KNX Protocol

MonitorCVSS 7.5ICS-CERT ICSA-23-236-01Aug 24, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

KNX devices using Connection Authorization Option 1 Style without a BCU Key set can be exploited by attackers with network access to lock out legitimate users. Once access is restricted, there is no built-in recovery mechanism to restore user access to the device. This affects all versions of susceptible KNX devices, and no firmware patch is available from the vendor. The vulnerability has been observed in active exploitation. The only protective measure is to set a BCU Key during project configuration before deployment and to isolate KNX networks from Internet and untrusted network access.

What this means

What could happen

An attacker who gains access to a KNX device without a BCU Key set can lock out legitimate users from that device with no built-in recovery method, potentially disrupting building automation and control functions.

Who's at risk

Building automation integrators, installers, facility managers, and building owners who deploy KNX-based control systems are affected. This includes anyone managing smart building infrastructure, climate control systems, lighting automation, or occupancy-based building controls that rely on KNX devices.

How it could be exploited

An attacker with network access to a KNX device configured with Connection Authorization Option 1 Style and no BCU Key can authenticate and change the device settings to deny legitimate access. This locks out administrators and operators from the device without a straightforward reset procedure.

Prerequisites

Network access to the KNX device
KNX device using Connection Authorization Option 1 Style
No BCU Key currently set on the target device

Remotely exploitableNo authentication required when BCU Key not setLow attack complexityNo patch availableActively exploited in the wildAffects building automation and control systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set: *All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGSet the BCU Key in every KNX project before commissioning, and include the BCU Key in project documentation handed over to building owner

HARDENINGIsolate KNX networks behind firewalls and ensure they are not reachable from the Internet or business networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGReview and follow the KNX Secure Checklist to implement recommended IT security guidelines for KNX deployments

HARDENINGIf remote access to KNX devices is required, enforce it only through secure VPN connections and keep VPN software updated

CVEs (1)

CVE-2023-4346

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d6c5ef81-90c3-4cdb-98c4-485b68a1767e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.