Hacking Zigbee Devices with Attify Zigbee Framework

Hacking Zigbee Devices with Attify Zigbee Framework

. 6 min read

Welcome to another blog post by Attify – your source for learning pentesting for IoT devices and Mobile applications.

In this post, we are going to introduce you to the Attify ZigBee Framework – a graphical utility which we have built to help you pentest and find vulnerabilities in ZigBee based IoT and smart devices.

About Zigbee

ZigBee is one of the most common protocols used in IoT devices in the current day. Since the arrival of ZigBee in 2004, it quickly grew in popularity to become one of the most commonly used go-to protocols for anything which needed automation or short range wireless control.

ZigBee’s additional features such low power consumption, built-in support for mesh networking and low bandwidth usage also further helped increase the adoption rates for this new technology.

As of today, it is one of the most common protocols found in IoT devices and includes popular products such as Samsung Smart Things and Philips Hue.

The ZigBee Alliance handles certification of ZigBee devices and maintains a list of products certified by it.

Due to lack of awareness around the topic of ZigBee security, you would often encounter devices based on ZigBee which don’t have even the slightest of security protections in them. The impact of these vulnerabilities could be anywhere from sniffing sensitive data in transit to taking over something like a critical infrastructure.

We hope that with this post as well as other IoT security offerings (like this kit) we can reduce the security gap in IoT products and make the IoT ecosystem a safer place.

Getting started with the Attify Zigbee Framework

Attify ZigBee Framework is a GUI wrapper around the critically acclaimed tool KillerBee by RiverLoop Security.

The AZF (Attify ZigBee Framework) makes the entire process of using KillerBee much easier for anyone who is starting out in IoT / Radio security. Over time, we are planning to add more features and extend the framework to make it more efficient in identifying vulnerabilities in ZigBee communications.

The first thing you need to do to get started with Attify ZigBee Framework is clone the GitHub repository located here – Attify ZigBee Framework GitHub Repo and run installer.sh to setup the tool.

![image-22](https://blog.attify.com/content/images/2017/04/installer.png)Running installer.sh
The installer script will also take care of the installation of KillerBee tools and other dependencies required to run the tool.

Setting up the Tool

To run the tool, go to the path where the repository was cloned and run python main.py to launch up the Attify ZigBee Framework.

python main.py

The framework is also built in a way that you can customize which tools from the KillerBee tool suite would you like to see in the GUI. To do this, you can select the list of tools from the “Settings” menu or alternatively use Ctrl + S to bring up the configuration menu.

[![Adding tools to the UI for Zigbee Security analysis](https://blog.attify.com/content/images/2017/04/adding_to_the_UI-EDITED.png)](https://blog.attify.com/content/images/2017/04/adding_to_the_UI-EDITED.png)Adding tools to the UI for Zigbee Security analysis
The KillerBee framework consists of several tools, not all of which has been implemented in the Attify ZigBee Framework yet. Now, the Attify ZigBee framework consists of the few essential tools required in ZigBee pentesting. The remaining tools would be added in the future releases of the tool. You can know more about the tools in the KillerBee suite and their functionalities [here](https://github.com/riverloopsec/killerbee/blob/master/README.md#tools).

Getting your Hands Dirty

We believe that there’s no better way to explain how things work than demonstrating the work. This is also the methodology we use in our training classes where we teach IoT Exploitation (link).

So, for this blog post, we will demonstrate the usage of Attify ZigBee Framework by using it to hack an off the shelf IoT smart bulb.

To understand and try out the following tutorial, you will need the following setup:

Tools of the Trade:

  1. Atmel RzRaven USB Stick flashed with KillerBee – You can follow the flashing process described on the KillerBee’s GitHub repo here or buy a pre-flashed version of RzRaven ready to use here.
  2. Vulnerable IoT device
  3. VM/System with Attify ZigBee Framework installed

Once you are done setting up the tool, plug in the Atmel RzRaven USB stick into your system and fire up the tool. For this demo, we will need the following tools:

  • Zbid
  • Zbstumbler
  • Zbdump
  • Zbreplay

Select the tools mentioned above from the tool configuration menu and hit save configuration  to setup the UI for this exercise.

Finding the Atmel RZRaven USB Stick

To get started, simply plug in your RZRaven USB Stick which should be detected in the zbid tab.

The zbid tab should look like something as shown below.

[![Atmel RZRaven USB for Zigbee sniffing ](https://blog.attify.com/content/images/2017/04/connecting_rzusb-EDITED.png)](https://blog.attify.com/content/images/2017/04/connecting_rzusb-EDITED.png)Atmel RZRaven USB for Zigbee sniffing

Now that we have our RzRaven USB stick connected and detected successfully in the Attify ZigBee Framework, all we need to do is figure out the channel being used by our target device and then use that information to craft further exploits.

Finding Channel of Target Device

ZigBee uses a total of 16 channels from the 2.4 GHz band for all communication purposes. The initial goal of us as a security researcher is to identify the channel being used by our target device for its communications. This is where zbstumbler comes to use.

Zbstumbler is a network discovery tool for ZigBee based devices. The way it works is that it transmits beacon request frames and displays information about the response beacon frames if any. All of this is performed while hopping between channels every two seconds. This entire process helps us find all the various ZigBee devices on any of the 16 channels.

In case you already have an idea of the channel which the device might be using for its ZigBee communication, you can also specify that individual channel to send and receive beacon request and response frames over that single channel.

[![Identifying Zigbee channel for sniffing ](https://blog.attify.com/content/images/2017/04/Zbstumbler-channel-20.png)](https://blog.attify.com/content/images/2017/04/Zbstumbler-channel-20.png)Identifying Zigbee channel for sniffing
As you can see from the screenshot above, zbstumbler was successfully able to identify a ZigBee device on channel 20.

Dumping Zigbee Packets

Once we have successfully identified the channel, the next step is to capture the packets which are being sent and received by the device.

In case you are absolutely new to security, you must also realize that packet analysis in various cases leads us to interesting findings. However, in this case, we will take an approach of capturing the packets and then replaying the same packets to cause a change in the behaviour of the device which would be determined by the packets that we replay.

To start capturing packets using the tool zbdump, let’s go ahead and pass in the following values:

  1. Interface details – This can be obtained from zbid
  2. Channel number – Channel number which we found in the previous step using zbstumbler
  3. Count – This is the optional value simply meaning the number of packets to be captured. In this case, we will set it to sniff only 100 packets.
  4. Output file name – Destination file name where the packet capture will be stored. In this case, we will save the packets to IoTbulb.pcap .
[![Capturing and Sniffing Zigbee communication](https://blog.attify.com/content/images/2017/04/capturing_zigbee_packets-edited-.png)](https://blog.attify.com/content/images/2017/04/capturing_zigbee_packets-edited-.png)Capturing and Sniffing Zigbee communication

Now that we have all the parameters entered, as soon as we hit the start capture button, it will start saving all the traffic up to 100 packets (count in our case) to the Output file.

In our case, after pressing the Start Capture button, we will use the mobile application to switch on and off the bulb, change colors and perform other actions. We then stop the capture, and the sniffed packets would be dumped in the IoTbulb.pcap file.

Replaying Zigbee packets to Control the IoT Device

Now that we have successfully captured the packets while performing actions using the mobile application, we can replay the packets to perform what is called as a Replay attack.

All captured files get stored in the pcap directory in the Attify Zigbee Framework parent folder. The zbreplay menu allows you to choose from a list of pcap files present in the pcap directory.

Go ahead and select the pcap file that we captured in the previous step, select the appropriate channel, and pick a timing delay for the replay.

Once all that is configured, hit the replay button to start replaying the packets. As this is done, you will see the bulb performing the same actions as it was asked to do during the packet capture phase.

In our case, this action was changing colors as you can see from the video below. As a note – In this case, the IoT device has no protection against replay attacks, which makes our attacks feasible.

Replaying Zigbee packets - Killer - Attify Zigbee Framework


Replay attacks are still one of the most commonly found radio based vulnerabilities in IoT devices, but that’s just the start of the kind of vulnerabilities and exploitation you can perform.

Watch the video of the entire process below.

[embedyt] https://www.youtube.com/watch?v=uivlSdqWS48&width=770&height=433&rel=0&modestbranding=1[/embedyt]

We will be putting up more videos on Attify’s YouTube channel. Subscribe to stay updated. Feel free to register issues on the GitHub repository in case you find bugs or have any feature requests.

Any contributions to the tool whether it’s code, documentation, bug reports or feature requests would be appreciated.

You can also support us and learn IoT exploitation at the same time by taking one of our IoT Exploitation learning kits shown below.

Signing off.