1 00:00:01,050 --> 00:00:02,810 Hello, welcome back to this course.
2 00:00:03,960 --> 00:00:13,440 I will talk in this lesson about ZigBee security and exploitation. ZigBee is maintained by the ZigBee Alliance
3 00:00:13,530 --> 00:00:24,510 and based on the IEEE 802.15.4 standard for Wireless Personal Area Networks. From the ZigBee
4 00:00:24,510 --> 00:00:33,720 Alliance website, of which the slide shows a screenshot, it is possible to retrieve various technical
5 00:00:33,720 --> 00:00:36,480 in-depth material on ZigBee.
6 00:00:39,250 --> 00:00:48,280 Let's see some technical characteristics of the protocol. ZigBee uses the frequencies 2.4 GHz,
7 00:00:48,410 --> 00:00:54,990 915 MHz in the USA and 868 MHz in Europe.
8 00:00:55,540 --> 00:00:59,920 It uses 16 channels, each of 2 MHz.
9 00:01:00,400 --> 00:01:06,250 The data rate is 250 kbits per second.
10 00:01:06,610 --> 00:01:12,670 It supports network and application encryption using AES-128,
11 00:01:13,180 --> 00:01:21,190 and the communication range is between 75 and 100 meters indoors.
12 00:01:23,990 --> 00:01:32,330 The ZigBee protocol is used in numerous IoT devices to handle short-distance data transmissions.
13 00:01:32,960 --> 00:01:43,940 The slide provides a short list of such devices. IoT devices that use ZigBee are: devices for building automation
14 00:01:43,940 --> 00:01:53,060 and smart home, such as smart locks, smart lighting, smart thermostats, security systems, etc.;
15 00:01:53,510 --> 00:02:00,010 devices for smart health care, industrial control devices, etc.
16 00:02:03,980 --> 00:02:13,410 ZigBee supports full-mesh networks with hundreds of devices for each individual network.
In ZigBee, device
17 00:02:13,410 --> 00:02:15,420 operating roles are:
18 00:02:16,750 --> 00:02:18,440 ZigBee Coordinator:
19 00:02:19,180 --> 00:02:27,430 it is the most intelligent device among those available; it forms the root of a ZigBee network and can act
20 00:02:27,640 --> 00:02:30,970 as a bridge between multiple networks.
21 00:02:31,630 --> 00:02:35,660 There can be only one coordinator in each network.
22 00:02:36,130 --> 00:02:44,950 It is also capable of storing information about its network and can act as a repository for security
23 00:02:44,950 --> 00:02:53,600 keys. The coordinator stores and distributes the network keys. In a ZigBee network
24 00:02:53,620 --> 00:02:59,050 the coordinator cannot sleep and needs to be continuously powered.
25 00:03:01,290 --> 00:03:11,600 Another role is the ZigBee Router: these devices act as intermediate routers, passing data to and
26 00:03:11,600 --> 00:03:13,190 from other devices.
27 00:03:13,640 --> 00:03:22,700 In fact, there are no hardware distinctions between a ZigBee Coordinator and a Router, except that the
28 00:03:22,700 --> 00:03:30,710 coordinator is given the role of initializing the network, after which they become identical devices.
29 00:03:31,400 --> 00:03:33,600 Similar to the coordinator,
30 00:03:33,620 --> 00:03:42,710 routers also cannot sleep as long as the network is established. And the last role is the ZigBee
31 00:03:42,710 --> 00:03:51,020 End Device. End devices include only the minimum functionalities for communicating with the parent
32 00:03:51,020 --> 00:03:53,480 node, a coordinator or router.
33 00:03:53,900 --> 00:04:02,720 They cannot transmit data from other devices and therefore do not participate in the multi-hop forwarding of a message.
34 00:04:03,470 --> 00:04:12,110 They are the nodes that require the least amount of memory and therefore are often cheaper than a router
35 00:04:12,500 --> 00:04:13,820 or coordinator.
36 00:04:14,390 --> 00:04:23,960 End devices are what customers are most familiar with, like motion sensors, contact sensors and
37 00:04:23,960 --> 00:04:25,670 smart light bulbs.
38 00:04:26,240 --> 00:04:33,620 End devices must also join the network first to communicate with other devices.
39 00:04:34,190 --> 00:04:40,410 End devices can enter low-power mode and sleep to conserve power.
40 00:04:42,820 --> 00:04:51,100 The slide shows a graphic that visually represents the typical architecture of a ZigBee network, showing
41 00:04:51,100 --> 00:04:55,800 the various ZigBee devices and the roles covered in the hierarchy.
42 00:04:58,330 --> 00:05:07,340 Here, the structure of the ZigBee protocol stack is shown, from the physical layer and media access control
43 00:05:07,370 --> 00:05:15,310 layer, regulated by the IEEE standard, up to the network and security layer and the application layer,
44 00:05:15,310 --> 00:05:18,670 both defined by the ZigBee Alliance.
45 00:05:20,790 --> 00:05:30,900 Let's see some supported security measures. ZigBee uses a 128-bit AES-based encryption system.
46 00:05:31,770 --> 00:05:35,790 It uses a frame counter to counteract replay attacks.
47 00:05:36,030 --> 00:05:41,730 The receiving endpoint always checks the frame counter and ignores duplicate messages.
48 00:05:42,270 --> 00:05:44,250 ZigBee also supports frequency
49 00:05:44,250 --> 00:05:53,340 agility, that is, the network is relocated in case of a jamming attack. Concerning the network security model
50 00:05:53,360 --> 00:06:02,820 supported by ZigBee, two models are supported: a centralized security network and a distributed security
51 00:06:02,820 --> 00:06:03,400 network.
52 00:06:04,020 --> 00:06:11,910 They differ in how they admit new devices into the network and how they protect messages on the network.
53 00:06:12,600 --> 00:06:19,100 A distributed security model provides a less secure and simpler system.
54 00:06:19,500 --> 00:06:23,790 It has two device types: routers and end devices.
55 00:06:25,430 --> 00:06:33,440 Here, a router can form a distributed security network when it can't find an existing network. Each
56 00:06:33,440 --> 00:06:42,800 router can issue network keys. As more routers and devices join the network, the previous routers on
57 00:06:42,800 --> 00:06:49,880 the network send the key. To participate in distributed security networks,
58 00:06:49,880 --> 00:06:54,110 all routers and end devices must be pre-configured
59 00:06:54,120 --> 00:07:01,730 with a link key that is used to encrypt the network key when passing it from a router parent
60 00:07:02,210 --> 00:07:09,690 to a newly joined node. All the devices in the network encrypt messages with the same network key.
61 00:07:11,090 --> 00:07:15,740 A centralized security model provides higher security.
62 00:07:16,190 --> 00:07:24,710 It is also more complicated, as it includes a third device type, the Trust Center (TC), which is usually
63 00:07:24,710 --> 00:07:33,770 also the network coordinator. The Trust Center forms a centralized network, and configures and authenticates
64 00:07:33,770 --> 00:07:36,890 routers and devices to join a network.
65 00:07:38,600 --> 00:07:47,120 The Trust Center establishes a unique TC link key for each device on the network as they join, and
66 00:07:47,120 --> 00:07:51,550 link keys for each pair of devices as requested.
67 00:07:52,940 --> 00:08:01,380 The Trust Center also determines the network key. To participate in a centralized security network model,
68 00:08:01,430 --> 00:08:09,590 all entities must be pre-configured with a link key that is used to encrypt the network key when passing it
69 00:08:09,590 --> 00:08:12,860 from the TC to a newly joined entity.
70 00:08:15,540 --> 00:08:25,170 ZigBee uses two types of encryption keys: a network key of 128-bit length, which is used for broadcast
71 00:08:25,170 --> 00:08:34,620 communications, is shared among all devices (nodes), and must itself be protected by encryption when
72 00:08:34,620 --> 00:08:37,080 it is passed to the joining node;
73 00:08:37,800 --> 00:08:40,230 and link keys,
74 00:08:42,000 --> 00:08:52,940 with the same length of 128 bits, which are used for secure unicast communication; each one of the link keys
75 00:08:52,950 --> 00:08:56,790 is shared only between two devices.
76 00:09:00,170 --> 00:09:09,470 A vulnerability regarding security keys is linked to the initial phase of adding a new ZigBee device
77 00:09:09,470 --> 00:09:18,860 to a network (the pairing phase), if the ZigBee-defined pre-configured global cryptographic key is used
78 00:09:18,920 --> 00:09:20,480 to encrypt the network key.
79 00:09:21,530 --> 00:09:28,220 The slide shows the value of the ZigBee-defined pre-configured global key.
80 00:09:31,300 --> 00:09:39,520 Several security vulnerabilities of ZigBee have been discovered. For example, the slide shows details
81 00:09:39,520 --> 00:09:43,500 about a vulnerability found by Check Point researchers in the Philips
82 00:09:43,510 --> 00:09:47,920 Hue Bridge model 2.X, when not patched.
83 00:09:50,370 --> 00:09:58,950 Another vulnerability has been discovered in the ZigBee protocol implementation on Texas Instruments
84 00:09:58,950 --> 00:10:02,790 CC2538 devices.
85 00:10:05,180 --> 00:10:13,070 Here are some typical vulnerabilities found in ZigBee IoT devices that do not fully implement the security
86 00:10:13,070 --> 00:10:14,900 features of the protocol.
87 00:10:16,040 --> 00:10:26,240 They are: the insecure storage of keys, where the attacker extracts the key from the chip or from the ZigBee
88 00:10:26,240 --> 00:10:35,060 network layer; the use of the ZigBee predefined key for securing the initial key exchange.
Insecure transport
89 00:10:35,060 --> 00:10:46,820 of the key, such as plaintext transport of the key in OTA communications. The reuse of
90 00:10:46,820 --> 00:10:52,530 initialization vectors, and no key rotation applied.
91 00:10:55,500 --> 00:11:03,720 In order to check, in a vulnerability assessment of a ZigBee device, the correct use of the security features
92 00:11:03,720 --> 00:11:10,560 provided by ZigBee, it is possible to use packet sniffing and analysis tools.
93 00:11:11,400 --> 00:11:17,460 The slide shows a couple of hardware devices useful for ZigBee sniffing.
94 00:11:20,620 --> 00:11:29,890 A popular software suite for ZigBee packet capture and analysis is the KillerBee project, downloadable
95 00:11:29,890 --> 00:11:31,450 from GitHub.
96 00:11:34,040 --> 00:11:43,040 The suite includes various command-line tools, including the zbdump tool, which allows the capture
97 00:11:43,040 --> 00:11:51,560 of ZigBee data traffic packets. Some other notable tools included in the KillerBee framework are
98 00:11:52,280 --> 00:11:58,910 zbassocflood, used to crash the device with too many station connections;
99 00:11:59,420 --> 00:12:09,050 zbdsniff, used to capture ZigBee traffic and return the key if found; and zbstumbler, an active
100 00:12:09,050 --> 00:12:18,290 network discovery tool that sends beacon request frames out and returns to the user information on discovered
101 00:12:18,290 --> 00:12:19,240 devices.
102 00:12:20,630 --> 00:12:24,230 The software suite can be used with supported hardware
103 00:12:24,230 --> 00:12:28,580 devices on which the KillerBee firmware must be flashed.
104 00:12:29,330 --> 00:12:37,460 For example, ApiMote with KillerBee supports sniffing, injection and jamming functionalities.
105 00:12:40,260 --> 00:12:48,780 With the zbdump tool, it is possible to capture ZigBee traffic and save the data traffic in
106 00:12:48,780 --> 00:12:56,150 a file for subsequent inspection with a packet analyzer such as Wireshark.
107 00:12:57,930 --> 00:13:02,070 OK, thank you for your attention, bye.