Hacking Zigbee Devices with Attify Zigbee Framework


Welcome to another blog post by Attify – your source for learning pentesting for IoT devices and Mobile applications.

In this post, we are going to introduce you to the Attify ZigBee Framework – a graphical utility which we have built to help you pentest and find vulnerabilities in ZigBee based IoT and smart devices.

About Zigbee

ZigBee is one of the most common protocols used in IoT devices today. Since its arrival in 2004, ZigBee has quickly grown in popularity to become one of the go-to protocols for anything that needs automation or short-range wireless control.

ZigBee’s additional features, such as low power consumption, built-in support for mesh networking and low bandwidth usage, have further helped increase the adoption of this technology.

As of today, it is one of the most common protocols found in IoT devices, and it is used by popular products such as Samsung SmartThings and Philips Hue.

The ZigBee Alliance handles certification of ZigBee devices and maintains a list of products certified by it.

Due to a lack of awareness around ZigBee security, you will often encounter ZigBee-based devices that have no security protections at all. The impact of these vulnerabilities ranges from sniffing sensitive data in transit to taking over something like critical infrastructure.

We hope that with this post as well as other IoT security offerings (like this kit) we can reduce the security gap in IoT products and make the IoT ecosystem a safer place.

Getting started with the Attify Zigbee Framework

Attify ZigBee Framework is a GUI wrapper around the critically acclaimed tool KillerBee by RiverLoop Security.

The AZF (Attify ZigBee Framework) makes the entire process of using KillerBee much easier for anyone who is starting out in IoT / Radio security. Over time, we are planning to add more features and extend the framework to make it more efficient in identifying vulnerabilities in ZigBee communications.

The first thing you need to do to get started with the Attify ZigBee Framework is clone the GitHub repository located here – Attify ZigBee Framework GitHub Repo – and run installer.sh to set up the tool.

![image-22](https://blog.attify.com/content/images/2017/04/installer.png)

Running installer.sh

The installer script also takes care of installing the KillerBee tools and the other dependencies required to run the tool.

Setting up the Tool

To run the tool, go to the path where the repository was cloned and run python main.py to launch the Attify ZigBee Framework.

python main.py

The framework is also built so that you can customize which tools from the KillerBee tool suite you would like to see in the GUI. To do this, select the list of tools from the “Settings” menu, or alternatively use Ctrl + S to bring up the configuration menu.

[![Adding tools to the UI for Zigbee Security analysis](https://blog.attify.com/content/images/2017/04/adding_to_the_UI-EDITED.png)](https://blog.attify.com/content/images/2017/04/adding_to_the_UI-EDITED.png)

Adding tools to the UI for Zigbee Security analysis

The KillerBee framework consists of several tools, not all of which have been implemented in the Attify ZigBee Framework yet. Currently, the Attify ZigBee Framework includes the few essential tools required for ZigBee pentesting; the remaining tools will be added in future releases. You can learn more about the tools in the KillerBee suite and their functionality [here](https://github.com/riverloopsec/killerbee/blob/master/README.md#tools).

Getting your Hands Dirty

We believe that there’s no better way to explain how things work than by demonstrating them. This is also the methodology we use in our training classes where we teach IoT Exploitation (link).

So, for this blog post, we will demonstrate the usage of the Attify ZigBee Framework by using it to hack an off-the-shelf IoT smart bulb.

To understand and try out the following tutorial, you will need the following setup:

Tools of the Trade:

  1. Atmel RZRaven USB Stick flashed with KillerBee – you can follow the flashing process described in the KillerBee GitHub repo here, or buy a pre-flashed RZRaven ready to use here.
  2. Vulnerable IoT device
  3. VM/System with Attify ZigBee Framework installed

Once you are done setting up the tool, plug the Atmel RZRaven USB stick into your system and fire up the tool. For this demo, we will need the following tools:

  • Zbid
  • Zbstumbler
  • Zbdump
  • Zbreplay

Select the tools mentioned above from the tool configuration menu and hit Save Configuration to set up the UI for this exercise.

Finding the Atmel RZRaven USB Stick

To get started, simply plug in your RZRaven USB stick, which should be detected in the zbid tab.

The zbid tab should look something like the screenshot below.

[![Atmel RZRaven USB for Zigbee sniffing](https://blog.attify.com/content/images/2017/04/connecting_rzusb-EDITED.png)](https://blog.attify.com/content/images/2017/04/connecting_rzusb-EDITED.png)

Atmel RZRaven USB for Zigbee sniffing

Now that we have our RzRaven USB stick connected and detected successfully in the Attify ZigBee Framework, all we need to do is figure out the channel being used by our target device and then use that information to craft further exploits.

Finding Channel of Target Device

ZigBee uses a total of 16 channels in the 2.4 GHz band for all of its communication. Our first goal as security researchers is to identify the channel being used by our target device for its communications. This is where zbstumbler comes in.

Zbstumbler is a network discovery tool for ZigBee-based devices. It transmits beacon request frames and displays information about any beacon frames received in response, hopping between channels every two seconds. This lets us find the various ZigBee devices on any of the 16 channels.

If you already have an idea of the channel the device might be using for its ZigBee communication, you can also specify that individual channel, so that beacon requests and responses are sent and received over that single channel only.

[![Identifying Zigbee channel for sniffing](https://blog.attify.com/content/images/2017/04/Zbstumbler-channel-20.png)](https://blog.attify.com/content/images/2017/04/Zbstumbler-channel-20.png)

Identifying Zigbee channel for sniffing

As you can see from the screenshot above, zbstumbler successfully identified a ZigBee device on channel 20.
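What zbstumbler shows in that screenshot is the content of a beacon response. As an added illustration (this is not code from the post or from the KillerBee project), the Python below decodes such a beacon into the fields a scanner reports and maps a channel number to its centre frequency. It assumes an 802.15.4 beacon frame with the trailing FCS already removed, follows the 802.15.4 MAC beacon layout and the 15-byte ZigBee NWK beacon payload, and the sample frame, PAN ID and extended PAN ID are constructed for the example.

```python
import struct

# 802.15.4 frame-control field (a little-endian 16-bit word) constants
FRAME_TYPE_BEACON = 0
ADDR_MODE_NONE, ADDR_MODE_SHORT, ADDR_MODE_EXT = 0, 2, 3


def channel_to_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.15.4 channel: 2405 + 5 * (k - 11) MHz, k in 11..26."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz ZigBee channels are 11 to 26")
    return 2405 + 5 * (channel - 11)


def _parse_beacon(frame):
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    if fcf & 0x7 != FRAME_TYPE_BEACON:
        raise ValueError("not a beacon frame")
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    if dst_mode != ADDR_MODE_NONE or src_mode not in (ADDR_MODE_SHORT, ADDR_MODE_EXT):
        raise ValueError("unexpected addressing modes for a beacon")
    off = 3
    src_pan = struct.unpack_from("<H", frame, off)[0]          # source PAN identifier
    off += 2
    if src_mode == ADDR_MODE_SHORT:
        src_addr = struct.unpack_from("<H", frame, off)[0]     # 16-bit network address
        off += 2
    else:
        src_addr = struct.unpack_from("<Q", frame, off)[0]     # 64-bit IEEE address
        off += 8
    sfs = struct.unpack_from("<H", frame, off)[0]              # superframe specification
    off += 2
    gts_count = frame[off] & 0x7                               # GTS specification
    off += 1
    if gts_count:
        off += 1 + 3 * gts_count                               # GTS directions + descriptors
    pending = frame[off]                                       # pending address specification
    off += 1
    off += 2 * (pending & 0x7) + 8 * ((pending >> 4) & 0x7)
    payload = frame[off:]
    info = {
        "seq": seq,
        "src_pan": src_pan,
        "src_addr": src_addr,
        "pan_coordinator": bool(sfs & 0x4000),
        "association_permit": bool(sfs & 0x8000),
        "zigbee": None,
    }
    # The ZigBee NWK beacon payload (15 bytes, protocol ID 0x00) rides in the MAC beacon payload
    if len(payload) >= 15 and payload[0] == 0x00:
        info["zigbee"] = {
            "stack_profile": payload[1] & 0x0F,                # 1 = ZigBee, 2 = ZigBee PRO
            "protocol_version": payload[1] >> 4,
            "router_capacity": bool(payload[2] & 0x04),
            "device_depth": (payload[2] >> 3) & 0x0F,
            "end_device_capacity": bool(payload[2] & 0x80),
            "ext_pan_id": struct.unpack_from("<Q", payload, 3)[0],
            "nwk_update_id": payload[14],
        }
    return info


def parse_beacon(frame):
    """Decode an 802.15.4 beacon (FCS stripped). Raises ValueError for non-beacons or truncation."""
    try:
        return _parse_beacon(frame)
    except (IndexError, struct.error):
        raise ValueError("truncated beacon frame")


# Constructed beacon from a coordinator on PAN 0x1A62 that still permits joining.
SAMPLE_BEACON = bytes([
    0x00, 0x80,                     # FCF: beacon, no destination address, 16-bit source address
    0x5A,                           # MAC sequence number
    0x62, 0x1A,                     # source PAN ID 0x1A62
    0x00, 0x00,                     # source short address 0x0000 (coordinator)
    0xFF, 0xCF,                     # superframe spec: beaconless, PAN coordinator, association permit
    0x00,                           # GTS spec: no descriptors
    0x00,                           # pending address spec: none
    0x00,                           # ZigBee protocol ID
    0x22,                           # stack profile 2 (PRO), protocol version 2
    0x84,                           # router capacity, depth 0, end-device capacity
    0x04, 0x03, 0x02, 0x01, 0x00, 0x6F, 0x0D, 0x00,   # extended PAN ID (little-endian)
    0xFF, 0xFF, 0xFF,               # TxOffset
    0x00,                           # nwkUpdateId
])

if __name__ == "__main__":
    print("channel 20 is centred on %d MHz" % channel_to_mhz(20))
    for key, value in parse_beacon(SAMPLE_BEACON).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The association-permit flag is the field worth watching from a defender's side: a coordinator that keeps advertising it after commissioning is complete is inviting any nearby device to try to join.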

Dumping Zigbee Packets

Once we have successfully identified the channel, the next step is to capture the packets which are being sent and received by the device.

If you are completely new to security, you should also be aware that packet analysis on its own often leads to interesting findings. In this case, however, we will take the approach of capturing the packets and then replaying them to cause a change in the device’s behaviour, determined by which packets we replay.

To start capturing packets with the zbdump tool, let’s go ahead and pass in the following values:

  1. Interface details – this can be obtained from zbid.
  2. Channel number – the channel we found in the previous step using zbstumbler.
  3. Count – this optional value is simply the number of packets to capture. In this case, we will set it to sniff only 100 packets.
  4. Output file name – the destination file where the packet capture will be stored. In this case, we will save the packets to IoTbulb.pcap.

[![Capturing and Sniffing Zigbee communication](https://blog.attify.com/content/images/2017/04/capturing_zigbee_packets-edited-.png)](https://blog.attify.com/content/images/2017/04/capturing_zigbee_packets-edited-.png)

Capturing and Sniffing Zigbee communication

Now that all the parameters are entered, hitting the Start Capture button will save all traffic, up to 100 packets (our count), to the output file.

In our case, after pressing the Start Capture button, we use the mobile application to switch the bulb on and off, change colours and perform other actions. We then stop the capture, and the sniffed packets are dumped into the IoTbulb.pcap file.
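The IoTbulb.pcap file that zbdump writes is a classic pcap whose records are raw 802.15.4 frames, stored with their 2-byte FCS (link type 195). Before trusting a capture, it is worth checking that every frame's FCS is intact, because a corrupted sniff does not reproduce what the app actually sent. The Python below is an added example, not part of the post or of KillerBee: it writes a small capture in memory, reads it back, verifies each FCS and counts frame types. The frames, PAN ID and timestamps are constructed for the example.

```python
import struct

DLT_IEEE802_15_4_WITHFCS = 195   # frames carry their 2-byte FCS (what zbdump writes)
DLT_IEEE802_15_4_NOFCS = 230     # same frames with the FCS already removed
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}


def crc16_kermit(data):
    """802.15.4 FCS: CRC-16 ITU-T, polynomial 0x1021 bit-reflected (0x8408), init 0, no final XOR."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def with_fcs(frame):
    """Append the FCS least-significant byte first, as it is sent over the air."""
    return frame + struct.pack("<H", crc16_kermit(frame))


def build_pcap(records, linktype=DLT_IEEE802_15_4_WITHFCS):
    """Serialise (timestamp, raw frame) pairs as a little-endian, microsecond pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, linktype))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(blob):
    """Yield (timestamp, frame, fcs_ok) per record; fcs_ok is None when the link type has no FCS."""
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}
    if blob[:4] not in magics:
        raise ValueError("not a pcap file")
    end, ts_div = magics[blob[:4]]
    linktype = struct.unpack_from(end + "I", blob, 20)[0]     # 'network' field of the global header
    if linktype not in (DLT_IEEE802_15_4_WITHFCS, DLT_IEEE802_15_4_NOFCS):
        raise ValueError("not an 802.15.4 capture (link type %d)" % linktype)
    off = 24
    while off + 16 <= len(blob):
        sec, frac, incl_len, _orig_len = struct.unpack_from(end + "IIII", blob, off)
        off += 16
        frame = blob[off:off + incl_len]
        off += incl_len
        fcs_ok = None
        if linktype == DLT_IEEE802_15_4_WITHFCS:
            fcs_ok = len(frame) >= 2 and crc16_kermit(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]
            frame = frame[:-2]
        yield sec + frac / ts_div, frame, fcs_ok


def summarize(blob):
    """Count frames by type, setting aside any whose FCS does not verify."""
    stats = {"frames": 0, "bad_fcs": 0, "by_type": {}}
    for _ts, frame, fcs_ok in read_pcap(blob):
        stats["frames"] += 1
        if fcs_ok is False:
            stats["bad_fcs"] += 1          # corrupted on the air: not trustworthy input
            continue
        ftype = FRAME_TYPES.get(frame[0] & 0x7, "reserved")
        stats["by_type"][ftype] = stats["by_type"].get(ftype, 0) + 1
    return stats


# Constructed traffic on PAN 0x1A62: a data frame from node 0x0001 to the coordinator,
# the coordinator's acknowledgement, and a second data frame with one bit flipped after
# its FCS was computed, as an over-the-air corruption would look.
DATA_ON = bytes([0x41, 0x88, 0x10, 0x62, 0x1A, 0x00, 0x00, 0x01, 0x00]) + bytes.fromhex("0a0b0c")
ACK = bytes([0x02, 0x00, 0x10])
DATA_OFF = bytes([0x41, 0x88, 0x11, 0x62, 0x1A, 0x00, 0x00, 0x01, 0x00]) + bytes.fromhex("0a0b0e")
CORRUPTED = bytearray(with_fcs(DATA_OFF))
CORRUPTED[9] ^= 0x01                       # first payload byte damaged
SAMPLE_PCAP = build_pcap([(10.0, with_fcs(DATA_ON)), (10.001, with_fcs(ACK)), (12.5, bytes(CORRUPTED))])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

Running the block on the constructed capture reports three frames, one of which fails its FCS; the same summarize() call applied to the bytes of IoTbulb.pcap tells you whether what zbdump saw matches what the bulb heard.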

Replaying Zigbee packets to Control the IoT Device

Now that we have successfully captured the packets while performing actions from the mobile application, we can replay them to perform what is called a replay attack.

All captured files get stored in the pcap directory in the Attify Zigbee Framework parent folder. The zbreplay menu allows you to choose from a list of pcap files present in the pcap directory.

Go ahead and select the pcap file that we captured in the previous step, select the appropriate channel, and pick a timing delay for the replay.

Once all that is configured, hit the replay button to start replaying the packets. As this is done, you will see the bulb performing the same actions as it was asked to do during the packet capture phase.

In our case, this action was changing colours, as you can see from the video below. Note that in this case the IoT device has no protection against replay attacks, which is what makes our attack feasible.

Video: Replaying Zigbee packets - Killer - Attify Zigbee Framework

Replay attacks are still one of the most commonly found radio-based vulnerabilities in IoT devices, but they are just the start of the kinds of vulnerabilities and exploitation you can perform.
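The bulb accepted the replayed frames because nothing in them differs from one transmission to the next. Two defender-side views of that, as an added Python example that is not part of the post or of KillerBee: a monitor that flags frames repeated outside the MAC retransmission window in an unprotected capture, and a receiver-side frame-counter check of the kind the ZigBee network security layer applies when it is enabled (a 32-bit counter per source that must strictly increase). The capture, addresses and counter values are constructed for the example, and the 0.5 s retry window is an assumption.

```python
# Constructed capture of unprotected traffic: (seconds, source short address,
# MAC sequence number, payload as hex). Entries 4-6 are copies of entries 0, 2 and 3.
SAMPLE_CAPTURE = [
    (0.000, 0x0001, 0x10, "0a0b0c"),   # app: bulb on
    (0.012, 0x0001, 0x10, "0a0b0c"),   # MAC retry 12 ms later: same seq, legitimate
    (1.500, 0x0001, 0x11, "0a0b0d"),   # colour change
    (3.000, 0x0001, 0x12, "0a0b0e"),   # bulb off
    (60.000, 0x0001, 0x10, "0a0b0c"),  # the same three frames a minute later
    (61.500, 0x0001, 0x11, "0a0b0d"),
    (63.000, 0x0001, 0x12, "0a0b0e"),
]


def detect_replays(capture, retry_window=0.5):
    """Return indexes of frames that repeat an earlier (source, seq, payload) triple
    later than retry_window seconds after its previous appearance."""
    last_seen = {}
    flagged = []
    for i, (ts, src, seq, payload) in enumerate(capture):
        key = (src, seq, payload)
        if key in last_seen and ts - last_seen[key] > retry_window:
            flagged.append(i)
        last_seen[key] = ts
    return flagged


class FrameCounterGuard:
    """Receiver-side replay protection: one 32-bit frame counter per source that must
    strictly increase, as the ZigBee NWK security layer enforces when it is enabled."""
    MAX_COUNTER = 0xFFFFFFFF

    def __init__(self):
        self._last = {}

    def accept(self, src, counter):
        last = self._last.get(src, -1)
        if counter <= last:
            return False               # stale or replayed
        if counter == self.MAX_COUNTER:
            return False               # counter exhausted: it can never increase again
        self._last[src] = counter
        return True


# The same session as above, but with a NWK frame counter on every frame.
SECURED_CAPTURE = [
    (0x0001, 100, "on"), (0x0001, 100, "on"), (0x0001, 101, "colour"), (0x0001, 102, "off"),
    (0x0001, 100, "on"), (0x0001, 101, "colour"), (0x0001, 102, "off"),
]


def accepted_payloads(frames, guard=None):
    """Payloads a counter-checking receiver would act on, in order."""
    guard = guard or FrameCounterGuard()
    return [payload for src, counter, payload in frames if guard.accept(src, counter)]


if __name__ == "__main__":
    print("replayed frames at indexes:", detect_replays(SAMPLE_CAPTURE))
    print("acted on with frame counters:", accepted_payloads(SECURED_CAPTURE))
```

The monitor is only a heuristic for unprotected traffic: MAC sequence numbers are 8 bits, so a command the user genuinely repeats 256 frames later can collide and show up as a false positive. The frame counter has no such gap, which is why enabling network-layer security, rather than pattern matching on the air, is the fix for the bulb.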

Watch the video of the entire process below.

Video: https://www.youtube.com/watch?v=uivlSdqWS48

We will be putting up more videos on Attify’s YouTube channel. Subscribe to stay updated. Feel free to register issues on the GitHub repository in case you find bugs or have any feature requests.

Any contributions to the tool whether it’s code, documentation, bug reports or feature requests would be appreciated.

You can also support us and learn IoT exploitation at the same time by taking one of our IoT Exploitation learning kits shown below.

Signing off.


Attify Team

IoT Security and Penetration Testing
