In this article we will discuss Hacking ZigBee networks.
Introduction to Hacking ZigBee networks:
What is ZigBee?
The Internet of Things (IoT) is what most experts consider the next step of the Internet revolution, where physical objects are always connected to the real and virtual worlds at the same time. Connected devices now have the ability to communicate with each other over wireless channels, and ZigBee is the leading wireless communication standard applicable to IoT devices.
Thus, ZigBee is an open global wireless standard designed to address the unique needs of intelligent communication between devices. It allows a wide variety of smart home applications to connect to the Internet (e.g. cloud service) and be controlled/monitored via ZigBee-enabled remote control. Compared to other wireless standards, ZigBee seems to be the best choice for a smart home:
|ZigBee / 802.15.4||GSM||Wi-Fi / 802.11||Bluetooth / 802.15.1|
|Focus||Sensor Network / Low Power||Wide AreaVoice and Data||High Speed Internet||Device Connectivity|
|Battery Life||years||1 week||1 week||1 week|
|Bandwidth||250 Kbps||Up to 2 Mbps||Up to 54 Mbps||720 Kbps|
|Range||Up to 100 Meters||Several Kilometres||100+ Meters||10+100 Meters|
|Advantages||Low Power,Low Cost||Existing Infrastructure||Speed,Ubiquity||Convenience|
To illustrate: “ZigBee transmissions require 1/1000 or less of the power required for Wi-Fi transmission (What Smart Home and IoT Device Manufacturers Need to Know About ZigBee 3.0 by Cees Links).”
Advantages of favoring ZigBee over other standards: low consumption/long battery life, support for a significant number of nodes in a single network (up to 65,000), simplified deployment, low cost, and worldwide use.
The ZigBee standard works beyond the IEEE 802.15.4 physical radio specification. The complete ZigBee protocol stack:
ZigBee is based on either a star or a mesh topology. The mesh topology expands the reach of networks and eliminates single points of failure. Some experts deem that its reliability increases with its growth – the more devices are connected, the better.
Overall, the creators of ZigBee have ensured this, but there is ample evidence to the contrary. Factors such as cheap units, usability and compatibility take precedence over security implementation, at least that’s the opinion of several security researchers. This paper presents some breakthrough findings regarding the security of ZigBee networks.
Security issues in ZigBee
Making the ZigBee standard hack-proof is essential to ensure secure networks, frame security, key transfer, and provisioning. Security is implemented in the network and application support sublayer (APS), which is a sublayer of the application layer. Cryptographic protection is enabled when different devices in a ZigBee network communicate with each other. Therefore, it is essential that encryption keys are always properly secured. There are two types of security keys:
A network key is a 128-bit key distributed and shared between each device on a network to secure transmissions.
The link key, also 128-bit, serves as a means of securing unicast communication at the application layer and is shared only between two devices.
The security of ZigBee networks depends on the assumption that the keys are stored securely and the devices have pre-installed symmetric keys so that they will not be transmitted in an unencrypted form.
However, the exception to the general rule is the way fortresses are seized – in this case, when a new and non-preconfigured device enters the network, a single unprotected key is likely to be sent to enable encrypted communication. Therefore, the storage of encryption keys, which is critical, will endanger the security of the entire network. Despite this, the time frame for such a security compromise is seemingly narrow; a hacker could use various techniques to exploit this vulnerability (see the “Empirical Evidence of ZigBee Vulnerability” section).
Another way to break into ZigBee networks is to physically access certain types of smart home devices, such as temperature sensors and light switches. Due to their low cost and limited capabilities, it is believed that their hardware is not tamper-proof, which could be enough for an attacker to touch privileged information.
Types of theoretical attacks against ZigBee
ZigBee and the 802.15.4 protocol were designed with security in mind, but security is sometimes not well implemented by developers. Possible attacks can generally be divided into three categories: physical, key, and replay/injection.
Direct physical interaction can prove detrimental to the integrity of a targeted ZigBee network. In fact, many radios located on this network use a hard-coded encryption key loaded into RAM as soon as the device is powered up. Since the keys are distributed, flashed, on all devices in the ZigBee network, the probability of key exchange is very low. Armed with this knowledge, hackers can resort to setting up special serial interfaces on ZigBee devices to capture encryption keys moved from flash to RAM during power-up.
This exploit can be done using various low-cost and open source tools such as GoodFet and Bus Pirate: “By physically connecting to a ZigBee device via a simple serial interface such as Bus Pirate, an attacker can expose the security of the entire ZigBee network and potentially intercept and alter data.”
Remote attacks aimed at obtaining encryption keys are possible due to a methodology known as OTA (Over the Air) key delivery and pre-shared keying, which is immanent to ZigBee. OTA is typically used with more sophisticated ZigBee networks to provide better security and updates. Its security protection can be bypassed by using a device that mimics a ZigBee node and picks up the transmissions exchanged between internal devices; these packets can be analyzed or decrypted later. An attack of this kind will be almost impossible to detect. KillerBee is a toolkit combining hardware and software that efficiently captures and analyzes 802.15.4 packets.
Remote attacks are also characterized by high stealth, and the intruder can even extend the range of coverage by creating high-power transmitters or special Yagi antennas.
Replay and injection attacks
This is a key attack combined with packet replay and/or injection to trick a ZigBee device into performing unauthorized actions. ZigBee units are particularly vulnerable to these attacks because they feature a lightweight protocol design with weak replay protection. Thus, captured packets from ZigBee nodes are sent back in a replay attack scenario to make it appear as if they originated from the original node. The minimal inspection of the session by the ZigBee units will not be enough to detect the deception and the network will treat the traffic as if it came from a valid node (More about replay attacks on ZigBee networks here).
Empirical Evidence of ZigBee Vulnerability
Austrian security researchers Tobias Zillner and Sebastian Strobl of Cognosec revealed details of major security vulnerabilities in ZigBee networks at Black Hat USA 2015 in Las Vegas.
Application profiles are a unified feature of ZigBee devices manufactured by different vendors that allows all these different devices to communicate. An example of an application profile could be the ZigBee Home Automation Public Application Profile (HAPAP) designed to exchange control messages between wireless home automation applications – for example, commands to turn on/off a smart lamp or send a warning signal if an occupancy sensor detects movements.
All certified devices from each manufacturer should be able to use the standard interface and operability of this profile, but the key moment here is when an unconfigured device first joins the ZigBee network. According to Austrian experts, the way the TC link default key works poses a security threat to network key secrecy. This fallback mechanism is activated “when the connecting device is unknown or has no specific authorization associated with it”. The moment when a device connects to the ZigBee network via the default TC link key is therefore critical, as it could lead to the compromise of the network key and hence the confidentiality of all network communication.
In their report, Austrian researchers promoted SecBee – a new ZigBee security testing tool based on killerbee and scapy-radio. They deployed it to assess the security of real-life devices such as a home automation system, a ZigBee-enabled door lock, and a smart lighting solution. All three were characterized by simplified setup and use, but also by the fact that the pairing process between configured and unconfigured devices lacks security robustness. Although the time frame for sniffing a swapped network key is very limited, directing the hacking maneuver through the user level, i.e. directly attacking the user, can overcome this obstacle. The entire hacking attack develops as follows:
Signal Jamming – ZigBee is designed for energy saving and low power communication, and targeting a ZigBee channel with noise will easily disable communication;
Re-pair to restore connection
Reconfiguration – a typical ignorant user who notices a loss of connection will try to reconnect, usually by pressing a button on the remote control for example;
- Obtaining the transmitted network key – As mentioned above, if the user is successfully targeted, the hacker will use the spoofing to their advantage and sniff the key;
- The attacker takes control of the system because the entire security depends on the secrecy of the key.
The bad news doesn’t end there. The tested home automation system has no setting that can reset or change the network key used; therefore, the average user cannot lock out the intruder.
A smart lighting solution is also vulnerable to a malicious attack. Unlike the previous case, hijacking smart bulbs and connecting them to a fake network does not require knowing the active secret keys. Bulbs are always sending requests to the beacon trying to find a new network to join. By sending the “reset to factory default” command, the hacker makes the bulb search for ZigBee networks, which automatically connects to the first available network without even interacting with the user.
Additionally, this ZigBee-specific network quality can be used for localization purposes. Praetorian security expert Paul West Jauregui explains: “When [IoT devices] communicate over a wireless protocol called ZigBee, the protocol is open at the network level. Therefore, when devices start connecting, they broadcast beacon requests. We get data based on that.”
As part of the so-called “Internet of Things Map Project”, this Texas-based IT security firm has successfully created a searchable database – Shodan – the first search engine for Internet-connected devices. It might be interesting to mention that the information for Shodan is collected through a flying drone with a custom-made tracking system capable of sniffing the data transmitted by IoT devices. To illustrate its effectiveness, the researchers report that the drone was able to locate nearly 1,600 Internet-connected devices during an 18-minute flight (see a map of Austin, TX here).
Not long before Cognosec’s research was published – less than a month – Tripwire reported security flaws in smart home hubs. Smart hubs act as links to home networks to control lighting, locks and cameras.
A 2013 paper by Nitesh Dhanjani showed how Philips Hue bulbs are “highly hackable” due to their control portal, referred to as a “bridge”, which relies on a weak authentication system to exchange wireless communications with other devices. The MAC address of the bridge in its communications was easily discovered by Dhanjani when he injected malware into the bridge via a malicious website. This completed the takeover of the targeted Hue bulb – Dhanjani was able to turn the smart bulb on and off regardless of the actual position of the switch whenever he wanted.
One valuable presentation on ZigBee hacking, “I’m a Newbie, But I Can Hack ZigBee – Take Unauthorized Control of ZigBee Devices,” by Li Jun and Yang Qing from Qihoo360’s Unicorn Team, tells how a ZigBee-enabled device became a victim of hackers. using firmware-based encryption keys.
It is predicted that by 2022 there will be more than 500 smart devices per household. Home automation raises serious privacy concerns because it generates vast amounts of data that can be linked to a person. Vendors must address security and privacy issues as soon as possible to mitigate threats.
ZigBee is a reliable standard if properly applied. However, this article has shown that for some reason the reality is sometimes different. In this regard, Tobias Zillner of Cognosec concludes:
“The flaws and limitations […] discovered in ZigBee were created by the manufacturers. Companies want to create the latest and greatest products, which today means they are likely to be connected to the Internet. Simple units such as light switches must be compatible with a wide range of other devices and, unsurprisingly, little consideration is given to security requirements – most likely to keep costs low. Unfortunately, the security risk in this last-level wireless communication standard can therefore be considered very high.”
Ms. Smith summarized very well what security measures Zillner believes need to be taken on the implementation side:
- Bowers, B. (2012). ZigBee Wireless Security: A New Age Penetration Tester’s Toolkit.
- Condliffe, J. (2013). Philips Hue Light Bulbs Are Highly Hackable.
- Dhanjani, N. (2013). Hacking Lightbulbs.
- Hayes, J. (2015). Zigbee’s wireless security flaws threatens IoT devices.
- Kumar, M. (2015). How Drones Can Find and Hack Internet-of-Things Devices From the Sky.
- Leyden, J. (2015). Cyber poltergeist threat discovered in Internet of Stuff hubs.
- Links, C. (2015). What Smart Home and IoT Devices Makers Need to Know about ZigBee 3.0.
- Meyer, R. (2012). Security Issues and Vulnerability Assessment of ZigBee Enabled Home Area Network Implementations.
- Ms. Smith (2015). Researchers exploit ZigBee security flaws that compromise security of smart homes.
- Pullen, J.P. (2015). Everything You Need to Know About Smart Home Networking.
- The Register (2015). Researchers make SHODAN of the skies to probe internet-of-things.
- Zillner, T. (2015). ZigBee Exploited: The good, the bad and the ugly. Available at(10/15/2015)
- The table in this article is based on “Table 3 Wireless technology comparison” that can be found on p. 15 of “Security Issues and Vulnerability Assessment of ZigBee Enabled Home Area Network Implementations” by Roger Meyer
- In the drone image is used “Darstellung der von Taifun Haiyan betroffenen Gebäude”