ZigBee Wireless Security: A New Age Penetration Tester's Toolkit

Article Description

Penetration testers have been focusing on wireless technologies for over a decade now, and one protocol that can arguably be placed at the top of the list is the 802.15.4 protocol that ZigBee wireless rides on. New tools and techniques are being developed by penetration testers to validate the security and configuration of ZigBee-enabled devices. Brad Bowers takes a closer look at the ZigBee protocol, some of the attacks that have been leveraged against it, and the security tools that penetration testers can use.

Penetration Testers Toolkit

Now that we have discussed where ZigBee radios are being used and some of the attacks and tools that can be used against the devices, what can an Information Security professional do to help the organization deal with the onslaught of potential attacks against the business? The answer, like so many things in Information Security, is complicated.

The simple truth is that most Information Security Professionals are not trained to mitigate hardware-based attacks. With that said, Information Security Professionals with experience in wireless security mitigation tactics often have the building blocks to get up to speed quickly on the various attacks and defenses used with ZigBee radios.

The first thing an Information Security Professional needs is a collection of hardware and software tools that will help assess the environment and support a traditional defense-in-depth posture.

Many of the tools that have been mentioned previously in this article have assessment and defensive capabilities that will help identify problems within a ZigBee network, but there are additional ones that deserve to be mentioned. Enter the Chibi!

Chibi Can Help

The FreakLabs Chibi is an Arduino-compatible microcontroller with an integrated ZigBee radio built in. The Chibi has become very popular with penetration testers and security researchers alike.

On the surface, this network device may seem ill-suited to assessing the security of ZigBee networks, especially when you consider that it was not designed as a security tool. Those doubts fade away, however, when you take a closer look at the Chibi's capabilities and the ease with which code can be developed for it.

FreakLabs is a small organization that builds open-source hardware and software with a loose focus on security. What makes the Chibi ZigBee radios special is that the device is built on what the FreakLabs team calls FreakZ, an open-source, ZigBee-compliant protocol stack. This may seem like a trivial detail, but it's actually one of the key reasons why penetration testers and security researchers are flocking to the device.

One of the biggest challenges for researchers looking into ZigBee security is the high cost and complexity of obtaining software and API code from major semiconductor providers.

Without the software that allows interaction with commercial ZigBee radios, a researcher has limited ability to develop tools or other equipment that will run on multiple manufacturers' equipment. The FreakZ protocol stack is completely open source, and all the code is readily available. This provides a fertile ground for security researchers to develop code and to help automate their ZigBee assessments.

Chibi in Action

The Chibi radio is versatile from a security assessor's perspective. Virtually every nuance of the 802.15.4 protocol stack can be manipulated and monitored to provide a comprehensive view into the network to which it's connected.

While the Chibi provides an excellent platform for interacting with ZigBee networks and handles most of the radio's timing requirements, the majority of the magic comes from the array of tools and scripts that the security community has developed to interact with the device.

  • Scripting: Penetration testers can easily incorporate their own functionality and code into a Chibi device using the Python scripting language. Python provides a very straightforward way to interact with all aspects of the Chibi hardware, and it also acts as glue between disparate hardware and software components.

    Python scripting support also provides some cross-platform compatibility between hardware devices. As an example, the KillerBee firmware and Python scripts can be modified to work on the Chibi's hardware.

  • Packet Capturing: Nothing quite gets a Security Professional's heart pumping faster than a packet capture of an attack that has been waged against their systems. This is one area where the Chibi radio, with a bit of open source code, shows its value against even the most expensive commercial tools. The Chibi radio, with a piece of open source software called WSBridge, can perform a complete packet capture of all 802.15.4 frames on the channel it is configured to listen to.

    These packet captures can be imported directly into one's favorite packet analysis tool, such as Wireshark or tcpdump, which provides tremendous value from a security perspective! Not only is this an excellent method for troubleshooting technical issues, but it also offers Security Professionals a window into what's happening on their ZigBee networks.

    With a little bit of scripting, it is even possible to create a rudimentary Intrusion Detection System for a ZigBee network by sending captured packets into an Intrusion Detection System such as Snort.

  • Penetration Testing: From a Security Assessor's point of view, the Chibi radio has much the same capabilities as the KillerBee framework discussed earlier—with several unique advantages.

    Since the Chibi is essentially an Arduino microcontroller with a ZigBee-compliant radio embedded on it, there are many hardware additions that can easily be integrated to make the device an independent piece of equipment that doesn't require a direct connection to a computer to function.

    As an example, a Security Assessor can easily add a microSD memory card and a set of batteries to the Chibi board. With a little bit of code, the Security Assessor would then have a self-contained ZigBee packet injection or capture device that can run for several days without being connected to a computer. An example of this very setup was presented at the 2011 Defcon Security Conference.
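The packet-capture and rudimentary-IDS ideas above can be tried end to end with the following Python script. It is an added example and is not code from the article, from FreakLabs, from WSBridge or from KillerBee. It decodes the 802.15.4 MAC header of raw frames (frame control field, sequence number, PAN IDs and short or extended addresses), verifies the frame check sequence, writes the frames out as a pcap file that Wireshark decodes as 802.15.4 (libpcap link type 195), and runs three illustrative detection rules of the kind one would hand to Snort: an unencrypted data frame on a network that requires security, a beacon request (the frame an active network scanner transmits), and an association request from a node not on an allowlist. The four sample frames, the PAN ID 0x1234, the addresses and the allowlist are all constructed for the example; the rules are assumptions about local policy, not rules shipped with any product.

```python
import struct

# IEEE 802.15.4 MAC frame types, from frame-control bits 0-2
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
# MAC command identifiers carried in the first payload byte of a command frame
CMD_ASSOCIATION_REQUEST = 0x01
CMD_BEACON_REQUEST = 0x07
# libpcap link type telling Wireshark the frames are 802.15.4 with a trailing FCS
DLT_IEEE802_15_4_WITHFCS = 195


def crc16_kermit(data: bytes) -> int:
    """802.15.4 FCS: CRC-16, polynomial x^16+x^12+x^5+1, bit-reflected, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_mac_header(frame: bytes) -> dict:
    """Decode the MAC header of one raw frame (FCS included) into a dict."""
    if len(frame) < 5:  # FCF (2) + sequence number (1) + FCS (2) is the minimum
        raise ValueError("frame too short")
    fcf = struct.unpack_from("<H", frame, 0)[0]
    info = {
        "type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
        "security": bool(fcf & 0x0008),          # security-enabled bit
        "pan_compression": bool(fcf & 0x0040),
        "seq": frame[2],
        "fcs_ok": crc16_kermit(frame[:-2]) == struct.unpack_from("<H", frame, len(frame) - 2)[0],
    }
    dst_mode = (fcf >> 10) & 0x3   # 0 = absent, 2 = 16-bit short, 3 = 64-bit extended
    src_mode = (fcf >> 14) & 0x3
    pos = 3
    if dst_mode:
        info["dst_pan"] = struct.unpack_from("<H", frame, pos)[0]
        pos += 2
        width = 2 if dst_mode == 2 else 8
        info["dst"] = int.from_bytes(frame[pos:pos + width], "little")
        pos += width
    if src_mode:
        # source PAN ID is omitted when PAN ID compression is set and a destination is present
        if not (info["pan_compression"] and dst_mode):
            info["src_pan"] = struct.unpack_from("<H", frame, pos)[0]
            pos += 2
        width = 2 if src_mode == 2 else 8
        info["src"] = int.from_bytes(frame[pos:pos + width], "little")
        pos += width
    info["payload"] = frame[pos:-2]
    return info


def inspect(frames, known_nodes, require_security=True):
    """Illustrative IDS rules (assumed local policy): one alert string per hit."""
    alerts = []
    for i, raw in enumerate(frames):
        f = parse_mac_header(raw)
        src = f.get("src")
        src_txt = f"{src:#x}" if src is not None else "none"
        if not f["fcs_ok"]:
            alerts.append(f"#{i}: corrupt or malformed frame (bad FCS) seq={f['seq']}")
        elif f["type"] == "command" and f["payload"]:
            cmd = f["payload"][0]
            if cmd == CMD_BEACON_REQUEST:
                alerts.append(f"#{i}: beacon request (active network scan) seq={f['seq']}")
            elif cmd == CMD_ASSOCIATION_REQUEST and src not in known_nodes:
                alerts.append(f"#{i}: association request from unknown node {src_txt}")
        elif f["type"] == "data" and require_security and not f["security"]:
            alerts.append(f"#{i}: unencrypted data frame from {src_txt} seq={f['seq']}")
    return alerts


def build_pcap(frames, start_ts=0) -> bytes:
    """Serialise frames as a pcap file Wireshark decodes as 802.15.4 (one frame per second)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_15_4_WITHFCS)
    for i, raw in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(raw), len(raw)) + raw
    return out


def build_frame(fcf: int, seq: int, addressing: bytes, payload: bytes) -> bytes:
    """Assemble a constructed frame: FCF, sequence number, addressing, payload, valid FCS."""
    body = struct.pack("<HB", fcf, seq) + addressing + payload
    return body + struct.pack("<H", crc16_kermit(body))


# Constructed sample traffic on PAN 0x1234 (not a real capture): an encrypted data frame,
# the same frame with the security bit cleared, a beacon request, and an association
# request from a 64-bit address that is not on the allowlist.
SAMPLE_FRAMES = [
    build_frame(0x8869, 0x10, struct.pack("<HHH", 0x1234, 0x0000, 0xABCD), b"\x48\x02\x00\x00\x01"),
    build_frame(0x8861, 0x11, struct.pack("<HHH", 0x1234, 0x0000, 0xABCD), b"\x41\x88\x01"),
    build_frame(0x0803, 0x01, struct.pack("<HH", 0xFFFF, 0xFFFF), bytes([CMD_BEACON_REQUEST])),
    build_frame(0xC823, 0x02, struct.pack("<HHHQ", 0x1234, 0x0000, 0xFFFF, 0x0011223344556677),
                bytes([CMD_ASSOCIATION_REQUEST, 0x8E])),
]
KNOWN_NODES = {0xABCD}   # constructed allowlist of nodes permitted to join

if __name__ == "__main__":
    with open("zigbee_sample.pcap", "wb") as fh:   # open this file in Wireshark
        fh.write(build_pcap(SAMPLE_FRAMES))
    for line in inspect(SAMPLE_FRAMES, KNOWN_NODES):
        print(line)
```

Running the script writes zigbee_sample.pcap and prints three alerts (frames 1, 2 and 3); frame 0 passes because it is encrypted and from a known node. In a real deployment the frame list would come from a WSBridge or KillerBee capture rather than the constructed samples, and the FCS check matters there because a sniffer hears corrupted frames that the target radio silently drops.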

Another advantage for Security Assessors is the ability to craft and transmit malformed or exotic packets to devices on a ZigBee network. Since ZigBee has minimal session state and error checking, such packets could cause nodes to respond inappropriately, perform an unintended function, or even crash, requiring physical intervention to fix the issue. Security Assessors can use tools like the Chibi to identify these potential security concerns and help organizations proactively mitigate the risk or impact of attacks against their ZigBee networks.
