ZigBee IEEE 802.15.4

1

• ZigBee IEEE 802.15.4 
• What it is
• a high-level communication protocol for WSNs and
  WPANs
• a M2M Area Network Technology for WLANs.
• Attributes
• Low power consumption, low-cost, low bitrate
• mesh networking standard supports 10-1000 meter
  range
• highly reliable
• stable against node failover
• global standards for interoperability
• Applications
• Home Automation, Building Automation, Smart
  Energy, Health and Fitness, 3D gaming,
  Telecommunications, Retail, Industrial Control.

2

• Security Architecture

Access Control Frame address validation MAC Layer Frame Integrity, Trust Center Architecture for Secure Network Admittance.
Authentication and Data Confidentiality Symmetric Key Encryption for Frames Confidentiality AES-CTR Authentication AES-CBC-MAC with 32,-64,128bit MAC Confidentiality Authentication AES -CCM with 32-,64-,128 bit MAC Supports PKI.
Frame Integrity Protection against tampering for data in transit MIC 32/64/128 bits based on AES-CBC-MAC
Sequential Freshness Prevention of Replay Attacks 4-Byte Frame Counter

• Common security concerns
• Long battery life of at least 2 years is a must
  to pass ZigBee certification. So
  resource-intensive security measures are avoided
  to keep power consumption low and limited.
• Interoperability among ZigBee profiles might
  force security slackening.
• ZigBee-based devices are essentially low-cost,
  thus lacking protection from physical attacks
  using serial interfaces such as GoodFet and
  BusPirate.

3
Golden Rules for Security in the Residential Mode

• Building blocks of ZigBee security Key
  establishment, key transport, frame protection
  and device management.
• Key management is all about secure
  initialization, installation, processing and
  storage of Network Keys and Link Keys.
• End-to-end Data Security Only a source and a
  destination
• device can decrypt a message using a combination
  of keys.
• The APS and NWK layers can both independently
  process the secure MAC frames with either
  encryption (confidentiality) or authentication,
  or both.
• The ZigBee Device Object (ZDO) manages security
  policies and security configuration for devices.

4
In the lab
A real world assessment environment Testing a
smart device model for lighting and temperature
control based on ZigBee Home Automation Profile

• Development Kits Xbee and Texas Instruments
• ZigBee Coordinator (ZC/ZTC) Xbee RF
  Module/CC2531 USB Dongle (0x0000)
• ZigBee End Device (ZED) Xbee RF Module/CC2530
  development board (0x6EC7)

- set up as a monitoring node, fitted with
temperature sensor, LED and LDR for light
sensing/emission and light intensity
measurement.

• ZigBee Router (ZR) Xbee RF Module/CC2530
  development board (0xCEBC)

5
ZigBee Logical Device Types and Functions
Node Types RFD Reduced Function Device FFD
Full Function Device

• ZigBee Coordinator (FFD, parent)
• starts the network, maintains neighbor and
  router lists.
• acts as Trust Center for secure node joining
  (authenticates new joiner).
• PAN Coordinator functions for network and
  security management.
• can update link key and network key
  periodically.
• transfers application packets.

• ZigBee Router (FFD)
• Allows devices to join the network
• Multi-hop communication

• ZigBee End Devices (RFD or FFD, child)
• battery-powered radios with short duty-cycles.
• sensor nodes for data sampling.
• can be routed using a ZigBee gateway.
• transfers application packets.

6

• ZigBee deployment flaws
• in Residential Mode
• Attack Vector
  Analysis
• Assessing insecure implementation risks

7
1. EAVESDROPPING FOR NETWORK DISCOVERY DEVICE
IDENTIFICATION
Network discovery Sniffing of the Unencrypted
MAC Header to identify configuration, node
addresses, stack profile and PAN IDs from Beacon
Responses sent to end devices by Coordinators and
Routers.
SENSOR NODE
Legitimate Beacon Request Frame (0x07)
Packet Capture
Spoofed Beacon Request Frame
COORDINATOR
Unencrypted Beacon Response Frame PAN ID, source
address, stack profile, stack version, and IEEE
address
EXPLOIT DEVICE
SNIFFED
8
2. REPLAY ATTACK OFFLINE MODE
The Frame Counter in the NWK layer drops replayed
packets. But the MAC layer is vulnerable to
replay of MAC command frames as the layer cannot
process an incoming frame counter.
SENSOR NODE
Legitimate Data Request
CAPTURED
COORDINATOR
Replay of the captured LED ON/OFF packets
excluding ACK frame on the channel. Delay of
1/10th of a second between each frame.
EXPLOIT DEVICE
9
3. DENIAL OF SERVICE (A). PACKET INJECTION IN
REAL-TIME
Effecting short-term unavailability of the
coordinators services for a legitimate device
by causing bandwidth consumption and node energy
draining.
Continuous packet injection to expend bandwidth.
Injecting a spoofed beacon request frame on a
loop with a 1-sec delay
COORDINATOR
EXPLOIT DEVICE
ZC does not respond to legitimate requests from
network nodes.
Node energy drain due to extended wake state
caused by its retransmission loop in anticipation
of response.
10
3. ASSOCIATION FLOOD IN REAL-TIME
Disengaging a legitimate device and preventing
rejoin using a syn flood attack. Some vendors
defend against this using device identity tables
to detect suspicious behavior.
Injecting a forged combination of association
request and data request on a loop with a 1-sec
delay
COORDINATOR
Continuous stream of Association Responses
Association table overflows, expending processing
memory.
EXPLOIT DEVICE
Coordinators Communication with legitimate nodes
is obstructed.
11
4. PAN ID CONFLICT ATTACK
Sabotaging the PAN Coordinators network
management by means of manipulation which is in
essence, the initiation of a persistent conflict
of PAN IDs.
Continuous sniffing of the network to collect
PAN IDs, extended PAN IDs and channel.
Coordinator senses PAN ID Conflict and realigns
network to a new PAN ID for every conflicting PAN
ID replayed.
EXPLOIT DEVICE 1
COORDINATOR
Nodes struggle to keep up with rapid PAN ID
rotation process which is triggered
repetitively. After a few seconds, communication
disintegrates.
Continuous broadcast replay of forged association
responses on the channel impersonating the PAN
Coordinator.
EXPLOIT DEVICE 2
12
OTA key provisioning vs. Pre-configured Keys
Network key is delivered in plaintext to end device - higher susceptibility to key sniffing. Keys are pre-installed by vendor in manufacture - unless keys are updated, knowledge of the default keys of the vendor can be used to make an illegitimate node (of the same vendor) join the network. - physical attacks often attempted.
Key rotation process is supported. Key rotation / revocation is not possible.
All data is initially encrypted with network key until link keys are derived. After device pairing, all data is encrypted with pre-installed link key.
Widely preferred for large scale deployments for ease of set up since employees need not handle activation procedures. Small deployments in home automation are more likely to use this method of key provisioning.

• Trust Center in the Residential Mode or Standard
  Security Mode maintains only the standard network
  keys.
• We deem it necessary for deployers to equip the
  TC host with enough resources to maintain a list
  of nodes and network policies to incorporate the
  resilience features of the High Security Mode to
  the extent possible while maintaining the
  low-cost factor.
• The OTA key provisioning mechanism must be
  bolstered by other security measures to reduce
  key sniffing/reuse
• vulnerabilities.
• Optimally leverage the AES-based security
  framework and Trust Center controls to harden the
  network ecosystem.

13
Best Practices

• Security at the MAC Layer
• MAC Layer only secures its own frames between
  neighboring nodes (no end-to-end protection as in
  APS layer)
• ACL-based node admission and Unsecured Mode are
  unreliable.
• MIC must be used to validate frame check sum and
  message sequence.

• Node Revival
• Association/Syn Floods and PAN ID Conflict
  Attacks aim at disengaging nodes and disrupting
• coordinator responses.
• Disconnected nodes are not immediately
  discernible.
• Set Node Join Time parameter to Always.

• Nonce Reuse
• Sequential message numbers (nonces) can help
  detect and prevent replay attacks.
• Nonces must always be distinct although the
  security key is same for two messages.
• Attackers can spoof messages by copying the same
  nonce used by a previous message.
• Save nonces in NVRAM so that status is preserved
  after a power failure.

• Preventing Physical Attacks
• Debuggers and key sniffers are used to extract
  encryption keys from firmware on any node.
• Existing key is usually not invalidated once a
  node is removed from the network
• this eases rogue entry into network.
• Tamper-proofing nodes and Out-of-band key loading
  via serial ports helps eliminate exposure to
  sniffing.

14

• About Us Aleph Tav Technologies is a security
  testing service provider founded in the year 2015
  and headquartered in Chennai, India. We strive to
  equip companies with knowledge and actionable
  insights to help them put up a winning fight
  against threats to information security. Our
  vision is to help people and enterprises embrace
  technology whilst being fully aware of the danger
  that it can pose to their credibility and
  business
• Our services include Ethical Hacking, Managed
  Security Services, Application Security, Network
  Security, Security Testing, Enterprise Security,
  Security for IoT, SCADA Security, Digital
  Forensics