
Installation with 12 lines & >300 devices attacked; 70% of the devices bricked by reprogramming


  • Machinehead
    replies
    Hello,

    now and then we still find a new one:

    00000101

    Best regards.



  • Machinehead
    replies
    Here too, for the sake of completeness:
    BCU Password Hack
    We were able to read out these BCU passwords in the course of the recovery after the big "BCU PW hack".
    The top four were the ones assigned most often.

    Maybe this helps one or the other.

    Best regards.



  • concept
    replies
    Quote from Amokd0c
    the bells no longer hang directly on the internet, but can only be reached via a Virtual Private Network (VPN) in the internal network.

    Since this article I call my girlfriend VPN!



  • Amokd0c
    replies
    the bells no longer hang directly on the internet, but can only be reached via a Virtual Private Network (VPN) in the internal network.

    Sorry,... .. I can't take it any more!!!!!! hihihihihihihihi..... ....
    Last edited by Amokd0c; 18.03.2022, 20:31.



  • vento66
    replies
    Nope, I only found out about it from the radio....



  • GLT
    replies
    Quote from vento66
    I see it the same way. For how many years has it been preached here not to put open ports on the internet. Somehow I have no sympathy at all.
    Were you woken up too?

    https://www.golem.de/news/unsichere-...03-163935.html



  • ziceva
    replies
    Yeah, you are right ... "honeypot" is not the best word to describe what I had in mind ... Specialized data logger describes it better ...



  • concept
    replies
    In my opinion, a honeypot is something that attracts the intruder. But your device is invisible, a specialized data logger, so honeypot is perhaps the wrong name. But anyway, an interesting idea! For a commercial product the device should have a user-friendly interface for reading out, i.e. a USB interface.

    And I'm highly impressed by your work!



  • ziceva
    replies
    Quote from Hennessy
    Your planned honeypot device is nothing else than a logging device specialized for KNX programming messages and with a new password in it. Or do I mix up something?
    Well, it is very possible I am reinventing the wheel, if such loggers already exist (but I do enjoy this conversation because I am learning new things).
    My honeypot device (which at the end of the day is just an exercise for learning more about the subject) would not "exist" on the bus ... it would not have an address of its own, and as such it cannot be locked itself.
    Since it is custom firmware, I can decide what features I implement in it (maybe a commercial device already exists that has these exact features):
    - It only listens (think of the "promiscuous mode" of Ethernet interfaces when tcpdump-ing) for any and all messages it can see, and I can indeed implement whatever filters I want in it (programming messages or otherwise; in this case, just take the passwords and log them to persistent storage).
    - No one can lock it (no one can even address something to it and no one will ever receive something from it, because it has no address to speak of).
    - No one can read anything that was logged in it unless you take it apart and read its memory via JTAG/ICSP (inconvenient, but this is only limited by the 5133 hardware I am using ... had I killed a 5142 I could have used its display for a nice UI while also ensuring that only someone with physical access to the device has access to the logged data; making custom hardware, or just using an Arduino connected to a bus coupler 3, allows for whatever UI to ensure secure access to the logged data).
    Last edited by ziceva; 13.02.2022, 16:34.



  • Hennessy
    replies
    Your planned honeypot device is nothing else than a logging device specialized for KNX programming messages and with a new password in it. Or do I mix up something?

    I'm not sure if general logging would also log such programming messages. A lot of devices already exist on the market that perform general logging of KNX messages.



  • ziceva
    replies
    Quote from Hennessy
    [...]
    As this might not always be the case, it is important to follow the recommendations of the KNXA: https://www.knx.org/knx-en/for-profe...cyber-attacks/
    Not only does it work only in the particular case when the passwords are the same on all devices, it also needs many devices to even begin to work (if you have 10-20 devices, it would take waaay longer), and the devices need to have this particular layout with BCU coupler and comms at a decently high baud rate. And even if you have all this, it still takes a long time.
    Following good security practices is always recommended!

    For what it's worth, I am thinking of even creating a honeypot-like device: during my investigation I killed a 5133 device, but only by mistakenly deleting its firmware (yeah, it was my first time with JTAG also ... 🤦‍♂️ ... ICSP is my go-to programming method for Atmel). I am pretty sure that with the information I have now, I could make my own firmware for this device that only needs to listen (never transmit) and just intercept M_SetKeyRequest frames (for any destination) and save the parsed key into a circular buffer in EEPROM or in the flash itself. Then, there would be a method to recover the last couple of hundred keys (maybe even thousands) that this device has "seen" on the particular branch of the bus it was connected to (by taking it apart again and reading its memory; since the chip was already erased, the lock bits are also cleared). This could be useful if the system was attacked, or the password was simply lost/set by mistake. This device would not be part of the "active" system; it would only be connected somewhere on the bus, and be left to its own business (a secure location would be highly recommended) ...
    So, to put it simply, I would be implementing a simple KNX sniffer, and for this I only need to write some software (the dead 5133 would be the hardware).
    If you are interested in this, I can give updates when (and if!) this works at all.
    Last edited by ziceva; 13.02.2022, 11:59.
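The frame filter that the listen-only key logger described in this post (and in ziceva's other reply above) would need, as an added example and not the poster's firmware: it validates the TP1 check octet of a standard L_Data frame, keeps only A_Key_Write (the post's M_SetKeyRequest) and A_Authorize_Request services addressed to an individual address, and stores what it sees in a bounded buffer so a site can tell which key was written to which device during an attack or a mis-programming. The APCI values 0x3D3 and 0x3D1 are assumed from the KNX application-layer specification, and all sample frames are constructed, not captured from a real bus.

```python
from collections import deque
APCI_AUTHORIZE_REQUEST = 0x3D1  # 10-bit APCIs assumed from the KNX application layer spec
APCI_KEY_WRITE = 0x3D3          # what the post calls M_SetKeyRequest
def tp1_checksum(body: bytes) -> int:
    """TP1 check octet: ones' complement of the XOR over all preceding octets."""
    x = 0
    for b in body:
        x ^= b
    return (~x) & 0xFF

def individual_address(raw: int) -> str:
    return f"{raw >> 12}.{(raw >> 8) & 0xF}.{raw & 0xFF}"

def parse_key_frame(frame: bytes):
    """(src, dst, apci, level, key) for a valid standard L_Data frame carrying
    A_Key_Write or A_Authorize_Request; None for bad checksum, group traffic, other APCIs."""
    if len(frame) < 8 or tp1_checksum(frame[:-1]) != frame[-1]:
        return None                          # truncated or corrupted on the wire
    if not frame[0] & 0x80 or frame[5] & 0x80:
        return None                          # extended frame, or a group address
    length = frame[5] & 0x0F                 # TPDU length minus one
    tpdu = frame[6:7 + length]
    if len(tpdu) != length + 1 or length < 6:
        return None                          # key services carry 1 level + 4 key octets
    apci = ((tpdu[0] & 0x03) << 8) | tpdu[1]
    if apci not in (APCI_KEY_WRITE, APCI_AUTHORIZE_REQUEST):
        return None
    src = individual_address(int.from_bytes(frame[1:3], "big"))
    dst = individual_address(int.from_bytes(frame[3:5], "big"))
    return (src, dst, apci, tpdu[2], int.from_bytes(tpdu[3:7], "big"))

def collect_keys(frames, capacity: int = 256) -> deque:
    """Bounded log of the last `capacity` key events: the post's circular buffer."""
    log = deque(maxlen=capacity)
    for frame in frames:
        ev = parse_key_frame(frame)
        if ev is not None:
            log.append(ev)
    return log

def _frame(body: bytes) -> bytes:              # append the check octet
    return body + bytes([tp1_checksum(body)])
# Constructed sample traffic (not captured from a real bus):
# A_Key_Write 1.1.250 -> 1.1.7, T_Data_Connected seq 0, level 0, key 0xCAFEF00D
KEY_WRITE_FRAME = _frame(bytes([0xB0, 0x11, 0xFA, 0x11, 0x07, 0x66,
                                0x43, 0xD3, 0x00, 0xCA, 0xFE, 0xF0, 0x0D]))
# ordinary A_GroupValue_Write to 1/0/1 with value 1: ignored by the logger
GROUP_WRITE_FRAME = _frame(bytes([0xBC, 0x11, 0x01, 0x08, 0x01, 0xE1, 0x00, 0x81]))
# the key write with one key bit flipped in transit: rejected by the check octet
CORRUPT_FRAME = KEY_WRITE_FRAME[:-2] + bytes([KEY_WRITE_FRAME[-2] ^ 1]) + KEY_WRITE_FRAME[-1:]
```

Feeding real bus captures into `collect_keys` would require a TP1 interface that exposes raw frames; the parser itself is independent of how the octets are obtained.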



  • Hennessy
    replies
    Thanks for sharing, and I'm very impressed by your reverse engineering skills.

    This highly parallelized brute-forcing attack does however only work if the password is the same. Luckily in this case the password was the same on all devices.

    As this might not always be the case, it is important to follow the recommendations of the KNXA: https://www.knx.org/knx-en/for-profe...cyber-attacks/



  • PhilW
    replies
    speechless...



  • Andreas
    replies
    ... crazy



  • Beleuchtfix
    replies
    Impressive way to start out in the KNX world and a great first post in this forum. Thanks a lot.
    Regards, Florian

