If you are an information security professional, your spidey senses are probably tingling[md]and frankly they should! It doesn't take a lot of imagination to think about how these real-life implementations of ZigBee radios could be used by malicious actors to cause life-threatening events or significant harm to individuals or our infrastructure.
At first glance, this may seems like your traditional Fear, Uncertainty, or Doubt (FUD) about the risks associated with ZigBee radios. When you consider some of the actual attacks that have been leveraged against real organizations, however, you start to get an eye-raising dose of reality.
Attacks against ZigBee
ZigBee wireless attacks and security has attracted a lot of interest by government- and industry-security professionals as well as the hacker community. Each is looking at the security capabilities of the 802.15.4 protocol as well as how manufacturers are implementing the ZigBee radios into products and equipment. Often it is the "implementations" part of the equation that is causing most of the security risks. This is clearly evident in the types of attacks used against the devices.
ZigBee and the 802.15.4 framework it rides on were designed with security in mind, but as we have all learned, security is only effective if it's implemented properly. While there are numerous types of attacks that have been successfully leveraged against ZigBee devices, they generally fall into three categories: physical attacks, key attacks, and replay and injection attacks.
If a knowledgeable attacker can gain physical access to a device containing a ZigBee radio, chances are good that they can compromise it. What makes physical attacks so effective is being able to interact physically with the device to obtain an encryption key used by the target ZigBee network. Many ZigBee radios use a hard-coded encryption key that is loaded in RAM memory when the device is powered.
Since these keys are typically written (flashed) on all the devices in a ZigBee network, it's highly unlikely that the keys will ever be changed. Knowing this, attackers can utilize special serial interfaces on the ZigBee device to attempt to capture the encryption keys as those keys are moved from flash to RAM during power up.
The Bus Pirate and GoodFet interface boards provide support of numerous industry standard serial protocols, including 1-wire, JTAG, SPI, and asynchronous serial. Once physically connected to a ZigBee device through a simple serial interface such as a Bus Pirate, an attacker can unravel the security of an entire ZigBee network and potentially intercept and alter data.
Other forms of key attacks are possible by utilizing remote means to obtain encryption keys. ZigBee radios often use one of two encryption key methodologies to ensure that devices have the appropriate keys to talk to each other. These methodologies are known as pre-shared keying and Over the Air (OTA) key delivery. Larger, more sophisticated ZigBee networks will typically utilize OTA for security and ease of updating.
Did I say "for security"? Unfortunately, this methodology can be attacked by having a device that mimics a node on the ZigBee network and collects the network's wireless transmissions. The collected packets can be further analyzed or potentially decrypted using free and open-source equipment.
Since there is minimal session checking built into the 802.15.4 protocol and currently no intrusion-detection capabilities, this type of attack is nearly impossible to detect.
One toolset that is very effective for this type of key analysis is called the KillerBee framework, which was created by Joshua Wright, a noted wireless security expert, and has been made freely available to everyone. KillerBee is really a suite of hardware and software tools that allow sophisticated interception, analysis, and even transmission of 802.15.4 packets. The software included in KillerBee is a collection of Python scripts that are easily modified and can be built upon to create even more capabilities and interaction with ZigBee radios. The hardware portion of the framework requires a specially programmed ZigBee radio, but don't let that fool you into thinking they are hard to obtain.
While several low-cost ZigBee radios are supported, the recommended device of choice is the RZ Raven AVR, which can be obtained online for approximately $40. This puts the hardware and programs well within the reach of security researchers and malicious hackers alike.
An attacker using a combination of hardware- and software-based tools to perform their illicit actions has the obvious advantage of not needing to physically connect to the device to perform an attack. This makes it extremely unlikely that the attack will be discovered and even less likely that the attacker will be caught. To make matters worse, an attacker could use specially crafted high-powered transmitters or special Yagi antennas so the attacker could potentially be a great distance away from the devices they attempting to compromise.
Replay and Injection Attacks
One final type of attack we'll discuss can utilize key-based attacks blended with packet replay and/or injection attacks to trick the ZigBee device into performing unauthorized actions. ZigBee radios are susceptible to these types of attacks because of the lightweight design of the protocol, which has very minimal replay protection. A simple scenario will help drive the point home.
Bob, our malicious user, uses a ZigBee radio that is collecting packets transmitted from a target ZigBee network. While Bob may not be able to decode the packets per se, he knows enough about the system to know that the target node controls the water flow for a cooling system.
All Bob has to do in this case is to replay the captured packets back to other nodes on the ZigBee network mimicking the originating node. Since there is minimal session checking performed by the ZigBee radios, the network will think the traffic is legitimate and respond as if the commands came from a valid node. A spinoff of this type of attack was used at the 7th annual Mid-Atlantic Collegiate Cyber Defense Challenge. A more comprehensive write up of the event can be found here in the articles of InformIT.