Sunday, November 22, 2015

Fun with Zigbee Wireless - Part II (Hardware)

By Tony Lee

Introduction

In our previous ZigBee article, we covered ZigBee usage and history:

This time, let's explore some hardware.  Keep in mind though that this is just one possible hardware platform that can be used.  The hardware will also vary depending on the frequency you are targeting.  As mentioned in our previous article, these are the applicable ZigBee frequencies:
  • 2.4 GHz - Worldwide
  • 915 MHz - US/AUS
  • 868 MHz - Europe
  • 784 MHz - China

For the rest of this article, we will be targeting the 2.4 GHz frequency range—thus our hardware will reflect this decision.

The ZigBee channels in the 2.4 GHz range, and how they overlap with the 802.11 channels, are shown below:


Figure 1: Source https://www.digi.com/wiki/developer/index.php/Channels,_Zigbee
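The overlap Figure 1 depicts can also be computed directly from the two channel plans. The script below is an added example (not from the original article or the Digi wiki); it assumes the 22 MHz 802.11b channel mask and a 2 MHz 802.15.4 channel, and the channel numbers and center frequencies come from the respective standards. It is handy for deciding which channels a monitor must cover and which ones a deployment is likely to be using to avoid Wi-Fi interference.

```python
# Added example: which IEEE 802.15.4 (ZigBee) channels in the 2.4 GHz band
# overlap which 802.11 channels. Assumptions: 22 MHz 802.11b mask, 2 MHz
# 802.15.4 channel; channel plans are taken from the respective standards.

ZIGBEE_BW_MHZ = 2.0    # 802.15.4 O-QPSK channels occupy about 2 MHz
WIFI_BW_MHZ = 22.0     # classic 802.11b channel mask width


def zigbee_center_mhz(channel):
    """Center frequency of 802.15.4 channel 11..26: 2405 + 5*(k-11) MHz."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are 11-26")
    return 2405 + 5 * (channel - 11)


def wifi_center_mhz(channel):
    """Center frequency of 802.11 channel 1..13 (2412 + 5*(n-1)) or 14 (2484)."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError("802.11 2.4 GHz channels are 1-14")
    return 2412 + 5 * (channel - 1)


def _band(center, width):
    return center - width / 2, center + width / 2


def overlaps(zb_channel, wifi_channel):
    """True if the two occupied bands intersect with positive width."""
    zlo, zhi = _band(zigbee_center_mhz(zb_channel), ZIGBEE_BW_MHZ)
    wlo, whi = _band(wifi_center_mhz(wifi_channel), WIFI_BW_MHZ)
    return zlo < whi and wlo < zhi


def wifi_overlap_map(wifi_channels=(1, 6, 11)):
    """Map each 802.15.4 channel to the given Wi-Fi channels it overlaps."""
    return {zb: [w for w in wifi_channels if overlaps(zb, w)]
            for zb in range(11, 27)}


def clear_zigbee_channels(wifi_channels=(1, 6, 11)):
    """802.15.4 channels that overlap none of the given Wi-Fi channels."""
    return [zb for zb, hits in wifi_overlap_map(wifi_channels).items() if not hits]


if __name__ == "__main__":
    for zb, hits in wifi_overlap_map().items():
        print(f"802.15.4 ch {zb} ({zigbee_center_mhz(zb)} MHz): Wi-Fi {hits or 'none'}")
    print("clear of Wi-Fi 1/6/11:", clear_zigbee_channels())  # [15, 20, 25, 26]
```

With the common Wi-Fi 1/6/11 layout only channels 15, 20, 25 and 26 are free of overlap, which is why many ZigBee networks end up on those channels.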


Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

Hardware

Our test environment consists of an unnamed home automation system and a ZigBee power outlet.  It really could have been any ZigBee device; they range from thermostats to light bulbs to deadbolts.

The attack hardware consists of the following:


The only component used for actual attacks in the list above is the Atmel RZUSBSTICK.  We included two RZUSBSTICKs so we could launch the attack with one stick and monitor with the other.  The rest of the components below the first line item are used in the firmware flashing process.  Unfortunately, much of the available software requires custom firmware—hence the AVR Dragon and other components.

The hardware list provided is the bare minimum to complete the activities outlined in this series; however, there is one “nice to have” item that may save you a little frustration:  a USB extension/stand (one per RZUSBSTICK).  Some of the software is unstable, so there will be times when you need to reseat the RZUSBSTICK.  Most of the time this can be done virtually via VMware or VirtualBox; however, there may be times when it must be done physically.  Since the RZUSBSTICKs are fragile, these stands keep you from handling the PCB itself: you disconnect the stand from the PC and get the same effect.  These stands run about $3.22 on Amazon and are well worth the price.



Attack Environment

Both Ubuntu 14.04.3 and Kali Linux (versions 1.1 and 2.0) detect the RZUSBSTICK and load the appropriate drivers.  Both VirtualBox and VMware were used to virtualize Ubuntu and Kali.  Out of all of the combinations, Kali 2.0 running on VirtualBox appeared to be the most reliable environment.  The stick shows up in lsusb as "ID 03eb:210a Atmel Corp.", as in the after listing below.

Before:

root@kali:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


After:

root@kali:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 005: ID 03eb:210a Atmel Corp.
Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Conclusion
This article outlined the hardware we will use to examine the 2.4 GHz ZigBee frequency range.  The next article will cover software options that are available to match the Atmel RZUSBSTICK.  Keep in mind this is just one possible hardware platform.  We would love to hear about experiences with other gear as well.  Feel free to leave comments in the section below.  
