12/03/2024
By Christopher Morales-Gonzalez
The Kennedy College of Sciences, Department of Computer Science, invites you to attend a doctoral dissertation proposal defense by Christopher Morales-Gonzalez on "Towards Secure Building Automation: Analyzing Protocol Vulnerabilities and Developing an Innovative Fuzzing Tool."
Date: Friday, Dec. 6, 2024, 9:30 to 10:30 a.m.
Location: This will be an in-person defense at Wannalancit Mills (600 Suffolk St.), Suite 445.
Committee Members:
Xinwen Fu (Advisor), Ph.D., Professor, Graduate Coordinator for Ph.D. Programs, Miner School of Computer & Information Sciences.
Benyuan Liu (Member), Ph.D., Professor, Director, Miner School of Computer & Information Sciences, UMass Center for Digital Health (CDH), Computer Networking Lab, CHORDS
Claire Lee (Member), Ph.D., Associate Professor, School of Criminology and Justice Studies, Center for Asian American Studies, Center for Terrorism & Security Studies
Abstract:
Building Automation Systems (BASs) are pivotal in modern infrastructure, automating key functions such as climate control, lighting and entry systems. However, many BASs rely on outdated communication protocols developed without robust security considerations, making them vulnerable to attacks. The increasing global adoption of these systems amplifies the urgency to address their security shortcomings. Current research is often fragmented, overlooking the critical interplay between BAS software, firmware, and communication protocols, leaving significant gaps in understanding the security posture of both legacy and emerging BAS technologies.
This thesis presents a comprehensive examination of BAS security, focusing on the unique challenges posed by both wired and wireless BAS networks. The study explores BASs as integrated systems, analyzing their vulnerabilities and security requirements in the context of modern automation. A detailed survey is conducted on seven widely used protocols—BACnet, EnOcean, KNX, LonWorks, Modbus, ZigBee, and Z-Wave—categorized into wired and wireless BAS communication methods. The survey identifies key weaknesses across these protocols, examines how newer secure protocols like BACnet Secure Connect and KNX Data Secure enhance security, and highlights persistent challenges. To contextualize these findings, a real-world case study demonstrates vulnerabilities in a BAS deployment and provides actionable recommendations derived from the survey. By consolidating disparate research and addressing the broader security posture of BASs, this work offers a cohesive understanding of the evolving threat landscape and identifies critical directions for future research.
In addition to the survey, this thesis introduces KNX Bus Dump, a tool designed to record and decode non-IP-based KNX traffic. This tool addresses a significant limitation in existing analysis platforms like Wireshark, which cannot process non-IP KNX traffic. By enabling developers to examine actual network communications, KNX Bus Dump provides a means to identify vulnerabilities and improve the security posture of KNX-based BAS deployments. These contributions emphasize the need for practical tools tailored to BAS-specific challenges.
While these tools and analyses address immediate needs, a critical gap remains in testing BASs for robustness against unknown threats. This thesis explores the paradigm shift of applying fuzzing, a method of fault discovery through unexpected inputs, to BAS protocols. Initial experiments with black-box fuzzing uncovered two significant bugs in devices released in 2023 and 2024, demonstrating the feasibility of this approach. However, traditional fuzzers lack the adaptability required for BAS protocols, which are complex and often proprietary.
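As an added illustration of what decoding non-IP KNX traffic involves, and of how a black-box fuzzer can derive test cases from a captured telegram, the Python below is example code written for this page; it is not code from KNX Bus Dump, from the fuzzing experiments, or from the thesis. It parses the KNX TP1 standard-frame layout (control octet, source and destination addresses, NPCI/length octet, TPDU, inverted-XOR check octet) and then mutates a telegram while repairing the check octet so the mutated bytes survive the link-layer integrity check and reach a device's application layer. The sample telegram (individual address 1.1.1 writing the 1-bit value 1 to group address 1/2/3), the helper names and the mutation strategy are all constructed for this example.

```python
"""Decode KNX TP1 standard telegrams and derive black-box fuzz cases from them.

Added example for this page, not code from KNX Bus Dump or the thesis.  The
frame layout and check octet follow the KNX TP1 standard-frame format; the
sample telegram below is constructed (1.1.1 writes value 1 to group 1/2/3).
"""
import random
from dataclasses import dataclass

# 4-bit APCI codes of the group-communication services used in most BAS traffic.
APCI_NAMES = {0: "GroupValue_Read", 1: "GroupValue_Response", 2: "GroupValue_Write"}
# Control-octet priority bits (bits 3-2).
PRIORITY = {0b00: "system", 0b10: "urgent", 0b01: "normal", 0b11: "low"}


@dataclass
class Telegram:
    priority: str
    repeated: bool
    src: str           # individual address  area.line.device
    dst: str           # group address main/middle/sub, or an individual address
    dst_is_group: bool
    hop_count: int
    apci: str
    data: bytes


def knx_checksum(body: bytes) -> int:
    """TP1 check octet: inverted XOR of every preceding octet."""
    x = 0
    for b in body:
        x ^= b
    return (~x) & 0xFF


def individual_address(raw: int) -> str:
    return f"{raw >> 12}.{(raw >> 8) & 0xF}.{raw & 0xFF}"


def group_address(raw: int) -> str:
    return f"{raw >> 11}/{(raw >> 8) & 0x7}/{raw & 0xFF}"


def decode(frame: bytes) -> Telegram:
    """Parse a standard (non-extended) TP1 frame; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for a standard telegram")
    if knx_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad check octet")
    ctrl = frame[0]
    if not ctrl & 0x80:
        raise ValueError("extended frames are not handled here")
    src = int.from_bytes(frame[1:3], "big")
    dst = int.from_bytes(frame[3:5], "big")
    npci = frame[5]
    is_group = bool(npci & 0x80)
    length = npci & 0x0F               # number of TPDU octets minus one
    tpdu = frame[6:-1]
    if len(tpdu) != length + 1:
        raise ValueError(f"length field {length} does not match {len(tpdu)} TPDU octets")
    # TPCI sits in bits 7-2 of the first TPDU octet; the 4-bit APCI straddles
    # the low two bits of that octet and the high two bits of the next one.
    apci = ((tpdu[0] & 0x03) << 2) | (tpdu[1] >> 6)
    # Values of up to 6 bits ride inside the APCI octet; larger values follow it.
    data = bytes([tpdu[1] & 0x3F]) if length == 1 else tpdu[2:]
    return Telegram(
        priority=PRIORITY[(ctrl >> 2) & 0x3],
        repeated=not (ctrl & 0x20),     # bit 5 set means "not a repetition"
        src=individual_address(src),
        dst=group_address(dst) if is_group else individual_address(dst),
        dst_is_group=is_group,
        hop_count=(npci >> 4) & 0x7,
        apci=APCI_NAMES.get(apci, f"APCI_{apci:#x}"),
        data=data,
    )


def is_well_formed(frame: bytes) -> bool:
    try:
        decode(frame)
        return True
    except ValueError:
        return False


# Constructed sample: 1.1.1 -> 1/2/3, GroupValue_Write, 1-bit value 1, check octet 0x3A.
SAMPLE = bytes.fromhex("BC 11 01 0A 03 E1 00 81 3A")


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """One black-box fuzz case: flip bits in the header or payload, optionally
    grow the TPDU, then recompute the check octet so the telegram is not thrown
    away by the link layer before the mutated fields reach the application."""
    body = bytearray(frame[:-1])
    for _ in range(rng.randint(1, 3)):
        i = rng.randrange(len(body))
        body[i] ^= 1 << rng.randrange(8)
    if rng.random() < 0.3:
        body += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(body) + bytes([knx_checksum(body)])


def fuzz_cases(seed: int, n: int) -> list[bytes]:
    rng = random.Random(seed)
    return [mutate(SAMPLE, rng) for _ in range(n)]


if __name__ == "__main__":
    print(decode(SAMPLE))
    for case in fuzz_cases(1, 8):
        try:
            t = decode(case)
            print(case.hex(), "->", t.apci, t.dst, t.data.hex())
        except ValueError as e:
            print(case.hex(), "-> rejected:", e)
```

Two points worth noting when reading the output: a mutated length octet or a grown TPDU is rejected by this decoder, which is the behaviour one hopes a device's own parser has, and the point of repairing the check octet is precisely to find devices whose parsers do not. Extended frames and the KNX Data Secure wrapper are outside what this example parses.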
To address this gap, this thesis proposes a novel tool that extends the WinAFL fuzzer to perform coverage-guided fuzzing of Java programs on Windows. Java remains a major programming language for building management software, an enticing target, so such systems should be thoroughly tested for software bugs. This work pursues two goals: first, to improve BAS security as a whole by opening a new avenue for testing; second, to provide a foundational advance for fuzzing methodologies and tools in broader cybersecurity contexts by enabling fuzzing of Java-based programs running on Windows systems.