ZigBee is a wireless mesh networking standard for low-power devices. It uses low data rates, low power consumption and mesh networking to connect devices over short distances. ZigBee provides security features like access control, encryption and authentication to protect wireless transmissions. However, ZigBee devices have some security vulnerabilities like weak encryption keys, replay attacks and denial of service attacks that can be exploited if not properly implemented and managed.
1. ZigBee IEEE 802.15.4
What it is:
a high-level communication protocol for WSNs and WPANs
a M2M Area Network Technology for WLANs.
Attributes:
Low power consumption, low-cost, low bitrate
mesh networking standard supports 10-1000 meter range
– highly reliable
stable against node failover
global standards for interoperability
Applications:
Home Automation, Building Automation, Smart Energy, Health and
Fitness, 3D gaming, Telecommunications, Retail, Industrial Control.
2. Security Architecture:
Access Control Frame address validation MAC Layer Frame Integrity, Trust Center Architecture for Secure
Network Admittance.
Authentication and
Data Confidentiality
Symmetric Key Encryption for
Frames
Confidentiality :AES-CTR
Authentication: AES-CBC-MAC with 32,-64,128bit MAC
Confidentiality & Authentication: AES -CCM with 32-,64-,128 bit MAC
Supports PKI.
Frame Integrity Protection against tampering for
data in transit
MIC 32/64/128 bits based on AES-CBC-MAC
Sequential Freshness Prevention of Replay Attacks 4-Byte Frame Counter
Common security concerns:
Long battery life of at least 2 years is a must to pass ZigBee certification.
So resource-intensive security measures are avoided to keep power
consumption low and limited.
Interoperability among ZigBee profiles might force security slackening.
ZigBee-based devices are essentially low-cost, thus lacking protection
from physical attacks using serial interfaces such as GoodFet and BusPirate.
3. Golden Rules for Security in the Residential Mode
• Building blocks of ZigBee security: Key establishment, key
transport, frame protection and device management.
• Key management is all about secure initialization, installation,
processing and storage of Network Keys and Link Keys.
• End-to-end Data Security – Only a source and a destination
device can decrypt a message using a combination of keys.
• The APS and NWK layers can both independently process the
secure MAC frames with either encryption (confidentiality) or
authentication, or both.
• The ZigBee Device Object (ZDO) manages security policies and
security configuration for devices.
4. A real world assessment environment:
Testing a smart device model for lighting and temperature
control based on ZigBee Home Automation Profile
Development Kits: Xbee and Texas Instruments
ZigBee Coordinator (ZC/ZTC) – Xbee RF Module/CC2531 USB Dongle (0x0000)
ZigBee End Device (ZED) – Xbee RF Module/CC2530 development board (0x6EC7)
- set up as a monitoring node, fitted with:
temperature sensor, LED and LDR for light sensing/emission
and light intensity measurement.
ZigBee Router (ZR) – Xbee RF Module/CC2530 development
board (0xCEBC)
In the lab…
5. ZigBee Logical Device Types and Functions
ZigBee Coordinator (FFD, parent)
• starts the network, maintains neighbor and router lists.
• acts as Trust Center for secure node joining (authenticates new joiner).
• PAN Coordinator functions for network and security management.
• can update link key and network key periodically.
• transfers application packets.
ZigBee Router (FFD)
• Allows devices to join the network
• Multi-hop communication
ZigBee End Devices (RFD or FFD, child)
• battery-powered radios with short duty-cycles.
• sensor nodes for data sampling.
• can be routed using a ZigBee gateway.
• transfers application packets.
Node Types
RFD – Reduced Function Device
FFD – Full Function Device
7. 1. EAVESDROPPING FOR NETWORK DISCOVERY & DEVICE IDENTIFICATION
Legitimate Beacon Request Frame (0x07)
Unencrypted Beacon
Response Frame
[PAN ID, source address,
stack profile, stack
version, and IEEE address]
SNIFFED
SENSOR NODE
Spoofed Beacon Request Frame
EXPLOIT DEVICE
Network discovery: Sniffing of the Unencrypted MAC Header to identify configuration, node addresses,
stack profile and PAN IDs from Beacon Responses sent to end devices by Coordinators and Routers.
Packet
Capture
COORDINATOR
8. Replay of the captured LED
ON/OFF packets excluding
ACK frame on the channel.
Delay of 1/10th of a second
between each frame.
2. REPLAY ATTACK – OFFLINE MODE
The Frame Counter in the NWK layer drops replayed packets.
But the MAC layer is vulnerable to replay of MAC command frames as the layer cannot
process an incoming frame counter.
EXPLOIT DEVICE
SENSOR NODE
COORDINATOR
CAPTURED
9. Injecting a spoofed beacon
request frame on a loop
with a 1-sec delay
3. DENIAL OF SERVICE
(A). PACKET INJECTION IN REAL-TIME
Effecting short-term unavailability of the coordinator’s services for a legitimate device
by causing bandwidth consumption and node energy draining.
EXPLOIT DEVICE
Continuous packet
injection to expend
bandwidth.
Node energy drain due to
extended ‘wake’ state
caused by its
retransmission loop in
anticipation of response.
ZC does not respond to
legitimate requests
from network nodes.
COORDINATOR
10. EXPLOIT DEVICE
3. ASSOCIATION FLOOD IN REAL-TIME
Injecting a forged
combination of association
request and data request
on a loop with a 1-sec delay
Disengaging a legitimate device and preventing rejoin using a syn flood attack. Some
vendors defend against this using device identity tables to detect suspicious behavior.
Continuous stream of
Association Responses Association table
overflows, expending
processing memory.
Coordinator’s
Communication with
legitimate nodes is
obstructed.
COORDINATOR
11. Nodes struggle to keep up with rapid PAN ID
rotation process which is triggered repetitively.
After a few seconds, communication
disintegrates.
Coordinator senses PAN ID Conflict and
realigns network to a new PAN ID for
every conflicting PAN ID replayed.
COORDINATOR
Continuous broadcast replay of
forged association responses on
the channel; impersonating the
PAN Coordinator.
Continuous sniffing of the network
to collect PAN IDs, extended PAN
IDs and channel.
EXPLOIT DEVICE 2
4. PAN ID CONFLICT ATTACK
Sabotaging the PAN Coordinator’s network management by means of manipulation
which is in essence, the initiation of a persistent conflict of PAN IDs.
EXPLOIT DEVICE 1
0x94ac
0x8b43
0x6335
0x72bc
12. OTA key provisioning vs. Pre-configured Keys
Network key is delivered in plaintext to end device
- higher susceptibility to key sniffing.
Keys are pre-installed by vendor in manufacture
- unless keys are updated, knowledge of the default keys of the
vendor can be used to make an illegitimate node (of the same
vendor) join the network.
- physical attacks often attempted.
Key rotation process is supported. Key rotation / revocation is not possible.
All data is initially encrypted with network key until link keys
are derived.
After device pairing, all data is encrypted with pre-installed link
key.
Widely preferred for large scale deployments for ease of set up
since employees need not handle activation procedures.
Small deployments in home automation are more likely to use
this method of key provisioning.
• Trust Center in the Residential Mode or Standard Security Mode maintains only the standard network keys.
We deem it necessary for deployers to equip the TC host with enough resources to maintain a list of nodes and
network policies to incorporate the resilience features of the High Security Mode to the extent possible while
maintaining the low-cost factor.
• The OTA key provisioning mechanism must be bolstered by other security measures to reduce key sniffing/reuse
vulnerabilities.
• Optimally leverage the AES-based security framework and Trust Center controls to harden the network ecosystem.
13. Nonce Reuse
• Sequential message numbers (nonces) can help detect and prevent replay attacks.
• Nonces must always be distinct although the security key is same for two messages.
• Attackers can spoof messages by copying the same nonce used by a previous message.
Save nonces in NVRAM so that status is preserved after a power failure.
Security at the MAC Layer
• MAC Layer only secures its own frames between neighboring nodes (no end-to-end protection as in APS layer)
• ACL-based node admission and Unsecured Mode are unreliable.
MIC must be used to validate frame check sum and message sequence.
Preventing Physical Attacks
• Debuggers and key sniffers are used to extract encryption keys from firmware on any node.
• Existing key is usually not invalidated once a node is removed from the network
– this eases rogue entry into network.
Tamper-proofing nodes and Out-of-band key loading via serial ports helps eliminate exposure to sniffing.
Best Practices
Node Revival
• Association/Syn Floods and PAN ID Conflict Attacks aim at disengaging nodes and disrupting
coordinator responses.
• Disconnected nodes are not immediately discernible.
Set Node Join Time parameter to ’Always’.