS system was initially infiltrated via an unsecured UDP port left exposed on\r\nthe public Internet. From there, the attackers — who the Limes team believe were knowledgeable about KNX\r\narchitecture — \"unloaded\" or basically wiped the BAS devices of their functionality, and then set them with the\r\nBCU key, which they locked with a password of their own.\r\nThe BCU key in KNX is for preventing unwanted changes to a device: To make a change, you need the password\r\nto the device. The Limes team asked the engineering firm to ship them a few of their BAS devices so they could\r\nfigure out how to recover the keys. Brute-force hacking would take over a year to pull off, they concluded,\r\nbecause authentication response times are so slow with the devices. \r\n\"The BCU key is actually just a 4-byte string and eight characters,\" Panholzer explains. 
\"One would think 4 bytes\r\nwould be easy to brute-force, but the devices are very slow in answering\" in response, he says.\r\nThey came up with a plan to try to read from the CPU memory on the devices that hadn't set protections for their\r\nCPUs. To narrow their search, they focused on areas in memory where they thought the key would likely be\r\nstored, and brute-forced those for the password. They basically programmed three different images of the device\r\nmemory so they could locate where the address was stored. \r\n\"We could [then] limit the suspected area to a smaller pile of bytes, and fed this to the brute-force\" tool, he\r\nexplains.\r\nThe tools used by Limes Security researchers to recover the hijacked BCU key from the hacked BAS devices.\r\nSource: Limes Security\r\nForty-five minutes later, they unearthed the BCU key. It matched for all four devices — from different vendors\r\n— they had in hand, so they were confident it would work across all of the devices. The engineering firm typed\r\nthe BCU key into their programming software and got the BAS system back up and running within 30 minutes,\r\nafter several weeks of having to manually control lighting and other automated services in the building.\r\nSecurity Gap\r\nThe underlying theme these recent attacks underscore: Many of the professionals who install and manage BAS\r\nsystems like KNX's are not on IT or security teams. Rather, BAS systems are typically the domain of engineers\r\nand building management firms. IT and security teams rarely intersect with BAS operations, and that can be\r\nproblematic.\r\nConsider the European building management firm that contacted Limes Security last week. 
The victims believe\r\nthe attackers got in via an IP gateway that had been temporarily installed in the construction phase of the building.\r\nThe IP gateway \"was supposed to be removed after handing over the building,\" Panholzer notes. \"But it was\r\nforgotten and never deactivated.\"\r\nBrussels-based BAS vendor KNX provides specific security recommendations for organizations that deploy its\r\nsoftware and network standards. These include using a VPN for any Internet-based connections to the system,\r\nsegmenting its KNX IP Backbone network from other IP networks via VLANs, and placing a firewall between the\r\nKNX IP network and other networks.\r\n\"We found good documentation and recommendations\" by KNX on properly securing BAS systems, Panholzer\r\nsays. \"They try to include a lot of security awareness in their material.\"\r\nKNX Association CTO and CFO Joost Demarest said in an email exchange that the organization for years has\r\nbeen providing its customers with security recommendations and warnings against leaving ports open. The\r\norganization has \"repeatedly warned against such habits in KNX installations of port forwarding, amongst others\r\nvia the KNX Security Checklist and the KNX Security Position Paper,\" he said. \"Unfortunately, these habits\r\nseem to still exist in the field.\"\r\nThe company also recently launched a new security awareness campaign for its user community. \r\nFinding exposed BAS systems is as simple as a Shodan scan, notes Stephen Cobb, an independent risk researcher.\r\nThat's likely how the attackers are zeroing in on vulnerable building systems.\r\nWhile BAS attacks to date remain relatively rare, they could be lucrative for cybercriminals, he notes. \"This could\r\nbe a future area of criminal exploitation that's very serious. 
It has all the ingredients to be like ransomware,\" says\r\nCobb, formerly with ESET. \"Unsecured pieces out there can be found and exploited.\"\r\nRansomware and extortion attacks on a BAS could be used to target facility management companies, or more\r\nominously, hospitals, he says. Even so, there are easier methods of extortion today: \"Unsecured RDP and phishing\r\nare yielding just enough targets\" to remain the dominant attack vectors, he notes.\r\nSource: https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems"
	],
	"report_names": [
		"lights-out-cyberattacks-shut-down-building-automation-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775441477,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8abda2b6d054ac543c5f7bd5804cb5bf037b8949.pdf",
		"text": "https://archive.orkl.eu/8abda2b6d054ac543c5f7bd5804cb5bf037b8949.txt",
		"img": "https://archive.orkl.eu/8abda2b6d054ac543c5f7bd5804cb5bf037b8949.jpg"
	}
}