By Tony Lee
Introduction
In our previous articles, we have covered quite a bit of 802.11 hacking:
Hidden SSID: http://securitysynapse.blogspot.com/2014/01/wireless-pentesting-on-cheap-kali-hiddenSSID.html
MAC Filtering: http://securitysynapse.blogspot.com/2014/02/wireless-pentesting-on-cheap-kali-MACFiltering.html
WPA-Enterprise Part I: http://securitysynapse.blogspot.com/2014/02/wireless-pentesting-on-cheap-kali-WPAEntPartI.html
WPA-Enterprise Part II: http://securitysynapse.blogspot.com/2014/03/wireless-pentesting-on-cheap-kali-WPAEntPartII.html
This time, let's explore a different wireless medium: ZigBee! In this series we will look at the following:
- Why Zigbee matters
- Background/history
- Hardware
- Software
- Passive attacks
- Firmware upgrades
- Active attacks
A good deal of research has already been completed, so we give a head nod to all who have pioneered this space. But there truly is nothing like trying it yourself. A word of warning: the documentation is at times lacking (unless source code counts). Hopefully this series will give you some key tidbits that help you get up and running faster.
Friendly reminder: as always, use this information responsibly. Make sure you own the equipment prior to experimentation and learning. We do not condone malicious intentions, are not responsible for your actions, and will not bail you out of jail.
Why ZigBee matters
The primary reason ZigBee matters is that it lets you control the physical environment over a wireless medium. This mostly applies to embedded device applications such as home automation and the Internet of Things (IoT), but it also extends to more sensitive applications such as SCADA equipment.
Here are some categories and examples of how ZigBee is used in the world around you:
- Sensors: temperature, humidity, water
- Control: lighting, HVAC, appliances, power
- SCADA specific: smart meters (electricity, water, gas)
Figure 1: The Zen Thermostat is an example of a ZigBee capable device
Figure 2: Diagram of ZigBee Alliance smart meters
One of the most useful things about wireless technologies, from an assessor's point of view, is that vendors are usually proud to announce the details of their usage, to the extent that product sheets list the protocol, the protection in use, and the chosen frequency. That is exactly the information you need before picking a sniffer and a channel to listen on.
Quick Background
ZigBee is an IEEE 802.15.4-based specification designed to create low-rate Personal Area Networks (PANs): 802.15.4 supplies the physical and MAC layers, and ZigBee adds the network and application layers on top. This PAN differs from others such as Bluetooth because it is designed to be simpler and cheaper. ZigBee is also designed for lower power consumption. In fact, the battery must last at least 2 years for a device to meet ZigBee certification standards, and many home automation devices advertise 5+ year battery life. The transmission distance is anywhere from 10-100 meters per hop, or more once you consider the built-in mesh support, which lets routing devices relay traffic beyond a single radio's reach.
Brief History
ZigBee has been around for quite some time, in fact over a decade. The following bullets summarize the major milestones. For more information, visit the ZigBee wiki page found here: https://en.wikipedia.org/wiki/ZigBee
- 2003-2004: IEEE 802.15.4-2003 published; the first ZigBee specification was ratified in December 2004
- ZigBee 2006: added encryption support
- ZigBee 2007 / ZigBee PRO: compatible with 2006; "Trust Center" security model, etc.
Frequencies
The choice of ZigBee frequency depends first on geographic location and then on the application, since the bands propagate differently. For example, much of the home automation/IoT space uses the 2.4 GHz band, while some outdoor applications favor the sub-GHz 915 MHz band for its better range. Geographically, the bands are assigned as follows:
- 2.4 GHz - Worldwide (16 channels, numbered 11-26, 250 kbit/s)
- 915 MHz - US/Australia (10 channels, numbered 1-10)
- 868 MHz - Europe (1 channel, number 0)
- 784 MHz - China
The channel numbering matters in practice: a 2.4 GHz sniffer only hears one of the 16 channels at a time, so you either need to know the network's channel from the vendor documentation or scan all of them.
Encryption
ZigBee uses 128-bit AES, applied in CCM* mode so that a frame is both encrypted and carries a message integrity code (MIC) that detects tampering. Each protected frame also carries a 32-bit frame counter that feeds the nonce and lets a receiver reject replays. Two kinds of key are used for communication. A network key is shared by every device on the PAN and protects all network-layer traffic, including broadcasts, while a link key is unique to a pair of devices and protects application-layer unicast between them. In the ZigBee 2007 model, link keys are established from a master key and the network key is handed to a joining device encrypted under a link key, so key distribution is critical to security: whoever holds the network key can read and forge traffic for the whole network. Many home automation products also ship with a well-known default Trust Center link key, which is why the join process, when the network key is transported to a new device, deserves close attention.
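To make the key, nonce and frame-counter machinery concrete, here is an added example written for this edit; it is not code from the original post or from any ZigBee stack. It implements the CCM* protection the network key provides (at a security level that both encrypts and authenticates, CCM* is plain RFC 3610 CCM) and the frame-counter check that makes a replayed command fail against a correct receiver. Only the Go standard library is used. The nonce layout follows 802.15.4 (source extended address, 4-byte frame counter, security control byte), but the little-endian field order, the security level (5, ENC-MIC-32), the header bytes, the sample key, address and payload, and the function names ccmNonce, ccmMIC, ccmEncrypt, ccmDecrypt and acceptFrame are all constructed assumptions for the example rather than values taken from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const micLen = 4 // ZigBee security level 5 (ENC-MIC-32): encrypted payload, 4-byte MIC

// ccmNonce builds the 13-byte 802.15.4 nonce: source extended address || frame
// counter || security control byte. Little-endian field order is an assumption here.
func ccmNonce(src uint64, counter uint32, secCtrl byte) []byte {
	n := make([]byte, 13)
	binary.LittleEndian.PutUint64(n, src)
	binary.LittleEndian.PutUint32(n[8:], counter)
	n[12] = secCtrl
	return n
}

// ctrBlock is A_i = flags(L' = 1) || nonce || i, the CTR input for keystream block i.
func ctrBlock(nonce []byte, i uint16) []byte {
	return append(append([]byte{1}, nonce...), byte(i>>8), byte(i))
}

// ccmMIC returns the transmitted MIC U = T xor S0, where T is the RFC 3610 CBC-MAC
// over B0 || length-prefixed header || payload (13-byte nonce, so L = 2).
func ccmMIC(block cipher.Block, nonce, header, payload []byte) []byte {
	pad := func(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }
	b := make([]byte, 16)
	b[0] = byte(8*((micLen-2)/2) + 1) // B0 flags: M' = (M-2)/2, L' = L-1
	copy(b[1:14], nonce)
	binary.BigEndian.PutUint16(b[14:], uint16(len(payload)))
	if len(header) > 0 { // Adata bit; a header under 0xFF00 bytes gets a 2-byte length prefix
		b[0] |= 0x40
		b = pad(append(append(b, byte(len(header)>>8), byte(len(header))), header...))
	}
	b = pad(append(b, payload...))
	x := make([]byte, 16) // CBC-MAC with a zero IV over every 16-byte block of b
	for i := 0; i < len(b); i += 16 {
		for j := range x {
			x[j] ^= b[i+j]
		}
		block.Encrypt(x, x)
	}
	s0 := make([]byte, 16)
	block.Encrypt(s0, ctrBlock(nonce, 0))
	for j := 0; j < micLen; j++ {
		x[j] ^= s0[j]
	}
	return x[:micLen]
}

// ccmEncrypt returns ciphertext || MIC; the header is authenticated but sent in clear.
func ccmEncrypt(block cipher.Block, nonce, header, payload []byte) []byte {
	out := make([]byte, len(payload), len(payload)+micLen)
	cipher.NewCTR(block, ctrBlock(nonce, 1)).XORKeyStream(out, payload)
	return append(out, ccmMIC(block, nonce, header, payload)...)
}

// ccmDecrypt reverses ccmEncrypt and fails closed on a bad MIC.
func ccmDecrypt(block cipher.Block, nonce, header, frame []byte) ([]byte, error) {
	if len(frame) < micLen {
		return nil, fmt.Errorf("frame shorter than MIC")
	}
	payload := make([]byte, len(frame)-micLen)
	cipher.NewCTR(block, ctrBlock(nonce, 1)).XORKeyStream(payload, frame[:len(payload)])
	if subtle.ConstantTimeCompare(ccmMIC(block, nonce, header, payload), frame[len(payload):]) != 1 {
		return nil, fmt.Errorf("MIC check failed")
	}
	return payload, nil
}

// acceptFrame is the NWK-layer replay check: a counter at or below the highest one
// accepted from src is rejected, and the record is advanced only after the MIC
// verifies, so a forged frame with a huge counter cannot lock the real sender out.
func acceptFrame(block cipher.Block, lastSeen map[uint64]uint32, src uint64, counter uint32, header, frame []byte) ([]byte, error) {
	if last, ok := lastSeen[src]; ok && counter <= last {
		return nil, fmt.Errorf("replay: counter %d <= last accepted %d", counter, last)
	}
	pt, err := ccmDecrypt(block, ccmNonce(src, counter, 0x05), header, frame)
	if err == nil {
		lastSeen[src] = counter
	}
	return pt, err
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 16-byte network key
	src, hdr := uint64(0x0011223344556677), []byte{0x48, 0x02, 0x01, 0x00} // constructed address and header stand-in
	frame, seen := ccmEncrypt(block, ccmNonce(src, 1, 0x05), hdr, []byte("light:on")), map[uint64]uint32{}
	for _, counter := range []uint32{1, 1} { // the same frame delivered twice: the second is a replay
		pt, err := acceptFrame(block, seen, src, counter, hdr, frame)
		fmt.Printf("counter %d: payload=%q err=%v\n", counter, pt, err)
	}
}
```

Run it and the second delivery of the captured frame is rejected on the counter alone, before any decryption happens; a frame with a flipped ciphertext bit or a modified header fails the MIC instead. What the code also makes plain is why key distribution is the weak point: every check above is only as strong as the secrecy of the network key, and a sniffer that captures the transport-key message carrying it gains exactly the receiver's abilities.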
Attack Goals
When looking at this space from a security perspective it is important to establish the attack goals. Here are just a few possible goals along with examples:
- Read sensitive data
  - Ex: proprietary data, processes, etc.
- Inject incorrect information
  - Ex: report false information
- Replay commands
  - Ex: increase, decrease
- Denial of service
  - Ex: stop reporting data
- Leverage connected networks
  - Ex: breach an internal network using ZigBee
Conclusion
This article outlined why we are examining ZigBee and provided some background, including usage, history, frequency ranges, and encryption. The next article will cover one of the many hardware options.