Security Analysis of Zigbee Networks with Zigator and GNU Radio - - PowerPoint PPT Presentation

security analysis of zigbee networks with zigator and gnu
SMART_READER_LITE
LIVE PREVIEW

Security Analysis of Zigbee Networks with Zigator and GNU Radio - - PowerPoint PPT Presentation

Jul 18, 2023 164 likes •447 views

Security Analysis of Zigbee Networks with Zigator and GNU Radio Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague Carnegie Mellon University GNU Radio Conference 2020 Introduction The Zigbee protocol

slide-1
SLIDE 1

Security Analysis of Zigbee Networks with Zigator and GNU Radio

Dimitrios-Georgios Akestoridis, Madhumitha Harishankar, Michael Weber, and Patrick Tague

Carnegie Mellon University

GNU Radio Conference 2020

slide-2
SLIDE 2

Introduction

  • The Zigbee protocol enables low-rate wireless mesh networking:
  • It is based on the IEEE 802.15.4 standard
  • It is utilized by numerous smart home devices
  • It supports two security models: distributed and centralized

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

slide-3
SLIDE 3

Introduction

  • The Zigbee protocol enables low-rate wireless mesh networking:
  • It is based on the IEEE 802.15.4 standard
  • It is utilized by numerous smart home devices
  • It supports two security models: distributed and centralized
  • The physical security of smart home residents can be affected by the

security of their Zigbee network

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

slide-4
SLIDE 4

Introduction

  • The Zigbee protocol enables low-rate wireless mesh networking:
  • It is based on the IEEE 802.15.4 standard
  • It is utilized by numerous smart home devices
  • It supports two security models: distributed and centralized
  • The physical security of smart home residents can be affected by the

security of their Zigbee network

  • We recently studied the security consequences of the design choice to

disable MAC-layer security in centralized Zigbee networks[1]

[1] D.-G. Akestoridis, M. Harishankar, M. Weber, and P. Tague, “Zigator: Analyzing the security of Zigbee-enabled smart homes,” in Proceedings of the 13th ACM

Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2020, pp. 77–88. DOI: 10.1145/3395351.3399363 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

slide-5
SLIDE 5

Introduction

  • The Zigbee protocol enables low-rate wireless mesh networking:
  • It is based on the IEEE 802.15.4 standard
  • It is utilized by numerous smart home devices
  • It supports two security models: distributed and centralized
  • The physical security of smart home residents can be affected by the

security of their Zigbee network

  • We recently studied the security consequences of the design choice to

disable MAC-layer security in centralized Zigbee networks[1]

  • The primary focus of this talk is on the design of our testbed

[1] D.-G. Akestoridis, M. Harishankar, M. Weber, and P. Tague, “Zigator: Analyzing the security of Zigbee-enabled smart homes,” in Proceedings of the 13th ACM

Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2020, pp. 77–88. DOI: 10.1145/3395351.3399363 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 2

slide-6
SLIDE 6

Packet Sniffing Options

ATUSB (top) and RZUSBSTICK (bottom) USRP N210 with SBX daughterboard Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 3

slide-7
SLIDE 7

Packet Sniffing Options

ATUSB (top) and RZUSBSTICK (bottom) USRP N210 with SBX daughterboard

We used a USRP N210 so that we can also analyze packet jamming attacks

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 3

slide-8
SLIDE 8

Wireshark Profile for Zigbee Traffic

Profile available at https://github.com/akestoridis/wireshark-zigbee-profile

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 4

slide-9
SLIDE 9

Packet Injection with GNU Radio and Scapy

  • We can use the gr-ieee802-15-4[2] and gr-foo[3] modules to inject forged

Zigbee packets over UDP and store captured Zigbee packets in PCAP format

UHD: USRP Source IEEE802.15.4 OQPSK PHY rxin txin txout rxout UHD: USRP Sink Socket PDU Wireshark Connector File Sink

GRC flow graphs available at https://github.com/akestoridis/grc-ieee802154

[2] B. Bloessl. (2020), gr-ieee802-15-4, [Online]. Available: https://github.com/bastibl/gr-ieee802-15-4. [3] B. Bloessl. (2020), gr-foo, [Online]. Available: https://github.com/bastibl/gr-foo.

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 5

slide-10
SLIDE 10

Scapy Enhancements

Source: https://github.com/secdev/scapy/pull/2647

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 6

slide-11
SLIDE 11

Launching Attacks with an ATUSB

  • We modified the firmware of an ATUSB in order to enable:
  • 1. The injection of time-critical Zigbee packets
  • 2. The selective jamming of Zigbee packets

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 7

slide-12
SLIDE 12

Launching Attacks with an ATUSB

  • We modified the firmware of an ATUSB in order to enable:
  • 1. The injection of time-critical Zigbee packets
  • 2. The selective jamming of Zigbee packets
  • High-level description of our implementation of a selective jammer:

Frame on Air and Interrupts Jammer’s State and Actions

SHR PHR

RX_START

MPDU

Waiting for RX_START Checking Jamming Condition

. . .

Read 1 byte and then wait 32 µs to read the next byte FORCE_PLL_ON SLP_TR Transmitting Jamming Packet RX_ON Waiting for RX_START

Time

Modified firmware available at https://github.com/akestoridis/atusb-attacks

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 7

slide-13
SLIDE 13

Packet Analysis with Zigator

  • Selected dependencies of Zigator:
  • Scapy ⇒ Parsing and forging of Zigbee packets
  • PyCryptodome ⇒ Implementation of the AES cipher
  • Scikit-learn ⇒ Training of decision tree classifiers

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 8

slide-14
SLIDE 14

Packet Analysis with Zigator

  • Selected dependencies of Zigator:
  • Scapy ⇒ Parsing and forging of Zigbee packets
  • PyCryptodome ⇒ Implementation of the AES cipher
  • Scikit-learn ⇒ Training of decision tree classifiers
  • Selected features of Zigator:
  • Derive preconfigured Trust Center link keys from install codes
  • Decrypt and verify Zigbee packets
  • Encrypt and authenticate Zigbee packets
  • Infer information from captured Zigbee packets
  • Inject forged packets over UDP
  • Launch selective jamming and spoofing attacks with an ATUSB

Zigator source code available at https://github.com/akestoridis/zigator

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 8

slide-15
SLIDE 15

Testbed Overview

Zigbee Network Ethernet USB

Zigator

Packet Analysis Software-Defined Radio PHY Monitoring IEEE 802.15.4 USB Adapter Selective Jamming

1 2 3 4 5 6 7 8 9 * #

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 9

slide-16
SLIDE 16

Captured I/Q Signal during an Attack

0.05 0.1 0.15 0.2 0.25 250 500 750 1000 1250 1500 1750 2000 2250 2500 2750 3000

Magnitude Time (microseconds)

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 10

slide-17
SLIDE 17

CRAWDAD dataset cmu/zigbee-smarthome

  • We captured packets that were generated

from ten commercial Zigbee devices

  • Our experiments lasted about 34.644

hours in total and resulted in a dataset of 571,509 valid packets

  • Our dataset is available to download from

the CRAWDAD research data archive:

  • https://doi.org/10.15783/c7-nvc6-4q28

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 11

slide-18
SLIDE 18

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-19
SLIDE 19

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe

  • 1. Beacon
  • 1. Beacon
  • 1. Beacon

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-20
SLIDE 20

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe

  • 1. Beacon
  • 1. Beacon
  • 1. Beacon
  • 2. Network Report

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-21
SLIDE 21

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe

  • 1. Beacon
  • 1. Beacon
  • 1. Beacon
  • 2. Network Report
  • 3. MAC Acknowledgment

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-22
SLIDE 22

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe

  • 1. Beacon
  • 1. Beacon
  • 1. Beacon
  • 2. Network Report
  • 3. MAC Acknowledgment
  • 4. Network Update
  • 4. Network Update

4 . J a m m i n g S i g n a l 4 . J a m m i n g S i g n a l

✖ ✖

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-23
SLIDE 23

Disconnecting Zigbee Devices

ZC ZR ZED

PAN ID: 0xbbcc EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788 PAN ID: 0x99aa EPID: 0x1122334455667788

A

PAN ID: 0x99aa EPID: 0xfacefeedbeefcafe

  • 1. Beacon
  • 1. Beacon
  • 1. Beacon
  • 2. Network Report
  • 3. MAC Acknowledgment
  • 4. Network Update
  • 4. Network Update

4 . J a m m i n g S i g n a l 4 . J a m m i n g S i g n a l

✖ ✖

  • 5. PAN ID Change

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 12

slide-24
SLIDE 24

Summary of Findings and Developments

  • Options for keeping Zigbee devices disconnected:
  • Spoofing of MAC acknowledgments
  • Selective jamming of Rejoin Response commands
  • Selective jamming of beacons

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 13

slide-25
SLIDE 25

Summary of Findings and Developments

  • Options for keeping Zigbee devices disconnected:
  • Spoofing of MAC acknowledgments
  • Selective jamming of Rejoin Response commands
  • Selective jamming of beacons
  • We observed that some Zigbee Routers either did not initiate or significantly

delayed the rejoin process when Network Update commands are jammed:

  • Our SmartThings Smart Bulb did not initiate that process within 38 hours
  • Our Centralite 3-Series Smart Outlet delayed that process for about 25 minutes

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 13

slide-26
SLIDE 26

Summary of Findings and Developments

  • Options for keeping Zigbee devices disconnected:
  • Spoofing of MAC acknowledgments
  • Selective jamming of Rejoin Response commands
  • Selective jamming of beacons
  • We observed that some Zigbee Routers either did not initiate or significantly

delayed the rejoin process when Network Update commands are jammed:

  • Our SmartThings Smart Bulb did not initiate that process within 38 hours
  • Our Centralite 3-Series Smart Outlet delayed that process for about 25 minutes
  • We responsibly disclosed our findings to the Zigbee Alliance:
  • Specification changes will prevent malicious PAN ID changes
  • The firmware of SmartThings hubs was modified to ignore PAN ID conflicts[4]

[4] SmartThings Community. (2020), Hub firmware release notes - 0.31.4, [Online]. Available: https://community.smartthings.com/t/hub-firmware-release-notes-0-

31-4/197941 Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 13

slide-27
SLIDE 27

Conclusion

  • Our testbed design enables in-depth security analysis of Zigbee networks:
  • Packet Sniffing

= ⇒ Software-Defined Radio

  • Packet Injection

= ⇒ Software-Defined Radio and IEEE 802.15.4 USB Adapter

  • Packet Jamming

= ⇒ IEEE 802.15.4 USB Adapter

  • Packet Analysis

= ⇒ Zigator

  • Additional resources:
  • http://mews.sv.cmu.edu/research/zigator/
  • Questions?
  • {akestoridis, mharisha, mikex, tague}@cmu.edu

Akestoridis et al. Security Analysis of Zigbee Networks with Zigator and GNU Radio GNU Radio Conference 2020 14