On Automating BACnet Device Discovery and Property Identification

2021 
BACnet is the most popular inter-communication protocol in building automation systems (BAS) and has been deployed at a large scale. It is critical to scan a BAS and perform risk analysis of it. Existing work identifies BACnet devices manually and does not go on to discover their properties. In this paper, we design and implement an automatic tool that identifies a BACnet device at a given IP and enumerates both standard and vendor-defined BACnet objects and properties. We applied our tool to a real-world testbed BAS on a university campus and successfully validated the tool's effectiveness. Our tool is the first of its kind for risk assessment of a BAS, e.g., automatically scanning open smart buildings on the Internet. The video at https://youtu.be/YUfO8GQILxQ demonstrates that our toolkit may be used to remotely move, from the Internet, a damper controlling a building's heating, ventilation, and air conditioning (HVAC) system, and it justifies the importance of using our tool for penetration testing of a BAS.