08

ZIGBEE EXPLOITED The good, the bad and the ugly

Tobias Zillner – August 6th 2015

Cognosec © 2015 | Castellezgasse 16/2 | 1020 Vienna, Austria ZigBee Exploited Version 1.0

TABLE OF CONTENTS

ABSTRACT ...... 1 INTRODUCTION ...... 1 THE ZIGBEE STANDARD ...... 1 ZIGBEE SECURITY ...... 2 Security ...... 2 Application Support Sublayer Security ...... 2 ZIGBEE APPLICATION PROFILES ...... 3 ZigBee Public Application Profile (HAPAP) ...... 3 ZigBee Light Link Profile (ZLL) ...... 4 SECBEE – A NEW ZIGBEE SECURITY TESTING TOOL ...... 4 REAL WORLD ASSESSMENTS AND IDENTIFIED VULNERABILITIES ...... 5 CONCLUSION ...... 5 BIBLIOGRAPHY ...... 6

Cognosec Gmbh Classification: Confidential ii ZigBee Exploited Version 1.0

which pose security risks. With the availability of ABSTRACT consumer-ready, programmable radio systems and low-cost devices with sufficient computational The (IoT) is an emerging power, the field of -defined-radio (SDR) trend. IoT involves the integration of digital is experiencing rapid growth enabling researchers and technologies in physical objects to audit wireless communication beside traditional and systems, especially those historically Wifi. unconnected, which are supposed to make our everyday life easy and convenient. One of This paper highlights the main security risks in the most widespread used wireless ZigBee implementations, which devices are technologies to connect IoT devices is the affected and describes the results of a practical ZigBee standard. This emerging technology assessments of ZigBee enabled device. needs to keep pace with customer demands for cheap, long-living and available devices. One of the major challenges besides user and THE ZIGBEE STANDARD industry acceptance is security. However, ZigBee is a standard for personal-area networks security is very often sacrificed or neglected due to fear of reduced or limited usability or developed by the ZigBee Alliance (including fear of breaking backwards compatibility. companies like Samsung, Philips, Motorola, Texas Instruments and many others) with the aim This paper describes the actual applied of providing low-cost, low-power consumption, security measures in ZigBee, highlight the two-way, reliable, wireless communications included weaknesses and introduces a standard for short range applications. (ZigBee software framework that can be used to Alliance 2008, p. 29) The standard is completely automatically audit ZigBee communication open and gained ratification by the Institute of and the implementation of ZigBee security Electrical and Electronics Engineer (IEEE) in services for various vulnerabilities and exploit 2003. The of ZigBee is based on them. IEEE 802.15.4. Advantages of choosing ZigBee are the provision of long battery lifetime, the support of a large number of nodes (up-to 65000) INTRODUCTION in a network, the easy deployment, the low costs and global usage. (Kaur & Sharma 2013)(ZigBee IoT is considered to be the next phase of the Alliance 2014) Internet revolution. Linking physical objects in the real world to the virtual world and enabling ZigBee is used for example in following areas anytime, anyplace and anything communication. (ZigBee Alliance 2014): (Santucci 2010, p. 11) Communication between devices is mainly carried out using wireless channels, which introduces various security Input Devices issues. Some of these weaknesses are new, but most have actually been around for a long time. A Home Automation desired short time-to-market, as well as backward compatibility and future proofing considerations lead to the persistence of known problems. The Health Care ZigBee standard is one of the dominating standards for wireless communication between Telecom Services IoT devices. Even though the ZigBee standard was created with security in mind, low per-unit- Retail Services costs and usability as well as compatibility factors lead to poor implementation of security controls, Smart Energy

Cognosec Gmbh Classification: Confidential PAGE 1 OF 6 ZigBee Exploited Version 1.0

number and may be used by the NWK and APL layers of a device. A device must The ZigBee stack consists of four layers: (ZigBee acquire a network key via key-transport or Alliance 2008, p. 35) pre-installation. (PHY) Link key is used to secure unicast communication on . This Layer (MAC) 128-bit key is shared only between two devices. Link keys are acquired either via Network Layer (NWK) key-transport, key- establishment, or pre- installation (for example, during factory Application Layer (APL) installation) and may be used only by the APS sub-layer. The IEEE 802.15.4-2003 standard is used for the two lowest layers, the physical layer (PHY) and Network Layer Security the medium access control layer (MAC). The other two layers are defined by the ZigBee The ZigBee Network Layer ensures the integrity Protocol Stack. and encryption of the transmitted frames by applying AES encryption (AES CCM mode) with a From a security perspective, the network and the key length of 128 bit, and ensures its integrity by application layer are of highest relevance and are using a cipher block chaining message therefore described in more detail in the next authentication code (CBC-MAC). (ZigBee Alliance chapter. 2008, p. 423)

ZIGBEE SECURITY Application Support Sublayer Security The ZigBee standard includes complex security measures to ensure key establishment, secure If a frame originated by the APS layer needs to be networks, key transport and frame security. secured, the APS layer is responsible for the (ZigBee Alliance 2008, p. 419 f). Those services proper protection of the frame. The APS layer are implemented at the Network and the allows frame security to be based on link keys or Application Support Sublayer (APS), a sub layer the network key. If the active network key should of the Application Layer. The ZigBee protocol is be used for frame protection, the APS layer first based on an "open trust" model. This means all checks if the frame gets protected on NWK layer. protocol stack layers trust each other. Therefore If so the frame just gets passed to the NWK layer cryptographic protection only occurs between and the frame protection is performed on the devices. Every layer is responsible for the security NWK layer. The APS layer is also responsible for of their respective frames. providing applications and the ZDO with key establishment, key transport, and device The security of ZigBee networks is based on their management services. (ZigBee Alliance 2008, p. encryption keys. It is possible to distinguish 424) between two types of security keys. (ZigBee Alliance 2008, p. 422) The ZigBee standard states the following about the security of ZigBee installations: “The level of Network key is used to secure broadcast security provided by the ZigBee security communication. This 128-bit key is shared architecture depends on the safekeeping of the among all devices in the network. Usually symmetric keys, on the protection mechanisms multiple network keys are stored by the employed, and on the proper implementation of Trust Center, but only one network key is the cryptographic mechanisms and associated the active network key. The current active security policies involved. Trust in the security network key is identified by a sequence

Cognosec Gmbh Classification: Confidential PAGE 2 OF 6 ZigBee Exploited Version 1.0

architecture ultimately reduces to trust in the ZigBee device might be a multi-purpose-device, secure initialisation and installation of keying different profiles are created to allow devices of material and to trust in the secure processing and various vendors to properly communicate with storage of keying material.” (ZigBee Alliance each other using those predefined profiles. 2008, p. 420). ZigBee Home Automation Public As stated above, the ZigBee Security is based on the assumption that keys are securely stored, and Application Profile (HAPAP) devices are pre-loaded with symmetric keys so An example of a profile would be the home they have never to be transmitted unencrypted. automation profile. This ZigBee profile permits a But there are exceptions to this policy. If a non- series of device types to exchange control preconfigured device joins a network, a single key messages to form a wireless home automation may be sent unprotected and enable encrypted application. These devices are designed to communication. This one-time transmission of the exchange well-known messages to effect control unprotected key results in a short timeframe of such as turning a lamp on or off, sending a light exploitability in which the key could be sniffed by sensor measurement to a controller, or an attacker. Since the security is dependent on sending an alert message if an occupancy sensor the safekeeping of the encryption keys such a key detects movement. interception would lead to a critical security This means if a manufacturer wants a device to compromise and puts the security of the whole be compatible to other certified devices from other network at risk. Even thought the timeframe manufacturers, the device has to implement the seems to be narrow, an attacker could use standard interfaces and practices of this profile. jamming techniques to trick the user to initiate a To provide this kind of interoperability all ZigBee factory reset or another way of re-joining, re- Home Automation devices should implement so establishing that attack time-frame. called Startup Attribute Sets (SAS). From a Another exception is made due to the low-cost security standpoint, the following two attributes nature of some types of devices such as light are of particular interest: switches or temperature sensors. Because of Default Trust Center Link Key their limited capabilities, it cannot be assumed that the hardware is built tamper-resistant. So if o 0x5A 0x69 0x67 0x42 0x65 0x65 an attacker gets physical access to such a device, 0x41 0x6C 0x6C 0x69 0x61 0x6E it may be possible to access the secret keying 0x63 0x65 0x30 0x39 material and other privileged information, as well o Note: The Link Key is listed in little- as access to the security software and hardware. endian format. (ZigBee Alliance 2008, p. 420) Default Link Key Join o 0x01 (True). ZIGBEE APPLICATION PROFILES o This flag enables the use of default link key join as a fallback case at The key to communicating between devices on a startup time. ZigBee network is the usage of application profiles. Application profiles are agreements for The use of the default TC link key messages, message formats, and processing “ZigBeeAlliance09” introduces a high risk to the actions that enable developers to create an secrecy of the network key. The Home interoperable, distributed application employing Automation Public Application Profile states that: application entities that reside on separate "The current network key shall be transported devices. These application profiles enable using the default TC link key in the case where applications to send commands, request data, the joining device is unknown or has no specific and process commands and requests. As one authorization associated with it. This allows for

Cognosec Gmbh Classification: Confidential PAGE 3 OF 6 ZigBee Exploited Version 1.0

the case where alternative pre-configured link As every ZLL device joining to a ZLL network keys specifically associated with a device can be shall use per definition the ZLL master key to used as well." (ZigBee Alliance 2013, p. 44) derive the active network key, knowledge of the Since, as discussed before, the security of ZigBee ZLL master key allows an attacker to intercept the is highly reliant on the secrecy of the key material key- exchange and acquire the current active and therefore on the secure initialisation and network key. This would then allow the attacker to transport of the encryption keys, this default control all devices in the ZigBee network. As the fallback mechanism has to be considered as ZLL master key has supposedly been leaked in critical risk. If an attacker is able to sniff a device the Internet (e.g. on reddit and some online join using the default TC link key, the active forums), the security of the ZLL devices has to be network key is compromised and the considered as compromised. confidentiality of the whole network communication can be considered as Besides the leaked key, ZLL devices support a compromised. This might be a lower risk if only feature called “Touchlink Commissioning” that light bulbs are used, but as HVAC systems and allows devices to be paired with controllers. As door-locks also use the Home-Automation profile, the default and publicly known TC link key is the impact on security of this profile requirement used, devices can be “stolen”. Tests showed that is greatly increased. amateur radio hardware using normal dipole (Rasperry Pi extension board) antennas already ZigBee Light Link Profile (ZLL) allowed Touchlink Commission from several meters away whereas for security reasons this The ZigBee Light Link (ZLL) profile addresses should only work in close proximity. Usage of devices and functionality in the over-the-counter, professional radio equipment would allow an even consumer lighting application domain. (ZigBee higher distance for such a successful device Alliance 2012, p. 1) takeover.

Devices in a ZLL shall use ZigBee network layer security. During classical ZigBee commissioning SECBEE – A NEW ZIGBEE where a non-ZLL device is being joined to a ZLL network without a trust center, a pre-installed link SECURITY TESTING TOOL key is used to secure the transfer of the network Since ZigBee provides some very specific key when authenticating. The ZLL pre-installed security services and attack vectors a tool that link key is a secret shared by all certified ZLL enables security researchers, testers and devices. It will be distributed only to certified developers to check the configuration and manufacturers and is bound with a safekeeping implementation of security services of their contract. Additionally, if the decryption of the APS product was developed. Unlike other tools for message fails with the key described above, ZLL ZigBee testing, it enables testers to check devices shall try to decode the APS message encrypted networks and automatically perform using the known default trust center link key. Like ZigBee specific tests such as network leaves / the HAPAP, the ZLL profile also specifies joins, reset to factory defaults or search for “ZigBeeAlliance09” as the default Trust center link unsecure key transport. key in the SAS and requires the support of an insecure join as a fallback. This leads also to the SecBee is based on scapy-radio and killerbee , same vulnerable initial key exchange. Even if the but enhances the functionality drastically and also manufacturer implemented a secure key fixes some limitations of these tools. exchange and distributed proper key material, it would be possible for an external attacker to disturb the network join using selective jamming and then wait for the insecure join to get access to the exchanged key material.

Cognosec Gmbh Classification: Confidential PAGE 4 OF 6 ZigBee Exploited Version 1.0

REAL WORLD ASSESSMENTS bulb is always sending beacon requests to look for a new network to join. AND IDENTIFIED VULNERABILITIES In addition, it should be noted that the usage of To verify the implementation of ZigBee security in wireless communication systems for security real world devices, a home automation system, a applications like surveillance is not recommended smart lighting solution and a ZigBee enabled door as the communication can easily be disturbed lock were assessed using the newly developed with simple jamming and no tested device ZigBee security testing tool – SecBee. The implemented something like a heartbeat message practical security analysis of every assessed to provide the central device with information device showed that the solutions are designed for about the actual status. This attack scenario easy setup and usage but lack configuration becomes increasingly likely as the prices for radio possibilities for security and perform a vulnerable hardware are getting lower, the hardware is device pairing procedure that allows external publicly available and open source tools exists parties to sniff the exchanged network key. Even that provide the necessary features to perform if the timeframe to exploit the vulnerability is very attacks on wireless networks. It is just a of limited, bringing the user into play can easily time till the first real world incident will become circumvent this. ZigBee communication can be public. easily jammed. Since ZigBee is designed for low power communication and energy saving this can be easily achieved by simply sending noise on the CONCLUSION target ZigBee channel to prevent successful communication. A typical user would notice a lost The security features provided by the ZigBee connection and therefore just perform a re-pairing standard can be considered as very strong and procedure to solve this issue. Targeting the user robust. ZigBee encryption is based on the well level allows an attacker to enforce a re-paring and known AES algorithm for data encryption and sniff the transmitted network key. This would data authentication. The security is dependent on allow an attacker to get complete control of the the secrecy of the encryption keys as well as their system as the security of the solution is solely secure initialisation and distribution of the relying on the secrecy of this key. encryption keys. The main risks for ZigBee Home Automation Systems are implementation failures Furthermore, the tested home automation system and shortfalls. Also among the main constraints in is not capable of resetting or changing the applied implementing security features in a ZigBee network key, so even if a user notices unwanted are limited resources. The behaviour in the network, there would be nodes are mainly battery powered and have absolutely no possibility of locking the intruder limited computational power and memory size. out. Also no automatic key rotation could be Therefore, it is essential for security to fulfil some identified during a timeframe of eleven month. preconditions on implementation side, which are the following: The smart lighting solution is also vulnerable to a device takeover from any external party. It was Device Tampering: ZigBee is targeted for possible to steal light bulbs and join them to a low-cost applications, and the nodes hardware fake network without knowledge of the active may not be tamper resistant. If an intruder secret keys. An attacker just has to send a “reset acquires a node from an operating network to factory default” command to the light bulb and that has no anti-tamper measures, the actual wait for the bulb to search for ZigBee networks to key could be obtained simply from the device join. The bulb will connect to the first network memory. A tamper- resistant node could erase available without any further interaction of a user. the sensitive information including the security No button or similar has to be pressed. The light keys if tampering is detected.

Cognosec Gmbh Classification: Confidential PAGE 5 OF 6 ZigBee Exploited Version 1.0

Key Transport: The default TC link key ZigBee Alliance, (2008). ZIGBEE should not be used since this key is SPECIFICATION San Ramon, United States. considered as public knowledge and provides ZigBee Document 053474r17. ZigBee Alliance the same level of security as unencrypted key (2012). ZigBee Light Link Standard. San Ramon, transport. United States. Version 1.0, ZigBee Document 11- Key Establishment: The master keys used 0037-10. during key establishment shall be distributed via out-of- band channels. For example a ZigBee Alliance (2012). ZigBee Light Link sticker with a preconfigured master key could Standard. San Ramon, United States. Version be attached to a device and entered by the 1.0, ZigBee Document 11-0037-10. user during device setup. ZigBee Alliance, (2013a). ZIGBEE HOME Key Rotation: The security of the AUTOMATION PUBLIC APPLICATION communication is dependent on the secrecy of PROFILE. San Ramon, United States. Revision the network key and of the link keys. The 29, Version 1.2, ZigBee Document 05-3520-29. network key shall be changed periodically. Key management in form of changing the network key in a meaningful time period or after a certain number of messages should be introduced. Otherwise known plaintext or other attacks on the security of AES may be possible.

Tests with light bulbs and even door locks have shown that the vendors of the tested devices implement the minimum of the features required to be certified, including the default TC fallback key. No other options were implemented and available to the end-user.

Also relying on the secrecy of keys distributed only among a limited group of people, as the ZLL profile requires, is a security method known to have failed before. Travis Goodspeed showed successful attacks on ZigBee hardware to extract keys (Goodspeed 2009 p. 1f), and thus without appropriate hardware, key secrecy should not be the foundation of the ZigBee product’s security architecture.

BIBLIOGRAPHY

Goodspeed, T. (2009), Extracting Keys from Second Generation Zigbee Chips. Black Hat USA, Las Vegas.

Santucci, G., (2010). Vision and Challenges for Realising the Internet of Things. Brussels: Publications Office of the European Union.

Cognosec Gmbh Classification: Confidential PAGE 6 OF 6