Friday, December 11, 2015

Fun with Zigbee Wireless - Part V (Active attacks)

By Tony Lee

Introduction

This time, let's explore some active attacks.  Active attacks that use packet injection require flashing the RZUSBSTICK and thus firmware upgrades will also be covered in this article.
    Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

    Firmware Upgrade

    The first step in a firmware upgrade is to obtain the new image.  This could either be from Atmel, Luxoft, or in this case the KillerBee firmware from github.  

    Download
    Below we show the wget command to download the firmware and the head command to show what the firmware looks like.



    root@kali:~/tools/killerbee# wget https://raw.githubusercontent.com/riverloopsec/killerbee/master/ firmware/kb-rzusbstick-002.hex
    root@kali:~/tools/killerbee# head kb-rzusbstick-002.hex :100000000C94B4000C94D3000C94D3000C94D30043 :100010000C94D3000C94D3000C94D3000C94D30014 :100020000C94D3000C94D3000C94220E0C94D300A7 :100030000C94D3000C94D3000C94D3000C94D300F4 :100040000C943D0B0C94910B0C94FC0B0C94D30072 :100050000C947A0B0C94D3000C94D3000C94D30022 :100060000C94D3000C94D3000C94D3000C94D300C4 :100070000C94D3000C94D3000C94D3000C94D300B4 :100080000C94D3000C94D3000C94D3000C94D300A4 :100090000C94D3000C94D300E409FC062507220835



    Connections
    The image below shows all of the connections necessary to flash the RZUSBSTICK.  The Dragon programmer connects to the laptop via a USB cable.  The 100mm female to female ribbon cable connects the dragon to the 100mm to 50mm stand off adapter.  The 50 mm male to male connects the stand off adapter to the RZUSBSTICK (which is plugged into the USB stand also plugged into the laptop).  You can either solder the 50mm connector to the RZUSBSTICK or you can hold the pins at an angle to make a firm connection.  Since we were flashing multiple USB sticks, we did not solder the pins.  Note that PIN 1 is closest to the LED.




    Flash command

    We typically get this command ready prior to the hardware being connected.  That way when the hardware is connected we only need to hit the enter key.



    root@kali:~/tools/killerbee# avrdude -P usb -c dragon_jtag -p usb1287 -B 10 -U flash:w:kb-rzusbstick-002.hex avrdude: jtagmkII_initialize(): warning: OCDEN fuse not programmed, single-byte EEPROM updates not possible avrdude: AVR device initialized and ready to accept instructions Reading | ################################################## | 100% 0.01s avrdude: Device signature = 0x1e9782 avrdude: NOTE: FLASH memory has been specified, an erase cycle will be performed To disable this feature, specify the -D option. avrdude: erasing chip avrdude: jtagmkII_initialize(): warning: OCDEN fuse not programmed, single-byte EEPROM updates not possible avrdude: reading input file "kb-rzusbstick-002.hex" avrdude: input file kb-rzusbstick-002.hex auto detected as Intel Hex avrdude: writing flash (26818 bytes): Writing | ################################################## | 100% 2.99s avrdude: 26818 bytes of flash written avrdude: verifying flash memory against kb-rzusbstick-002.hex: avrdude: load data flash data from input file kb-rzusbstick-002.hex: avrdude: input file kb-rzusbstick-002.hex auto detected as Intel Hex avrdude: input file kb-rzusbstick-002.hex contains 26818 bytes avrdude: reading on-chip flash data: Reading | ################################################## | 100% 3.24s avrdude: verifying ... avrdude: 26818 bytes of flash verified avrdude: safemode: Fuses OK avrdude done. Thank you.


    avrdude options defined:
    -P port
    -c programmer-id
    -p partno
    -B bitclock
    -U Perform memory operation
    Memtype:operation:filename

    Verification

    If using lsusb, the brief information does not change.  However, use lsusb -D (ex:  lsusb -D /dev/bus/usb/001/030) to see that the iProduct and iSerial values change to the following:

    • iProduct:  KILLERB001
    • iSerial:  FFFFFFFFFFFF
    When plugging into VMware, the text changes because the iProduct value above changed.  Visually the KillerBee firmware will also change the blue light to amber on the RZUSBSTICK.


    If these changes are present the firmware upgrade was successful.

    Active attack

    In the previous passive attack article, we showed the zbid tool to list the devices.  There should be a noticeable difference now.



    Before:
    root@kali:~# zbid Monkey-patching usb.util.get_string() Dev Product String Serial Number 2:7 RZUSBSTICK 3FA0F6A01C25

    After: root@kali:~# zbid Monkey-patching usb.util.get_string() Dev Product String Serial Number 1:30 KILLERB001 FFFFFFFFFFFF



    zbstumbler
    Now that we have the KillerBee firmware image loaded, we can use more interesting tools that use active techniques for discovery--including zbstumbler.  This is a bit of a head nod to the old netstumbler tool as it can use active packets to locate networks (regardless of the channel).  As a bonus, we can also use the same card to transmit and receive.  Notice in the usage and output below that we do not need to specify a channel and the card still discovered both the hub and the outlet on channel 19.


    root@kali:# zbstumbler Monkey-patching usb.util.get_string() Warning: You are using pyUSB 1.x, support is in beta. zbstumbler: Transmitting and receiving on interface '1:24‘ New Network: PANID 0x2B55 Source 0x7A7C Ext PANID: fd:c3:43:24:23:71:f0:52 Stack Profile: ZigBee Enterprise Stack Version: ZigBee 2006/2007 Channel: 19 New Network: PANID 0x2B55 Source 0x0000 Ext PANID: fd:c3:43:24:23:71:f0:52 Stack Profile: ZigBee Enterprise Stack Version: ZigBee 2006/2007 Channel: 19



    zbwireshark
    zbwireshark allows users to sniff and review ZigBee traffic in real-time within Wireshark.  The tool creates a pipe which Wireshark then reads data from.  This tool can technically be used with the default firmware since it is passive in nature, but we found it slightly more stable after the KillerBee firmware upgrade.  There are still some stability issues either way.


    zbwireshark being used to sniff and display packets in real-time

    Sniff and Replay Packets

    Once devices are discovered (zbstumbler) and understood (zbwireshark), the it may be possible to capture traffic and then replay that traffic back to the device.  This did not work in our limited testing, but it is worth a shot.

    zbdump and zbreplay
    We already used zbdump in the previous article, however we will cover the syntax here for completion.  The new tool here is zbreply.  This tool will take the pcap from zbdump and replay it using the flashed RZUSBSTICK.  -f specifies the channel, -w specifies the name of the pcap to write the captured packets, and -r specifies the name of the pcap to read the captured packets.



    root@ubuntu:# ./zbdump -f 19 -w operating.pcap Monkey-patching usb.util.get_string() Warning: You are using pyUSB 1.x, support is in beta. zbdump: listening on '1:34', link-type DLT_IEEE802_15_4, capture size 127 bytes 54 packets captured root@ubuntu:# ./zbreplay -f 19 -r operating.pcap Monkey-patching usb.util.get_string() Warning: You are using pyUSB 1.x, support is in beta. zbreplay: retransmitting frames from 'operating.pcap' on interface '1:34' with a delay of 1.0 seconds. 27 packets transmitted



    Obtain a Key

    Similar to zbdsniff discussed in the prior article, the objective here is to obtain a key to decrypt ZigBee traffic.

    zbkey
    This tool is different from zbdsniff because it is active in nature.  Instead of passively scanning a pcap, zbkey attempts to retrieve a key by sending an associate request followed by a data request after an association response is received.

    Here are a few pro-tips when trying this attack:
    • Try attacking each device separately
    • First attack the hub
    • Then attack the child device
    • Try placing them in pairing mode
    • Try changing the hardware address



    root@kali:~# zbkey -f 19 -p 2B55 -s 0.1 -a d052a8006b550001 Monkey-patching usb.util.get_string() Warning: You are using pyUSB 1.x, support is in beta. Sending association packet... Sending data request packet... Received frame Length of packet received in associate_handle: 27 0000: 63 cc d7 55 2b 01 00 55 6b 00 a8 52 d0 01 00 55 c..U+..Uk..R...U 0010: 6b 00 a8 52 d0 02 ff ff 02 d8 eb k..R....... Association response status was not successful. Received 2. Received frame Length of packet received in associate_handle: 27 0000: 63 cc d7 55 2b 01 00 55 6b 00 a8 52 d0 01 00 55 c..U+..Uk..R...U 0010: 6b 00 a8 52 d0 02 ff ff 02 d8 eb k..R........ --snip— Sorry, we didn't hear a device respond with an association response. Do you have an active target within range?



    zbkey options defined:
    -f channel
    -p PAN ID
    -s sleep
    -a ZigBee hardware address

    Denial of Service

    When all else fails, it may be interesting to check the resiliency to denial of service.  Fortunately, the KillerBee suite has a tool for this as well.

    zbassocflood
    This tool attempts to trasmit a flood of associate requests to a target network.  It does require the PAN ID (-p), the channel (-c), and timing (-s).


    root@kali:~# zbassocflood -p 0x2b55 -c 19 -s 0.1 Monkey-patching usb.util.get_string() Warning: You are using pyUSB 1.x, support is in beta. zbassocflood: Transmitting and receiving on interface '1:34' ++++++......++++++......++++++......++++++......++++++......++++++......++++++......++++++......++++++^C Sent 102 associate requests.


    In the interest of full disclosure, we were not able to obtain a key or cause a denial of service.  More hardware and testing is required for to complete our research.

    Conclusion

    This article covered quite a bit of information including flashing the RZUSBSTICK as well as outlining the KillerBee software that can be used for active attacks against the 2.4 GHz ZigBee frequency range.  Passive attacks primarily covered sniffing and replaying, obtaining a key, and denial of service.  The following tools were covered in this article:
    • avrdude (flash)
    • zbstumbler
    • zbwireshark
    • zbdump (repeat)
    • zbreplay
    • zbkey
    • zbassocflood
    We are interested in hearing feedback from others regarding the success shown with the tools covered in this article.  Feel fee to leave feedback in the comments section below.

    While onsite testing, it may be useful to have an attack methodology flow chart to follow.  Here is one we created to help stay on track and create a repeatable process.



    Happy hacking. :)

    Tuesday, December 1, 2015

    Fun with Zigbee Wireless - Part IV (Passive attacks)

    By Tony Lee

    Introduction

    In our previous zigbee articles, we covered ZigBee usage, history, one hardware option, and a handful of software options:
    History:  http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-i.html 
    Hardware: http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-ii.html
    Software: http://securitysynapse.blogspot.com/2015/12/fun-with-zigbee-wireless-part-iii.html

    This time, let's explore some passive attacks.  This means that we will not send any packets--we will only listen to what is already being sent.  Active attacks which require packet injection require flashing the RZUSBSTICK and thus will be covered in the next article.
    Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

    List devices

    Most of the Windows software will let you know when the RZUSBSTICK is plugged in.  However, if wanting to use some of the more flexible Killerbee tools in Linux, we will need to first list the available devices.  For this, we use the zbid command.

    zbid:

    root@kali:~# zbid
    Monkey-patching usb.util.get_string() Dev Product String Serial Number 2:7 RZUSBSTICK 3FA0F6A01C25



    This should show at least one device if it is plugged in.  If nothing shows up or an error occurs do the following:

    • Check to make sure the USB stick is plugged in and a light illuminated
    • Check dmesg to check for errors
    • Reinstall Killerbee software per our instructions in the last article

    Discovery

    Now that we have a working RZUSBSTICK, let's discover some ZigBee devices use the existing firmware on the device.  Fortunately, ZigBee has a limited number of channels (11-26) because we could not find very good passive options for tools that hopped through all of the channels using this hardware.  Pro-tip:  Try channel 19 first--it is a popular default channel.

    zbfind
    One tool seemed to have a lot of promise, but we could not get it working.  zbfind is a GUI tool with passive and active network detection features and works similar to "net stumbler".  Keep in mind though that active discovery mode requires the RZUSBSTICK to be flashed with the KillerBee firmware, but even this did not help the tool function properly.  The screenshot below shows promise.



    Screenshot from:  http://www.willhackforsushi.com/

    zbopenear
    zbopenear is a very interesting tool in that it can listen (and write to pcap) on multiple channels at the same time (given enough RZUSBSTICKs).  Since there are 16 channels, it would require 16 RZUSBSTICKs to listen on all channels at the same time.  At a cost of $42.50 per stick x 16 sticks, it would be a total of $680.  This tool did work but defaulted to channel 11 (the first channel).



    root@kali:~# zbopenear  Monkey-patching usb.util.get_string() Found device at 1:3: ‘RZUSBSTICK' Assigning to channel 11. Cap1:3: Launching a capture on channel 11. Warning: You are using pyUSB 1.x, support is in beta. Capturing on '1:3' at channel 11. Result: zb_c11_20151012-1128.pcap

    Sniff and Analyze Packets

    Once devices are discovered, the last phase in the passive attack is to sniff and analyze packets.  Most of the Windows tools discussed in the last article have the ability to sniff and analyze packets as well.  In this section, we will focus on some of the KillerBee tools.

    zbdump
    zbdump is like tcpdump for ZigBee.  It can save packets in both pcap and DainTree format.  For our testing we will use pcap format so we can open it in Wireshark (which natively understands the ZigBee protocol).  The following command can be used to run zbdump.  -f specifies the channel and -w specifies the name of the pcap to write the captured packets.



    root@kali:~# zbdump -f 19 -w test.pcap zbdump: listening on '002:006', link-type DLT_IEEE802_15_4, capture size 127 bytes 66 packets captured


    After capturing some packets, we will now open the pcap in Wireshark to learn about the protocol and components.



    Good to know info
    When looking at the packet capture above there are a few things to note:

    • Source and destination fields in packet captures are assigned network IDs (think IP address)
      • Ex:  Source:  0x7a7c is the ZigBee network ID assigned when the device joined
      • Source of 0x0000 is usually a controller
    • Extended addresses are hardware addresses
      • Ex:  Extended Source:  00:0d:6f:00:04:49:7d:13
      • Instead of 48-bit (like NICs), ZigBee hardware addresses are 64-bit in length

    Obtain a Key 

    zbdsniff
    The last passive tool on the list is zbdsniff.  This tool searches pcap files for ZigBee keys.  However, we did not get any output from the file--which may indicate that there were no keys available.


    root@ubuntu:# zbdsniff operating.pcap Monkey-patching usb.util.get_string() Processing operating.pcap Processed 1 capture files.


    Conclusion

    This article outlined the KillerBee software that can be used for passive attacks against the 2.4 GHz ZigBee frequency range.  Passive attacks primarily covered sniffing and analyzing ZigBee packets.  The following tools were covered in this article:
    • zbfind
    • zbdump
    • zbopenear
    • zbdsniff
    Some of the more interesting attacks require packet injection capabilities.  For this feature we must upgrade the firmware on the RZUSBSTICK which will be covered in the next article.  We are interested in hearing feedback from others regarding the success shown with the tools covered in this article.  Feel fee to leave feedback in the comments section below.

    Wednesday, November 25, 2015

    Fun with Zigbee Wireless - Part III (Software)

    By Tony Lee

    Introduction

    In our previous zigbee articles, we covered ZigBee usage, history, and one hardware option:
    History:  http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-i.html 
    Hardware: http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-ii.html


    This time, let's explore some software options.  There are both free and commercial options available.  For this series, we focused on free (although some require email registration).  the following options are explored in this article:
    • Atmel AVR Tools - Free with email registration
    • Luxoft BitCatcher ZigBee Network Analyzer Tool - Free with email registration
    • Killerbee - Free on Github

    Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

    Atmel AVR Tools

    This software is offered for free (http://www.atmel.com/tools/RZUSBSTICK.aspx) with email registration from the same maker as our RZUSBSTICK hardware.  It runs on Windows, including a Windows 7 virtual machine which is what our environment used.  Best of all, AVR tools works with the stock firmware so there is no need to flash the RZUSBSTICK.  Included in the download is the following:

    • Windows drivers
    • rfservicesserver.exe - Command line tool that creates a socket
    • AVR Wireless Services - GUI that connects to the socket created by rfservicesserver
    The component architecture is shown below:

    RF Services Server creates the bridge between the RZUSBSTICK hardware and the software to which the user interacts.  AVR Wireless Services Suite provides the UI for human interaction.



    The screenshot above shows the software download on the left, rfservicesserver running in the command prompt on the top right, and AVR Wireless Services GUI running in the bottom right.  AVR Wireless Services provides packet history, a graphical node display, and a packet drill down feature similar to Wireshark.  Of course Atmel offers more capable software at a price, but this is not too bad of a start for a free offering.

    Luxoft BitCatcher ZigBee Network Analyzer Tool

    Luxoft offers a tool called BitCatcher (http://www.luxoft.com/embedded-systems-development/bitcatcher/) which is also free with email registration.  This tool runs in Windows (binary) and Linux (Java app).  The biggest downside is that it requires custom firmware to be loaded onto the RZUSBSTICK via a flash upgrade (will discuss in a later article).  The flash upgrade changes the hardware ID which allows a custom driver to convert USB to COM which BitCatcher then uses to interact with the hardware.

    Our setup process was the following:

    • Flashed in Linux with avrdude (Will demo in a later article)
    • Ran the BitCatcher Sniffer tool in a Windows 7 VM
      • Loaded the "Sniffer" driver
      • Added the device, connected the device, started the sniffing


    The software download is shown on the left and the BitCatcher software is shown on the right.  There is a packet timeline and drilldown functionality similar to Wireshark, but with less detail.

      Killerbee

      The last software we will mention is the Killerbee framework from Josh Wright and River Loop security.  Killerbee is a free download from github found here:  https://github.com/riverloopsec/killerbee.  Some tools work with the default Atmel firmware while some require Killerbee firmware.

      The tools that work with the default firmware:

      • zbid – List available devices
      • zbfind – GUI for Zigbee location tracking – Never got this working 
      • zbopenear - ZigBee/802.15.4 many channel listener (need 1 RZUSB per channel)
      • zbwireshark - Sends sniffed ZigBee packets to Wireshark via a named pipe
      • zbdump – tcpdump clone (libpcap or commercial Daintree SNA format)
      • zbconvert – Convert capture file formats (libpcap -> Daintree)
      • zbdsniff – Scans capture files for Zigbee encryption keys (takes a capture file)
      • zbgoodfind – Search a binary file to identify encryption key for encrypted packet

      The tools that require the killerbee firmware:
      • zbreplay – Replay network traffic from libpcap or Daintree files
      • zbscapy – scapy for ZigBee
      • zbkey – Attempts to retrieve a key by fake association and request/response
      • zbassocflood – Transmit a flood of associate requests to a target network
      Killerbee comes pre-installed with most Kali distributions, however your success will vary.  Here was our out-of-the-box experience:

      Kali 1.1:
      Exception: Unable to open device.  Ensure the device is free and plugged-in.



      Kali 2.0:

      usb.core.USBError: [Errno 110] Operation timed out

      The moral of the story here is that just because the tools are pre-installed, does not mean they will work.

      The github page recommends installing the latest version of the software anyway.  These are the steps we used in a Kali 2.0 installation:


      Setup:


      mkdir tools; cd tools
      git clone https://github.com/riverloopsec/killerbee.git
      apt-get install libgcrypt-dev
      cd killerbee
      python setup.py install

      sudo rm -rf /usr/lib/pymodules/python2.7/killerbee
      python setup.py install

      Conclusion

      This article outlined the software we will use to examine the 2.4 GHz ZigBee frequency range.  We are very appreciative for those who released free software--Atmel, Luxoft, Josh Wright and River Loop security.  Here are some general observations:

      • Atmel - Worked well and with default firmware
      • Luxoft - Worked well after the firmware upgrade and driver install
      • Killerbee - Most capable and diverse tool set by far, but had the some minor issues:
        • Some tools don't work well - but hey, they are free.
        • Most tools don't terminate well
        • Thus, after running a tool, it may be necessary to reseat the card
          • Easiest reseat method is to virtually reseat the card via VMware/Virtual box
          • If virtual reseat does not work, physical reseat will be necessary (hooray for USB stands)

      The next article will cover some potential passive attacks.

      Sunday, November 22, 2015

      Fun with Zigbee Wireless - Part II (Hardware)

      By Tony Lee

      Introduction

      In our previous zigbee article, we covered ZigBee usage and history:

      This time, let's explore some hardware.  Keep in mind though that this is just one possible hardware platform that can be used.  The hardware will also vary depending on the frequency you are targeting.  As mentioned in our previous article, these are the applicable ZigBee frequencies:
      • 2.4 GHz - Worldwide
      • 915 MHz - US/AUS
      • 868 MHz - Europe
      • 784 MHz – China

      For the rest of this article, we will be targeting the 2.4 GHz frequency range—thus our hardware will reflect this decision.

      The 2.4 GHz range along 802.11 overlap is shown below:


      Figure 1: Source https://www.digi.com/wiki/developer/index.php/Channels,_Zigbee


      Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

      Hardware

      Our test environment consists of an unnamed home automation system and a ZigBee power outlet.  This really could have been any ZigBee devices which range from thermostats to light bulbs to deadbolts.

      The attack hardware consists of the following:


      The only component used for actual attacks in the list above is the Atmel RZUSBSTICK.  We included two RZUSBSTICKs so we could launch the attack with one stick and monitor with the other.  The rest of the components below the first line item are used in the firmware flashing process.  Unfortunately much of the available software requires custom firmware—hence the AVR Dragon and other components.

      The hardware list provided is the bare minimum to complete the activities outlined in this series, however there is one “nice to have” item that may save you a little frustration:  a USB extension/stand (one per RZUSBSTICK).  The reason for this is due to some instability with some of the software, thus there will be times where you will need to reseat the RZUSBSTICK.  Most of the time this can be done virtually via VMWare or Virtual box, however, there may be times when this must be done physically.  Since the RZUSBSTICKs are fragile, these stands will help prevent you from handling the PCB itself.  Instead you can disconnect the stand from the PC and have the same effect.  These stands run about $3.22 on Amazon and are well worth the price. 



      Attack Environment

      Both Ubuntu 14.04.3 and Kali Linux (version 1.1 and 2.0) detect the RZUSBSTICK and load the appropriate drivers.  Both virtualbox and VMWare were used to virtualize Ubuntu and Kali.  Out of all of the combinations, it appears that Kali 2.0 running on virtualbox was the most reliable environment.

      Before:

      root@kali:~# lsusb
      Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
      Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
      Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
      Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
      Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub


      After:

      root@kali:~# lsusb
      Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
      Bus 002 Device 005: ID 03eb:210a Atmel Corp.
      Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
      Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
      Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
      Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

      Conclusion


      This article outlined the hardware we will use to examine the 2.4 GHz ZigBee frequency range.  The next article will cover software options that are available to match the Atmel RZUSBSTICK.  Keep in mind this is just one possible hardware platform.  We would love to hear about experiences with other gear as well.  Feel free to leave comments in the section below.  

      Sunday, November 15, 2015

      Fun with ZigBee Wireless - Part I (Background)

      By Tony Lee

      Introduction

      In our previous articles, we have covered quite a bit of 802.11 hacking:

      This time, let's explore a different wireless medium: ZigBee! In this series we will look at the following:
      • Why Zigbee matters
      • Background/history
      • Hardware
      • Software
      • Passive attacks
      • Firmware upgrades
      • Active attacks
      A good deal of research has already been completed -- so we give a head nod to all that have pioneered this space. But there truly is nothing like trying it yourself. A warning to the weary:  The documentation at times is lacking (unless source code counts). But hopefully this series will give you some key tidbits that will help you on your way to getting up and running faster.

      Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

      Why ZigBee matters

      The primary reason why ZigBee matters is because you can control the physical environment through a wireless medium. This mostly applies to embedded device applications -- such as home automation/Internet of Things (IoT), but it can also apply to more sensitive applications such as SCADA equipment.

      Here are some categories and examples of how ZigBee is used in the world around you:
      • Sensors: Temperature, humidity, water
      • Control: Lighting, HVAC, appliances, power
      • SCADA specific: Smart meters/water/gas


      Figure 1:  The Zen Thermostat is an example of a ZigBee capable device


      Figure 2:  Diagram of ZigBee Alliance smart meters



      The most interesting thing about wireless technologies is that vendors are usually very proud in announcing details of their usage--to the extent that they even include the protocols, protection, and chosen frequency.

      Quick Background

      ZigBee is a IEEE 802.15.4-based specification designed to create Personal Area Networks (PANs). This PAN differs from others such as Bluetooth because it is designed to be simpler and cheaper. ZigBee is also designed to have lower power consumption. In fact, the battery must last at least 2 years in order to meet ZigBee certification standards. However, much of the home automation devices seem to have 5+ year battery life. The transmission distance is anywhere from 10-100 meters (or more if you consider the built-in mesh support).

      Brief History
      ZigBee has been around for quite some time.  In fact, over a decade.  The following three bullets summarize the major advancements.  For more information, visit the ZigBee wiki page found here:  https://en.wikipedia.org/wiki/ZigBee
      • 2004:  IEEE 802.15.4 ratified
      • Zigbee-2006:   added encryption support
      • Zigbee-2007 Zigbee-PRO:  Compatible with 2006, “Trust center” security model, etc.

      Frequencies
      The first ZigBee frequency consideration largely depends on geographic location.  Aside from location, the application (based on signal propagation) can help determine the chosen frequency.  For example, much of the home automation/IoT space uses the 2.4 GHz range and some outdoor applications tend to use the 915 MHz range.  Geographically, the frequencies are assigned as follows:
      • 2.4 GHz - Worldwide
      • 915 MHz - US/AUS
      • 868 MHz - Europe
      • 784 MHz - China
      Encryption
      ZigBee uses 128-bit AES encryption.  Two keys are used for communication.  A network key is shared by everyone and used for broadcast traffic, while a link key is unique per 2 devices.  Both network and link keys are established through a Master key—thus key distribution is critical to security.

      Attack Goals
      When looking at this space from a security perspective it is important to establish the attack goals.  Here are just a few possible goals along with examples:
      • Read sensitive data
        • Ex:  Proprietary data, processes, etc.
      • Inject incorrect information
        • Ex:  Report false information
      • Replay commands
        • Ex:  Increase, decrease
      • Denial of service
        • Ex:  Stop reporting data
      • Leverage connected networks
        • Ex:  Breach an internal network using ZigBee

      Conclusion


      This article outlined why we are examining ZigBee and provides some background to include usage, history, and frequency ranges and encryption.  The next article will cover one of the many hardware options.