ZIGBEE SMART HOMES: A HACKER'S OPEN HOUSE - TOBIAS ZILLNER - PowerPoint PPT Presentation


  1. TOBIAS ZILLNER ZIGBEE SMART HOMES A HACKER’S OPEN HOUSE

  2. ZIGBEE SMART HOMES TOBIAS ZILLNER ABOUT ME • Senior IS Auditor @ Cognosec in Vienna • Penetration Testing, Security Audits & Consulting • IoT Security Research, Playing with SDR • Owner of a ZigBee based home automation system :D 2

  3. ZIGBEE SMART HOMES AGENDA • Introduction • ZigBee Security Measures - The good • ZigBee Application Profiles - The bad • ZigBee Implementations - The ugly • Demonstration • Summary 3

  4. ZIGBEE SMART HOMES WHAT IT’S ALL ABOUT

  5. ZIGBEE SMART HOMES ZigBee: based on IEEE 802.15.4; low-cost, low-power, two-way, reliable wireless 5

  6. ZIGBEE SMART HOMES ZigBee Application Domains: Health Care, Home Automation, Smart Energy, Building Automation, Retail Services, Remote Control, Telecom Services 6

  7. ZIGBEE SMART HOMES http://www.zigbee.org/zigbee-in-space-xbee-rf-modules-launched-by-nasa/ 7

  8. ZIGBEE SMART HOMES 8

  9. ZIGBEE SMART HOMES WHY IS IT IMPORTANT? [Chart: Number of IoT devices, from 0.9 billion in 2009 to 26 billion in 2020 (2)] • Trend is wireless connections • Samsung CEO BK Yoon: “Every Samsung device will be part of IoT till 2019” (3) • Over 500 smart devices per household in 2022 (1) 1 http://www.gartner.com/newsroom/id/2839717 2 http://www.gartner.com/newsroom/id/2636073 3 http://www.heise.de/newsticker/meldung/CES-Internet-der-Dinge-komfortabel-vernetzt-2512856.html 9

  10. ZIGBEE SMART HOMES https://www.praetorian.com/iotmap/ 10

  11. ZIGBEE SMART HOMES https://www.praetorian.com/iotmap/ 11

  12. ZIGBEE SMART HOMES 12

  13. ZIGBEE SMART HOMES 13

  14. ZIGBEE SMART HOMES WHY SECURITY? • Home automation has high privacy requirements • Huge source of personalized data "Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters - all connected to the next-generation internet" (1) - Former CIA Director David Petraeus 14

  15. ZIGBEE SMART HOMES ZIGBEE SECURITY MEASURES

  16. ZIGBEE SMART HOMES ZIGBEE SECURITY MEASURES Security Measures: Symmetric Encryption - AES-CCM*, 128 bit | Message Authentication and Integrity Protection - MIC, 0 - 128 bit | Replay Protection - Frame Counter, 4 Byte 16

  17. ZIGBEE SMART HOMES OFFICIAL STATEMENT "To avoid 'bugs' that an attacker can use to his advantage, it is crucial that security be well implemented and tested. […] Security services should be implemented and tested by security experts […]." (ZigBee Alliance 2008, p. 494) 17

  18. ZIGBEE SMART HOMES ZIGBEE SECURITY • One security level per network • Security based on encryption keys • Network Key: Used for broadcast communication, Shared among all devices • Link Key: Used for secure unicast communication, Shared only between two devices 18

  19. ZIGBEE SMART HOMES SECURITY ARCHITECTURE Trust in the security ultimately reduces to: • Trust in the secure initialization of keying material • Trust in the secure installation of keying material • Trust in the secure processing of keying material • Trust in the secure storage of keying material 19

  20. ZIGBEE SMART HOMES HOW ARE KEYS EXCHANGED? Preinstalled (devices) • Out of band recommended | Key Transport | Key Establishment • Derived from other keys • Also requires preinstalled keys 20

  21. ZIGBEE SMART HOMES ZIGBEE APPLICATION PROFILES

  22. ZIGBEE SMART HOMES APPLICATION PROFILES Define communication between devices • Agreements for messages • Message formats • Processing actions Enable applications to • Send commands • Request data • Process commands • Process requests Startup Attribute Sets (SAS) provide interoperability and compatibility 22

  23. ZIGBEE SMART HOMES HOME AUTOMATION PROFILE Default Trust Center Link Key • 0x5A 0x69 0x67 0x42 0x65 0x65 0x41 0x6C 0x6C 0x69 0x61 0x6E 0x63 0x65 0x30 0x39 • ZigBeeAlliance09 Use Default Link Key Join • 0x01(True) • This flag enables the use of default link key join as a fallback case at startup time. 23

  24. ZIGBEE SMART HOMES LIGHT LINK PROFILE • Devices in a ZLL shall use ZigBee network layer security. • “The ZLL security architecture is based on using a fixed secret key, known as the ZLL key, which shall be stored in each ZLL device. All ZLL devices use the ZLL key to encrypt/decrypt the exchanged network key. “ • “It will be distributed only to certified manufacturers and is bound with a safekeeping contract“ 24

  25. ZIGBEE SMART HOMES LIGHT LINK PROFILE 25

  26. ZIGBEE SMART HOMES LIGHT LINK nwkAllFresh • False • Do not check frame counter Use insecure join • True • Use insecure join as a fallback option. Trust center link key • 0x5a 0x69 0x67 0x42 0x65 0x65 0x41 0x6c 0x6c 0x69 0x61 0x6e 0x63 0x65 0x30 0x39 • Default key for communicating with a trust center 26
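The nwkAllFresh attribute on the slide above is the switch for the frame-counter replay check listed under the security measures. The following is an added example for this page, not code from the talk or from any ZigBee stack: it models the receive-side check on the 4-byte NWK frame counter and shows what a receiver does with a captured frame when the check is disabled. The IEEE addresses and counter values are constructed.

```python
"""Receive-side replay protection via the ZigBee NWK frame counter (added example)."""
from dataclasses import dataclass, field

FRAME_COUNTER_MAX = 0xFFFFFFFF   # the counter is 4 bytes wide


@dataclass
class IncomingFrameCounters:
    """Per-source high-water mark of accepted frame counters.

    nwk_all_fresh mirrors the NIB attribute: True enforces the check,
    False (the Light Link default above) skips it entirely.
    """
    nwk_all_fresh: bool = True
    last_seen: dict = field(default_factory=dict)   # src IEEE -> highest accepted counter

    def accept(self, src_ieee: int, frame_counter: int) -> bool:
        """Return True if the frame may be processed, False if it must be dropped."""
        if not 0 <= frame_counter <= FRAME_COUNTER_MAX:
            raise ValueError("frame counter does not fit in 4 bytes")
        if not self.nwk_all_fresh:
            # Counter ignored: a frame captured earlier (still correctly
            # encrypted and MIC'd under the network key) is accepted again.
            return True
        prev = self.last_seen.get(src_ieee)
        if prev is not None and frame_counter <= prev:
            return False                              # replayed or stale frame
        if frame_counter == FRAME_COUNTER_MAX:
            return False                              # counter exhausted; key must be rotated
        self.last_seen[src_ieee] = frame_counter
        return True


def replay_scenario(nwk_all_fresh: bool) -> list:
    """Feed a constructed capture to a receiver and report accept/drop per frame.

    Frames 2 and 3 are the same frame sent twice (a replayed command),
    frame 4 is an older frame, frame 5 is the first frame from another node.
    """
    rx = IncomingFrameCounters(nwk_all_fresh=nwk_all_fresh)
    bulb = 0x00124B0001A2B3C4      # constructed IEEE address
    remote = 0x00124B00000000AA    # constructed IEEE address
    captured = [
        (bulb, 0x0000002A),
        (bulb, 0x0000002B),
        (bulb, 0x0000002B),   # replay of the previous frame
        (bulb, 0x00000010),   # older frame
        (remote, 0x00000001),
    ]
    return [rx.accept(src, fc) for src, fc in captured]


if __name__ == "__main__":
    print("nwkAllFresh=True :", replay_scenario(True))    # replay and stale frame dropped
    print("nwkAllFresh=False:", replay_scenario(False))   # everything accepted
```

With the check enabled the replayed and the stale frame are dropped; with nwkAllFresh set to False every captured frame is accepted, so an attacker who has recorded a command frame can resend it without ever knowing the network key.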

  27. ZIGBEE SMART HOMES APPLICATION PROFILES SUMMARY • HA Profile requires support of known encryption key as fallback • ZLL Profile uses “secret” key for protecting key exchanges 27

  28. ZIGBEE EXPLOITED ZIGBEE IMPLEMENTATIONS

  29. ZIGBEE SMART HOMES REQUEST KEY SERVICE "The request-key service provides a secure means for a device to request the active network key, or an end-to-end application master key, from another device" (ZigBee Alliance 2008, p. 425) 29

  30. ZIGBEE SMART HOMES ZBOSS /** Remote device asked us for key. Application keys are not implemented. Send current network key. Not sure: send unsecured? What is meaning of that command?? Maybe, idea is that we can accept "previous" nwk key? Or encrypt by it? */ 30

  31. ZIGBEE SMART HOMES ZBOSS /* Initiate unsecured key transfer. Not sure it is right, but I really have no ideas about request meaning of key for network key. */ 31

  32. ZIGBEE SMART HOMES TESTED DEVICES • Door Lock • Smart Home System • Lighting Solutions 32

  33. ZIGBEE SMART HOMES RESULTS • ALL tested systems only use the default TC Link Key for securing the initial key exchange • No link keys are used or supported - Complete compromise after getting network key • No ZigBee security configuration possibilities available • No key rotation applied • Test period of 14 months 33

  34. ZIGBEE SMART HOMES RESULTS • Device reset often difficult - Removal of key material not guaranteed - One device does not support reset at all • Light bulbs do not require physical interaction for pairing • Workarounds like reduced transmission power are used to prevent pairing problems - Devices have to be in very close proximity for pairing 34

  35. ZIGBEE EXPLOITED DEMONSTRATION

  36. ZIGBEE EXPLOITED SECBEE ZigBee security testing tool Target audience • Security testers • Developers Based on scapy-radio, µracoli and killerbee [Hardware: USRP B210, Raspbee] https://github.com/Cognosec/SecBee

  37. ZIGBEE EXPLOITED SECBEE Provides features for testing of security services as well as weak security configuration and implementation • Support of encrypted communication • Join to network • Command injection • Test security services • Scan for weak key transport • Reset to factory [Hardware: USRP B210, Raspbee]

  38. ZIGBEE SMART HOMES [Diagram] DIRECT: Coordinator → End device: DATA; End device → Coordinator: ACK. INDIRECT: End device → Coordinator: Data request; Coordinator → End device: ACK, then DATA within a timeframe < 0.8 ms; End device → Coordinator: ACK 38

  39. ZIGBEE SMART HOMES DEMONSTRATION - KEY EXTRACTION

  40. ZIGBEE SMART HOMES NETWORK KEY SNIFFING • Fallback key exchange insecure • Most vendors only implement fallback solution • Same security level as plaintext exchange 40
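The two cases the slides describe, a network key transported without APS security (the ZBOSS request-key handling quoted above) and a network key transported under the well-known default TC link key (the fallback on this slide), can be told apart from the frame headers alone. The following is an added example for this page, not SecBee, killerbee or any stack's code: it walks a captured 802.15.4 data frame through the NWK and APS headers and classifies how an APS Transport-Key command (command ID 0x05, key type 0x01 = standard network key) was protected. The sample frame, its addresses, counters and key bytes are constructed; only the header layouts handled in the code are supported (short MAC addresses with PAN ID compression, no NWK source routing, no APS extended header), and the APS-secured case is recognised, not decrypted.

```python
"""Classify how a ZigBee Transport-Key command was protected on the air (added example)."""
import struct

APS_CMD_TRANSPORT_KEY = 0x05
KEY_TYPE_STANDARD_NWK = 0x01
DEFAULT_TC_LINK_KEY = b"ZigBeeAlliance09"   # 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39
KEY_ID_NAMES = {0: "link key", 1: "network key", 2: "key-transport key", 3: "key-load key"}


def build_transport_key_frame(nwk_key: bytes, aps_secured: bool) -> bytes:
    """Constructed capture of a trust center handing the network key to a joining device."""
    assert len(nwk_key) == 16
    # MAC: FCF 0x8841 (data frame, PAN ID compression, short dst/src), seq, PAN ID, dst, src
    mac = struct.pack("<HBHHH", 0x8841, 0x10, 0x1A62, 0x9A3C, 0x0000)
    # NWK: FCF 0x0008 (data, protocol v2, NWK security off as during a join), dst, src, radius, seq
    nwk = struct.pack("<HHHBB", 0x0008, 0x9A3C, 0x0000, 30, 0x77)
    # APS command payload: command ID, key type, key, key sequence number, dst IEEE, src IEEE
    payload = struct.pack("<BB16sBQQ", APS_CMD_TRANSPORT_KEY, KEY_TYPE_STANDARD_NWK,
                          nwk_key, 0, 0x00124B0001A2B3C4, 0x00124B00000000AA)
    aps_fc = 0x01 | (0x20 if aps_secured else 0x00)   # APS command frame; bit 5 = security
    aps = struct.pack("<BB", aps_fc, 0x3C)            # frame control, APS counter
    if aps_secured:
        # Auxiliary header: security control 0x35 = level 5 (ENC-MIC-32), key-transport
        # key, extended nonce; then the frame counter and the sender's IEEE address.
        aps += struct.pack("<BIQ", 0x35, 0x00000001, 0x00124B00000000AA)
        # A real frame carries AES-CCM* ciphertext plus a 4-byte MIC here; this
        # example only recognises the case, so opaque placeholder bytes suffice.
        payload = bytes(len(payload)) + b"\x00\x00\x00\x00"
    return mac + nwk + aps + payload


def inspect_frame(frame: bytes) -> dict:
    """Walk MAC -> NWK -> APS and report how a Transport-Key command was protected."""
    mac_fcf = struct.unpack_from("<H", frame, 0)[0]
    if (mac_fcf & 0x7) != 1 or (mac_fcf >> 10) & 3 != 2 or (mac_fcf >> 14) & 3 != 2 or not mac_fcf & 0x40:
        raise ValueError("only 802.15.4 data frames with short addresses and PAN compression are handled")
    if mac_fcf & 0x8:
        return {"verdict": "mac-secured"}
    off = 9                                            # FCF(2) seq(1) PAN(2) dst(2) src(2)
    nwk_fcf, _dst, nwk_src, _radius, _seq = struct.unpack_from("<HHHBB", frame, off)
    off += 8
    if nwk_fcf & 0x3 != 0:
        return {"verdict": "nwk-command", "nwk_src": nwk_src}
    if nwk_fcf & 0x0200:
        return {"verdict": "nwk-secured", "nwk_src": nwk_src}   # needs the network key first
    if nwk_fcf & 0x0400:
        raise ValueError("NWK source route subframe not handled")
    off += 8 if nwk_fcf & 0x0800 else 0               # destination IEEE address present
    off += 8 if nwk_fcf & 0x1000 else 0               # source IEEE address present
    off += 1 if nwk_fcf & 0x0100 else 0               # multicast control present
    aps_fc, _aps_counter = struct.unpack_from("<BB", frame, off)
    off += 2
    if aps_fc & 0x3 != 1:
        return {"verdict": "not-aps-command", "nwk_src": nwk_src}
    if aps_fc & 0x80:
        raise ValueError("APS extended header not handled")
    if aps_fc & 0x20:
        sec_ctrl, frame_counter = struct.unpack_from("<BI", frame, off)
        key_id = (sec_ctrl >> 3) & 0x3
        # During a join the only APS key a device can hold is its TC link key, so a
        # transport under a link key or the key-transport key derived from it (HMAC
        # hash of the link key) is decryptable offline if that key is the default.
        return {"verdict": "aps-secured", "security_level": sec_ctrl & 0x7,
                "key_id": KEY_ID_NAMES[key_id], "frame_counter": frame_counter,
                "candidate_key": DEFAULT_TC_LINK_KEY if key_id in (0, 2) else None}
    cmd_id, key_type = struct.unpack_from("<BB", frame, off)
    if cmd_id != APS_CMD_TRANSPORT_KEY:
        return {"verdict": "other-aps-command", "cmd_id": cmd_id}
    if key_type != KEY_TYPE_STANDARD_NWK:
        return {"verdict": "transport-key-other-type", "key_type": key_type}
    key, key_seq, dest, src = struct.unpack_from("<16sBQQ", frame, off + 2)
    return {"verdict": "plaintext-network-key", "network_key": key.hex(), "key_seq": key_seq,
            "dest_ieee": f"{dest:016x}", "src_ieee": f"{src:016x}"}


if __name__ == "__main__":
    demo_key = bytes(range(16))   # constructed network key
    print(inspect_frame(build_transport_key_frame(demo_key, aps_secured=False)))
    print(inspect_frame(build_transport_key_frame(demo_key, aps_secured=True)))
```

The unsecured case yields the network key directly from the capture; the secured case yields the security level, key type and frame counter needed to attempt decryption, and names ZigBeeAlliance09 as the candidate key, which is the offline step the slide calls "same security level as plaintext exchange".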

  41. ZIGBEE EXPLOITED 41

  42. ZIGBEE SMART HOMES VENDOR RESPONSE 42

  43. ZIGBEE SMART HOMES NETWORK KEY SNIFFING So, the • Timeframe is limited • Proximity is necessary • Key extraction works only during pairing … what would an attacker do? 43

  44. TYPICAL END-USER 44

  45. ZIGBEE SMART HOMES THE SOCIAL ENGINEERS WAY Jam the communication Wait for users to re-pair the device It is not only about technology :D 45

  46. ZIGBEE SMART HOMES THE HACKER WAY Trigger Key Transport Sniff over the air key exchange 46

  47. ZIGBEE SMART HOMES 47

  48. ZIGBEE SMART HOMES 48

  49. ZIGBEE SMART HOMES NETWORK KEY EXTRACTION • No physical access is required • No knowledge of the secret key is needed • Usability overrules security • Fully compromised system 49

  50. ZIGBEE EXPLOITED DEMONSTRATION - COMMAND INJECTION

  51. ZIGBEE EXPLOITED 51

  52. ZIGBEE SMART HOMES SUMMARY • Security measures provided are good • Requirements due to interoperability weaken the security level drastically • Vendors only implement the absolute minimum to be compliant • Usability overrules security 52

  53. ZIGBEE SMART HOMES DEEPSEC SOUND BYTES • Proper implementation of security measures is crucial - Compliance is not Security • Learn from history and do not rely on “Security by Obscurity” • There is a world beside TCP/IP 53

  54. ZIGBEE EXPLOITED 54

  55. THANK YOU! Contact details Tobias Zillner, BSc MSc MSc tobias.zillner@cognosec.com +43 664 8829 8290

  56. TIME FOR QUESTIONS AND ANSWERS
