security analysis of zigbee networks with zigator and gnu
play

Security Analysis of Zigbee Networks with Zigator and GNU Radio - PowerPoint PPT Presentation

Jul 18, 2023 •164 likes •446 views

Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague Carnegie Mellon University GNU Radio Conference 2020 Introduction The Zigbee protocol

  1. Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague Carnegie Mellon University GNU Radio Conference 2020

  2. Introduction • The Zigbee protocol enables low-rate wireless mesh networking: • It is based on the IEEE 802.15.4 standard • It is utilized by numerous smart home devices • It supports two security models: distributed and centralized Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

  3. Introduction • The Zigbee protocol enables low-rate wireless mesh networking: • It is based on the IEEE 802.15.4 standard • It is utilized by numerous smart home devices • It supports two security models: distributed and centralized • The physical security of smart home residents can be affected by the security of their Zigbee network Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

  4. Introduction • The Zigbee protocol enables low-rate wireless mesh networking: • It is based on the IEEE 802.15.4 standard • It is utilized by numerous smart home devices • It supports two security models: distributed and centralized • The physical security of smart home residents can be affected by the security of their Zigbee network • We recently studied the security consequences of the design choice to disable MAC-layer security in centralized Zigbee networks [1] [1] D.-G. Akestoridis, M. Harishankar, M. Weber, and P. Tague, “Zigator: Analyzing the security of Zigbee-enabled smart homes,” in Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) , 2020, pp. 77–88. DOI : 10.1145/3395351.3399363 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

  5. Introduction • The Zigbee protocol enables low-rate wireless mesh networking: • It is based on the IEEE 802.15.4 standard • It is utilized by numerous smart home devices • It supports two security models: distributed and centralized • The physical security of smart home residents can be affected by the security of their Zigbee network • We recently studied the security consequences of the design choice to disable MAC-layer security in centralized Zigbee networks [1] • The primary focus of this talk is on the design of our testbed [1] D.-G. Akestoridis, M. Harishankar, M. Weber, and P. Tague, “Zigator: Analyzing the security of Zigbee-enabled smart homes,” in Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) , 2020, pp. 77–88. DOI : 10.1145/3395351.3399363 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

  6. Packet Sniffing Options ATUSB (top) and RZUSBST I CK (bottom) USRP N210 with SBX daughterboard Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 3

  7. Packet Sniffing Options ATUSB (top) and RZUSBST I CK (bottom) USRP N210 with SBX daughterboard We used a USRP N210 so that we can also analyze packet jamming attacks Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 3

  8. Wireshark Profile for Zigbee Traffic Profile available at https://github.com/akestoridis/wireshark-zigbee-profile Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 4

  9. Packet Injection with GNU Radio and Scapy • We can use the gr-ieee802-15-4 [2] and gr-foo [3] modules to inject forged Zigbee packets over UDP and store captured Zigbee packets in PCAP format UHD: USRP UHD: USRP Source Sink rxin txout IEEE802.15.4 txin OQPSK PHY rxout Wireshark Connector Socket PDU File Sink GRC fl ow graphs available at https://github.com/akestoridis/grc-ieee802154 [2] B. Bloessl. (2020), gr-ieee802-15-4, [Online]. Available: https://github.com/bastibl/gr-ieee802-15-4. [3] B. Bloessl. (2020), gr-foo, [Online]. Available: https://github.com/bastibl/gr-foo. Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 5

  10. Scapy Enhancements Source: https://github.com/secdev/scapy/pull/2647 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 6

  11. Launching Attacks with an ATUSB • We modified the firmware of an ATUSB in order to enable: 1. The injection of time-critical Zigbee packets 2. The selective jamming of Zigbee packets Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 7

  12. Launching Attacks with an ATUSB • We modified the firmware of an ATUSB in order to enable: 1. The injection of time-critical Zigbee packets 2. The selective jamming of Zigbee packets • High-level description of our implementation of a selective jammer: SHR PHR MPDU Frame on Air and Interrupts RX_START Waiting for RX_START Checking Jamming Condition Transmitting Jamming Packet Waiting for RX_START FORCE_PLL_ON RX_ON . . . SLP_TR Jammer’s State and Actions Read 1 byte and then wait 32 µs to read the next byte Time Modified firmware available at https://github.com/akestoridis/atusb-attacks Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 7

  13. Packet Analysis with Zigator • Selected dependencies of Zigator: • Scapy ⇒ Parsing and forging of Zigbee packets • PyCryptodome ⇒ Implementation of the AES cipher • Scikit-learn ⇒ Training of decision tree classifiers Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 8

  14. Packet Analysis with Zigator • Selected dependencies of Zigator: • Scapy ⇒ Parsing and forging of Zigbee packets • PyCryptodome ⇒ Implementation of the AES cipher • Scikit-learn ⇒ Training of decision tree classifiers • Selected features of Zigator: • Derive preconfigured Trust Center link keys from install codes • Decrypt and verify Zigbee packets • Encrypt and authenticate Zigbee packets • Infer information from captured Zigbee packets • Inject forged packets over UDP • Launch selective jamming and spoofing attacks with an ATUSB Zigator source code available at https://github.com/akestoridis/zigator Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 8

  15. Testbed Overview Software-Defined Radio Ethernet PHY Monitoring 1 2 3 4 5 6 7 8 9 0 Zigator * # Packet Analysis USB Zigbee Network IEEE 802.15.4 USB Adapter Selective Jamming Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 9

  16. Captured I /Q Signal during an Attack 0.25 0.2 Magnitude 0.15 0.1 0.05 0 0 250 500 750 1000 1250 1500 1750 2000 2250 2500 2750 3000 Time (microseconds) Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 10

  17. CRAWDAD dataset cmu/zigbee-smarthome • We captured packets that were generated from ten commercial Zigbee devices • Our experiments lasted about 34.644 hours in total and resulted in a dataset of 571,509 valid packets • Our dataset is available to download from the CRAWDAD research data archive : • https://doi.org/10.15783/c7-nvc6-4q28 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 11

  18. Disconnecting Zigbee Devices PAN ID: 0x99aa ZR EPID: 0x1122334455667788 PAN ID: 0x99aa PAN ID: 0x99aa EPID: 0x1122334455667788 EPID: 0xfacefeedbeefcafe ZC A PAN ID: 0x99aa ZED EPID: 0x1122334455667788 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

  19. Disconnecting Zigbee Devices PAN ID: 0x99aa ZR EPID: 0x1122334455667788 1. Beacon PAN ID: 0x99aa PAN ID: 0x99aa EPID: 0x1122334455667788 EPID: 0xfacefeedbeefcafe 1. Beacon ZC A 1. Beacon PAN ID: 0x99aa ZED EPID: 0x1122334455667788 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

  20. Disconnecting Zigbee Devices PAN ID: 0x99aa ZR EPID: 0x1122334455667788 2. Network Report 1. Beacon PAN ID: 0x99aa PAN ID: 0x99aa EPID: 0x1122334455667788 EPID: 0xfacefeedbeefcafe 1. Beacon ZC A 1. Beacon PAN ID: 0x99aa ZED EPID: 0x1122334455667788 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

  21. Disconnecting Zigbee Devices PAN ID: 0x99aa ZR EPID: 0x1122334455667788 2. Network Report 3. MAC Acknowledgment 1. Beacon PAN ID: 0x99aa PAN ID: 0x99aa EPID: 0x1122334455667788 EPID: 0xfacefeedbeefcafe 1. Beacon ZC A 1. Beacon PAN ID: 0x99aa ZED EPID: 0x1122334455667788 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes Dimitrios-Georgios Akestoridis,

Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes Dimitrios-Georgios Akestoridis,

Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague Carnegie Mellon University ACM WiSec 2020 Motivation Smart home network security affects

867 views • 64 slides
Networking with Zigbee and Emergent Behavior 5XID0, Week 2 ZigBee Communication standard for

Networking with Zigbee and Emergent Behavior 5XID0, Week 2 ZigBee Communication standard for

Networking with Zigbee and Emergent Behavior 5XID0, Week 2 ZigBee Communication standard for Sensor Networks Based on the IEEE 802.15.4 standard Developed by the ZigBee Alliance, www.zigbee.org IEEE 802.15.4 & ZigBee In Context

658 views • 27 slides
ZigBee for Wireless Sensor Networks ZigBee for Wireless Sensor Networks in Space and Field

ZigBee for Wireless Sensor Networks ZigBee for Wireless Sensor Networks in Space and Field

ZigBee for Wireless Sensor Networks ZigBee for Wireless Sensor Networks in Space and Field Science in Space and Field Science Mark Foster, CSC / NASA Ames Rick Alena, NASA Ames Intelligent Systems Division Discovery and Systems Health NASA

504 views • 32 slides
Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the

Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the

Stefano Chessa Zigbee Standard for wireless sensor networks Developed and promoted by the ZigBee alliance Applications: Home automation (domotics, ambient assisted living,...) Health care Consumer electronics

1.57k views • 117 slides
ZIGBEE SMART HOMES A HACKERS OPEN HOUSE ZIGBEE SMART HOMES TOBIAS ZILLNER ABOUT ME

ZIGBEE SMART HOMES A HACKERS OPEN HOUSE ZIGBEE SMART HOMES TOBIAS ZILLNER ABOUT ME

TOBIAS ZILLNER ZIGBEE SMART HOMES A HACKERS OPEN HOUSE ZIGBEE SMART HOMES TOBIAS ZILLNER ABOUT ME Senior IS Auditor @ Cognosec in Vienna Penetration Testing, Security Audits & Consulting IoT Security Research, Playing with

601 views • 56 slides
IoTSSC - ZigBee, Wi-Fi ZigBee Low power low rate personal area networking 10-20m range -

IoTSSC - ZigBee, Wi-Fi ZigBee Low power low rate personal area networking 10-20m range -

IoTSSC - ZigBee, Wi-Fi ZigBee Low power low rate personal area networking 10-20m range - why somewhat wider range? Zigbee operates in the 868MHz band in Europe (915MHz in the US and Australia) Multiple channels in 2.4GHz band also

756 views • 28 slides
Surviving Wi-Fi Interference in Low Power ZigBee Networks Chieh-Jan Mike Liang, Nissanka Bodhi

Surviving Wi-Fi Interference in Low Power ZigBee Networks Chieh-Jan Mike Liang, Nissanka Bodhi

Surviving Wi-Fi Interference in Low Power ZigBee Networks Chieh-Jan Mike Liang, Nissanka Bodhi Priyantha, Jie Liu, Andreas Terzis, SenSys 2010 Simon Gerber simugerber@student.ethz.ch Mentor: Philipp Sommer 23.03.2011 Motivation More and

1.06k views • 47 slides
1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

1 IEEE 802.15.4 PHY IEEE 802.15.4 PHY Features Receiver Energy Detection

Structure of Presentation Introduction 8 0 2.15.4 and Zigbee IEEE 812.15.4 WPAN IEEE 802.15.4 PHY IEEE 802.15.4 MAC Zigbee Routing Layer Kevin Klues Department of Computer Science and Engineering 2 Introduction Zigbee and

863 views • 6 slides
A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer

A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer

A TVWS ZigBee Prototype Cognitive Plane Control Plane Application Protocol Plane Customer API James Jody Neel Security Propagation benefits ZigBee james.neel@crtwireless.com 32- / 64- / 128-bit encryption Alliance might enable

773 views • 24 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
IEEE 802.15.4 and Zigbee CS 687 University of Kentucky Fall 2015 Acknowledgment: Some slides

IEEE 802.15.4 and Zigbee CS 687 University of Kentucky Fall 2015 Acknowledgment: Some slides

IEEE 802.15.4 and Zigbee CS 687 University of Kentucky Fall 2015 Acknowledgment: Some slides are adapted from presentations by Bob Heile from ZigBee Alliance, Joe Dvorak from Motorola, Geir E. Oien from NTNU, and Marco Naevve from Eaton

480 views • 34 slides
Understanding the ZigBee Stack and Application Profiles Tim Gillman and Drew Gislason There are

Understanding the ZigBee Stack and Application Profiles Tim Gillman and Drew Gislason There are

Understanding the ZigBee Stack and Application Profiles Tim Gillman and Drew Gislason There are many emerging wireless standards. Some seem to overlap in the space that they occupy in the market. ZigBee fulfills a unique space in that it is short

359 views • 9 slides
Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline

Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline

Mobile Networks Module I Part 2 Securing Vehicular Networks Prof. J.-P. Hubaux 1 Outline Motivation Threat model and specific attacks Security architecture Security analysis Certificate revocation

751 views • 43 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
Creating a Simple Zigbee Communication Network using XBee ECE-480 SS13 DT2 Outline: What

Creating a Simple Zigbee Communication Network using XBee ECE-480 SS13 DT2 Outline: What

Creating a Simple Zigbee Communication Network using XBee ECE-480 SS13 DT2 Outline: What is Zigbee? Difference between XBee Products Introduce Example Project Hardware Setup Software Setup X-CTU XBee programming

744 views • 35 slides
M.Mallikarjuna Rao -200601212 V.Harish Vyas- 200601191 Presentation Outline Introduction

M.Mallikarjuna Rao -200601212 V.Harish Vyas- 200601191 Presentation Outline Introduction

M.Mallikarjuna Rao -200601212 V.Harish Vyas- 200601191 Presentation Outline Introduction What ZigBee is? What ZigBee does? The Zigbee layered Model The physical layer The MAC layer Packet Structure PHY frame

698 views • 34 slides
!"#$%&'#()*+#,*-.! +/010#+)+!*)-0! 2-((#*$3 ! 4,**)45*$!+1#*! $.-++)+!6#7%!0)-.#78 !

!"#$%&'#()*+#,*-.! +/010#+)+!*)-0! 2-((#*$3 ! 4,**)45*$!+1#*! $.-++)+!6#7%!0)-.#78 !

!"#$%&'#()*+#,*-.! +/010#+)+!*)-0! 2-((#*$3 ! 4,**)45*$!+1#*! $.-++)+!6#7%!0)-.#78 ! Patrick Charbonneau 9#()*+#,*-.!4,..-:,0-7,0+ ! Carolina Brito (Porto Alegre) Benoit Charbonneau (Waterloo) Eric Corwin (Oregon) Daan Frenkel

553 views • 19 slides
Improving Reliability of Platooning Control Messages Using Radio and Visible Light Hybrid

Improving Reliability of Platooning Control Messages Using Radio and Visible Light Hybrid

Improving Reliability of Platooning Control Messages Using Radio and Visible Light Hybrid Communication Susumu Ishihara (Shizuoka University) Vince Rabsatt, Mario Gerla (UCLA) To the direct follower Leader to followers Platooning Camera/

495 views • 22 slides
Statistical Mechanics of Jamming of frictional grains Dapeng ( Max ) Bi & Bulbul Chakraborty

Statistical Mechanics of Jamming of frictional grains Dapeng ( Max ) Bi & Bulbul Chakraborty

Statistical Mechanics of Jamming of frictional grains Dapeng ( Max ) Bi & Bulbul Chakraborty Bob Behringer & Jie Zhang, Duke University Jamming A wide variety of systems, including granular media, colloidal suspensions and molecular

713 views • 24 slides
Synthesis of Optimal Strategies Using H Y T ECH Patricia Bouyer 1 , Franck Cassez 2 , Emmanuel

Synthesis of Optimal Strategies Using H Y T ECH Patricia Bouyer 1 , Franck Cassez 2 , Emmanuel

Synthesis of Optimal Strategies Using H Y T ECH Patricia Bouyer 1 , Franck Cassez 2 , Emmanuel Fleury 3 & Kim Guldstrand Larsen 3 1 LSV, ENS-Cachan, France 2 IRCCyN, Nantes, France 3 Comp. Science. Dept., Aalborg University, Danemark Games in

1.01k views • 82 slides
Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE

Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE

From Electronic Design Automation to Automotive Design Automation Chung-Wei Lin cwlin@csie.ntu.edu.tw Assistant Professor CSIE Department National Taiwan University April 2019 Connected and Autonomous Vehicles A good application may need

616 views • 32 slides
Positioning, Navigation and Timing . a Warfighters Perspective! AVM Kym Osley AM, CSC

Positioning, Navigation and Timing . a Warfighters Perspective! AVM Kym Osley AM, CSC

Positioning, Navigation and Timing . a Warfighters Perspective! AVM Kym Osley AM, CSC , Joint Capability Group Position, Na v iga tion, a nd Tim ing a re a s essentia l a s oxy gen for our m ilita ry op era tors Briefing flow

321 views • 17 slides
Security and the Internet of Things Prashant Krishnamurthy Department of Informatics and

Security and the Internet of Things Prashant Krishnamurthy Department of Informatics and

Security and the Internet of Things Prashant Krishnamurthy Department of Informatics and Networked Systems School of Computing and Information University of Pittsburgh 1 About Faculty member in the School of Computing and Information

531 views • 27 slides
Webinar agenda Inroads to Entrepreneurship: Local strategies to support immigrant business and

Webinar agenda Inroads to Entrepreneurship: Local strategies to support immigrant business and

Webinar agenda Inroads to Entrepreneurship: Local strategies to support immigrant business and local prosperity 1. Presentation by Janet Moser, Managing Director, Immigration Services, Ignite Fredericton 2. Presentation by Reem Ali, Community

548 views • 30 slides

More recommend