BACnet

Login portal for Mediphyd HVAC.

Looking for BACnet devices.

Setup ARP spoof between the controller and unknown device.

Filtering traffic to investigate the unknown device.

Viewing the NPDU layer.

Viewing the APDU in other packets reveals that the present value fluctuates within a narrow range. This raises the suspicion that the value is a temperature reading.

BACnet Rogue Master

This tool returns the same information we found in Wireshark: the device ID and the analog-input object ID.

Read all properties of an object.

The avenue of attack is to write a low temperature value to the sensor, which would convince the air-conditioning system that it never needs to run because the room is already cold.

This doesn't work directly because the Present_Value of an AnalogInput is read-only. But it is possible to set the Out_Of_Service property to true, which makes Present_Value writable.

We can now convince the air-conditioning system that it is 0 degrees and overheat the server.
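The Out_Of_Service sequence above is exactly the pattern a monitoring point on the building-automation segment should be watching for: a WriteProperty that flips Out_Of_Service on an analog input, followed by a WriteProperty to its Present_Value. The following Python decoder is an added example, not part of the lab write-up or the BACnet Rogue Master tool. It parses the BVLC, NPDU and confirmed-request APDU layers of BACnet/IP frames and raises an alert for those two writes. The packet bytes are constructed by hand from the BACnet encoding rules (context tag 0 object identifier, context tag 1 property identifier, application-tagged value inside context tag 3); the object instance number 0 and the invoke IDs are placeholders, not values from the lab.

```python
"""Decode BACnet/IP confirmed requests and flag the Out_Of_Service override pattern.

Added example. The sample frames at the bottom are constructed from the BACnet
encoding rules (ASHRAE 135); they are not captures from the lab network.
"""
import struct

# Object types and property identifiers from the BACnet standard
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value", 8: "device"}
PROPERTY_IDS = {75: "object-identifier", 77: "object-name", 81: "out-of-service", 85: "present-value"}
SERVICE_READ_PROPERTY = 12
SERVICE_WRITE_PROPERTY = 15


def _tag(pkt, pos):
    """Return (tag_number, is_context, length_or_type, next_pos) for the tag at pos."""
    b = pkt[pos]
    tag_num, is_ctx, lvt = b >> 4, bool(b & 0x08), b & 0x07
    pos += 1
    if tag_num == 15:            # extended tag number in the next byte
        tag_num, pos = pkt[pos], pos + 1
    if lvt == 5:                 # extended length in the next byte
        lvt, pos = pkt[pos], pos + 1
    return tag_num, is_ctx, lvt, pos


def _app_value(pkt, pos):
    """Decode one application-tagged value (null, boolean, unsigned, signed, real, enumerated)."""
    tag_num, is_ctx, lvt, pos = _tag(pkt, pos)
    if is_ctx:
        raise ValueError("expected an application tag")
    if tag_num == 0:
        return None, pos
    if tag_num == 1:             # boolean: the value is carried in the length field
        return bool(lvt), pos
    raw = pkt[pos:pos + lvt]
    pos += lvt
    if tag_num in (2, 9):        # unsigned / enumerated
        return int.from_bytes(raw, "big"), pos
    if tag_num == 3:             # signed
        return int.from_bytes(raw, "big", signed=True), pos
    if tag_num == 4:             # real (IEEE 754 single precision)
        return struct.unpack(">f", raw)[0], pos
    raise ValueError("unsupported application tag %d" % tag_num)


def parse_request(pkt):
    """Parse BVLC + NPDU + a confirmed ReadProperty/WriteProperty APDU into a dict."""
    if len(pkt) < 4 or pkt[0] != 0x81:
        raise ValueError("not a BACnet/IP frame")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("BVLC length mismatch")
    pos = 10 if pkt[1] == 0x04 else 4            # Forwarded-NPDU carries a 6-byte B/IP address
    control = pkt[pos + 1]                        # NPDU: version byte, then control byte
    pos += 2
    if control & 0x80:
        return {"kind": "network-layer-message"}
    if control & 0x20:                            # DNET / DLEN / DADR present
        pos += 3 + pkt[pos + 2]
    if control & 0x08:                            # SNET / SLEN / SADR present
        pos += 3 + pkt[pos + 2]
    if control & 0x20:                            # hop count follows the address fields
        pos += 1
    if pkt[pos] >> 4 != 0:                        # only Confirmed-Request PDUs are decoded here
        return {"kind": "apdu", "pdu_type": pkt[pos] >> 4}
    req = {"kind": "confirmed-request", "invoke_id": pkt[pos + 2], "service": pkt[pos + 3]}
    pos += 4
    # Context tag 0: object identifier (type in the top 10 bits, instance in the low 22)
    tag_num, is_ctx, length, pos = _tag(pkt, pos)
    if not (is_ctx and tag_num == 0 and length == 4):
        raise ValueError("expected object identifier")
    oid = struct.unpack(">I", pkt[pos:pos + 4])[0]
    pos += 4
    req["object_type"], req["instance"] = oid >> 22, oid & 0x3FFFFF
    # Context tag 1: property identifier
    tag_num, is_ctx, length, pos = _tag(pkt, pos)
    if not (is_ctx and tag_num == 1):
        raise ValueError("expected property identifier")
    req["property"] = int.from_bytes(pkt[pos:pos + length], "big")
    pos += length
    if req["service"] == SERVICE_WRITE_PROPERTY and pos < len(pkt):
        tag_num, is_ctx, lvt, pos = _tag(pkt, pos)
        if is_ctx and tag_num == 2:               # optional array index
            req["array_index"] = int.from_bytes(pkt[pos:pos + lvt], "big")
            pos += lvt
            tag_num, is_ctx, lvt, pos = _tag(pkt, pos)
        if not (is_ctx and tag_num == 3 and lvt == 6):
            raise ValueError("expected opening tag for property value")
        req["value"], pos = _app_value(pkt, pos)
        pos += 1                                  # closing tag 3
        if pos < len(pkt):                        # optional context tag 4: priority
            tag_num, is_ctx, lvt, pos = _tag(pkt, pos)
            if is_ctx and tag_num == 4:
                req["priority"] = pkt[pos]
    return req


def audit(pkt):
    """Return alert strings for WriteProperty requests that match the override pattern."""
    req = parse_request(pkt)
    if req.get("kind") != "confirmed-request" or req["service"] != SERVICE_WRITE_PROPERTY:
        return []
    obj = "%s:%d" % (OBJECT_TYPES.get(req["object_type"], req["object_type"]), req["instance"])
    alerts = []
    if req["object_type"] == 0 and req["property"] == 81 and req["value"] is True:
        alerts.append("%s: Out_Of_Service set TRUE (sensor decoupled from its physical input)" % obj)
    if req["object_type"] == 0 and req["property"] == 85:
        alerts.append("%s: Present_Value overwritten with %r" % (obj, req["value"]))
    return alerts


# Constructed sample frames (placeholder instance 0, invoke IDs 1-3), not lab captures
READ_PV = bytes.fromhex("810a0011 0104 0005010c 0c00000000 1955")
WRITE_OOS = bytes.fromhex("810a0016 0104 0005020f 0c00000000 1951 3e113f 4910")
WRITE_PV = bytes.fromhex("810a0018 0104 0005030f 0c00000000 1955 3e4400000000 3f")

if __name__ == "__main__":
    for frame in (READ_PV, WRITE_OOS, WRITE_PV):
        for line in audit(frame):
            print("ALERT", line)
```

Run stand-alone, the script prints one alert for the Out_Of_Service write and one for the Present_Value write, and nothing for the ReadProperty that preceded them. In practice the two alerts should be correlated: Out_Of_Service going TRUE on an input object from any source other than the building-management workstation, followed within seconds by a Present_Value write, is a far stronger signal than either event on its own.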
