Updated: Sep 8
In this blog post we will be describing the protocol commonly referred to as ZigBee. We will look at describing what it is, how it is used and how it can be used by Security Researchers when examining hardware targets.
In this post we will cover the following:
Under the hood (802.15.4)
ZigBee Protocol Stack
ZigBee Addressing and Packet Format
ZigBee Route Discovery
Anatomy of a ZigBee Attack
ZigBee is a communications protocol built on top of the underlying IEEE 802.15.4 specification standard. ZigBee is typically found in environments that require the interconnection of many low-power devices in a single location. As we will describe later, the strength of this technology is its ability to increase overall range through a collaborative approach of many interconnected low-power devices. ZigBee has many benefits and some potential flaws. This article will cover ZigBee's inner workings as well as examine a practical use case that may assist Security Researchers in the field.
Under the hood
As mentioned above, ZigBee capitalises on the base IEEE 802.15.4 specification at a low level. The IEEE 802.15.4 standard describes how low-rate wireless personal area network (LR-WPAN) devices should operate at both the physical and media access control layers. Thinking of the standard in terms of layers helps in conceptualising how each component of the specification fits together to transfer data up and down the protocol stack. Using the OSI model as a reference, 802.15.4 mainly operates at layer 1 (Physical) and layer 2 (MAC).
The Physical Layer (Layer 1) of this specification handles data transmission and is managed by a physical radio transceiver, which handles channel selection and the signal management function. IEEE 802.15.4 specifies three frequency bands; these stipulate which part of the RF spectrum the standard operates in. The frequencies are the means by which data is transferred over the air between devices attached to a common frequency. Each band has a differing number of associated channels (in essence, the higher the bandwidth, the more channels there are to choose from):
868 MHz (Europe) - 1 channel (0)
915 MHz (USA) - 10 channels (1-10)
2.4 GHz (Utilised Globally) - 16 channels (11-26)
The Media Access Control layer (Layer 2) of this specification helps facilitate the transmission of MAC frames between interconnected devices using the underlying physical layer and its associated channels. At this layer, data is encapsulated within a MAC frame and sent through to the physical layer for transmission.
The Media Access Control layer is also tasked with managing access to the various channels and manages the beacons used for communications. This layer employs CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance) to help manage network contention within the topology. It does so by listening on a specific channel for a predetermined period of time in an attempt to avoid collisions.
All higher layer protocols utilise these base layers for data transmission. This is made possible through encapsulation, where each high layer data unit is encapsulated or wrapped within each succeeding lower layer.
Topology is a term used within the context of the IEEE 802.15.4 specification to describe the different methods of interconnecting nodes (devices). Nodes are connected in a structured way so that all of them can communicate with one another.
NOTE: Although not specific to the underlying IEEE 802.15.4 specification, and for a later topic, ZigBee uses the concept of ZigBee Co-ordinator (ZC), ZigBee Router (ZR) and ZigBee Endpoint (ZED). These device roles are used within a ZigBee connected topology in order to ensure data flows within the chosen topology between interconnected devices.
The three main types of topologies used within ZigBee are star, tree and mesh. Each has its use, and the choice is largely dependent on the distances involved and the type of node (device) used within the topology.
Star - A single ZC with one or more ZEDs. It only extends two hops and is therefore limited in node distance. It also requires a reliable link, with a single point of failure at the ZC.
Tree - A multi-hop network that employs beaconing and extends the network coverage and range beyond a star network. ZC and ZR nodes can have children, but ZEDs remain true endpoints. Child nodes only communicate with their parent (like a small star network). A parent can communicate downstream to its children or upstream to its parent. The single point of failure at the centre still exists.
Mesh - Dynamic path formation and morphing. Routing can occur from any source device to any destination device, using tree and table-driven routing algorithms. ZC and ZR radios must be powered at all times to perform routing duties, consuming battery life. Additionally, calculating latency in a mesh network can be difficult, if not non-deterministic. In this mode some routing rules are relaxed; routers within a certain range of each other can communicate directly. The main advantage is that the network can grow beyond line of sight and has multiple redundant paths.
A node is a designation within the IEEE 802.15.4 specification that describes the capabilities of a device participating in the network. The specification defines two main types of node:
Full-Function Device (FFD) - This type of node can act as the coordinator of a personal area network or simply as a common node. When acting as coordinator, this node can communicate with any other node within the topology, which it achieves by relaying messages to and from other common nodes.
Reduced-Function Device (RFD) - These nodes are restricted in capability and can only communicate with a Full-Function Device.
Regardless of the topology, every network is required to have at least one Full-Function Device, and each node (device) is assigned a unique identifier (64 bits or 16 bits in length). These identifiers are based on the 64-bit MAC address of each device, or are alternatively "traded in" for a 16-bit unique identifier. The 16-bit identifier (also referred to here as the PAN ID) is assigned and managed by the PAN coordinator.
IEEE 802.15.4 uses a basic frame as its unit of data transport, and each frame type has its own format. There are four types of frame used within the specification:
Data Frame - Used for the transfer of actual application data
Beacon Frame - Used by the coordinator to signal an active phase and to advertise its presence on the personal area network. This has the added function of allowing other nodes to perform PAN discovery and synchronisation.
Acknowledgement Frame - Used to confirm frame reception
MAC Command Frame - Association/Disassociation request management
IEEE 802.15.4 Startup Process
Device initialises its stack (PHY and MAC layers)
A PAN coordinator is established (mandatory)
PAN coordinator assigns a unique PAN ID (taking into consideration nearby IEEE 802.15.4 networks)
PAN coordinator chooses a unique channel (taking into consideration nearby IEEE 802.15.4 networks)
PAN coordinator then starts to accept requests
Nodes join by actively scanning across channels, broadcasting a request to join an active network (Beacon Request), or by listening for Beacons advertised by the PAN coordinator (in beacon-based networks)
Device will send an association request
PAN coordinator accepts or rejects the device's association request based on its access control mechanisms. If accepted, the PAN coordinator issues a 16-bit unique identifier to the device
IEEE 802.15.4 Security
Provides Encryption and Authentication
ACLs are used to store:
Based on the IEEE 802.15.4 standard, the ZigBee protocol is used within low-cost, low-power IoT devices of all shapes and sizes, and got its name from the idea of a bee flying. ZigBee has a varied history and has been rebranded multiple times, with the current custodian of the technology being the Connectivity Standards Alliance (https://csa-iot.org/). As mentioned several times in this post, ZigBee shares a common progenitor (802.15.4) but adds higher layers that make it function similarly to a TCP/IP network.
ZigBee Protocol Stack
The protocol stack encompasses the following layers:
NWK - Network Layer
Used for the 3 principal components ZC, ZR and ZED
Used for device management, route discovery, route healing, route messaging and packet transfer
Assigns the logical network addressing for the ZC (coordinator)
Secures the connection
APS - Application Layer
Provides the conduit between the network and application layer
Manages the bind database, which is used to store a list of devices and their corresponding services. The combination of device address and associated service is known collectively as a Device Object. A group of device objects is known as a cluster
The predominant purpose of the APS layer is to interface the user with the end device
Further ZigBee components:
Security Service Provider
Provides security services e.g. Security Key management
ZDO management plane
Used for transport of all application layer management data
ZigBee Device Object
This is Endpoint 0, which is responsible for overall device management
Manages keys, policies and roles of devices
Used to discover devices one hop away to discover offered services
Initiates and responds to binding requests for the device
Helps to setup secure bindings between devices. It does this as it has visibility of the security policy and keys shared by the device
As mentioned above, a ZigBee binding simply refers to a connection between two endpoints. An application profile denotes a binding that serves a specific functional combination; an example of an application profile might be the set of functions used to control a home lighting system. Within the application profile there may be further descriptions that define individual components, such as a dimmer in the home lighting example. The combination of source endpoint, destination endpoint, cluster identifier and application profile identifier ensures that messages can be sent and received unambiguously between two endpoints.
ZigBee Addressing and Packet Format
As alluded to above, ZigBee is overlaid on top of the IEEE 802.15.4 protocol stack but takes a new tangent at the network and application layers. The ZigBee NWK frame is encapsulated within the IEEE 802.15.4 MAC layer Payload Data field. In turn, the ZigBee APS frame is encapsulated within the NWK Frame Payload field.
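To make that encapsulation concrete, the following added example (my own code, not from the post or from any ZigBee stack) parses a constructed IEEE 802.15.4 data frame, pulls the ZigBee NWK header out of the MAC payload, and, as a monitoring check, flags frames whose NWK security bit is clear. The field layout is the standard one (little-endian Frame Control Field, optional PAN IDs and addresses, then the NWK frame control, addresses, radius and sequence number). The sample byte strings are constructed, not captured, and omit the trailing FCS.

```python
import struct

# IEEE 802.15.4 MAC frame types, Frame Control Field bits 0-2
MAC_FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac_command"}
# Addressing modes, FCF bits 10-11 (destination) and 14-15 (source)
ADDR_MODES = {0: "none", 2: "short", 3: "extended"}
# ZigBee NWK frame types, NWK frame control bits 0-1
NWK_FRAME_TYPES = {0: "data", 1: "command"}


def _read_addr(buf, off, mode):
    """Read a little-endian 16-bit short or 64-bit extended address."""
    if mode == "short":
        return struct.unpack_from("<H", buf, off)[0], off + 2
    return struct.unpack_from("<Q", buf, off)[0], off + 8


def parse_mac_header(frame):
    """Parse the IEEE 802.15.4 MAC header of a frame whose FCS has been stripped.

    Returns the header fields plus 'payload', the MAC payload that carries
    the ZigBee NWK frame.
    """
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    dst_mode = ADDR_MODES.get((fcf >> 10) & 0x3)
    src_mode = ADDR_MODES.get((fcf >> 14) & 0x3)
    if dst_mode is None or src_mode is None:
        raise ValueError("reserved addressing mode")
    hdr = {
        "frame_type": MAC_FRAME_TYPES[fcf & 0x7],
        "security_enabled": bool(fcf & 0x0008),   # MAC-layer security bit
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "seq": seq,
    }
    off = 3
    if dst_mode != "none":
        hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        hdr["dst_addr"], off = _read_addr(frame, off + 2, dst_mode)
    if src_mode != "none":
        if hdr["pan_id_compression"]:
            hdr["src_pan"] = hdr.get("dst_pan")   # PAN ID is carried only once
        else:
            hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        hdr["src_addr"], off = _read_addr(frame, off, src_mode)
    hdr["payload"] = frame[off:]
    return hdr


def parse_nwk_header(payload):
    """Parse the ZigBee NWK header found at the start of the MAC payload."""
    fcf, dst, src, radius, seq = struct.unpack_from("<HHHBB", payload, 0)
    off = 8
    hdr = {
        "frame_type": NWK_FRAME_TYPES.get(fcf & 0x3, "reserved"),
        "protocol_version": (fcf >> 2) & 0xF,
        "discover_route": (fcf >> 6) & 0x3,
        "security": bool(fcf & 0x0200),           # NWK-layer security bit
        "dst_addr": dst, "src_addr": src, "radius": radius, "seq": seq,
    }
    if fcf & 0x0800:                               # destination IEEE address present
        hdr["dst_ieee"] = struct.unpack_from("<Q", payload, off)[0]
        off += 8
    if fcf & 0x1000:                               # source IEEE address present
        hdr["src_ieee"] = struct.unpack_from("<Q", payload, off)[0]
        off += 8
    hdr["payload"] = payload[off:]                 # aux security header + APS frame
    return hdr


def unsecured_nwk_frames(frames):
    """Indices of data frames sent with NWK security disabled (a monitoring check)."""
    hits = []
    for i, raw in enumerate(frames):
        mac = parse_mac_header(raw)
        if mac["frame_type"] != "data":
            continue
        if not parse_nwk_header(mac["payload"])["security"]:
            hits.append(i)
    return hits


# Constructed sample frames (not real captures), FCS omitted.
# MAC FCF 0x8861 = data frame, ack request, PAN ID compression, short addressing.
# NWK FCF 0x0248 = data frame, protocol version 2, discover route, security on.
FRAME_SECURED = bytes.fromhex(
    "61882a" "621a" "0000" "5c3f"      # MAC: FCF, seq, PAN 0x1A62, dst 0x0000, src 0x3F5C
    "4802" "0000" "5c3f" "1e" "7b"     # NWK: FCF, dst, src, radius 30, seq
    "deadbeef"                         # placeholder for the encrypted payload
)
# Same shape, but NWK FCF 0x0048 has the security bit clear.
FRAME_CLEAR = bytes.fromhex("61882b621a00005c3f" "480000005c3f1e7c" "00010203")

if __name__ == "__main__":
    for raw in (FRAME_SECURED, FRAME_CLEAR):
        mac = parse_mac_header(raw)
        print(mac["frame_type"], hex(mac["src_addr"]), parse_nwk_header(mac["payload"]))
    print("unsecured frames:", unsecured_nwk_frames([FRAME_SECURED, FRAME_CLEAR]))
```

The NWK security bit only tells you whether the network key was applied; it says nothing about which key. A frame that parses as "secured" but was protected with a key the analyst already holds (such as a network key recovered the way the later section describes) is exactly the case the decryption steps in Wireshark cover.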
In order for a source end device to find a path through a ZigBee network to a destination end device, ZigBee uses mesh routing to establish the path. Route discovery is performed using the AODV protocol (Ad hoc On-Demand Distance Vector). Routing within ZigBee networks only occurs when there is an association between two endpoints, and a route discovery is only initiated if the source does not already have a route towards its intended destination. This has the added benefit of not requiring every device to maintain a full list of routes to every other endpoint.
NOTE: ZigBee Endpoints rely on ZigBee Routers or coordinators for route discovery and do not themselves participate in the routing process.
Routing packets can occur using the following methods:
Broadcasting - Packets are sent to all nodes within the topology
Mesh Routing - Uses local route table to obtain routes to a desired destination
Tree Routing - Uses unicast packets between required nodes
Source Routing - Used with Z Wave networks
The mechanism for route discovery follows these steps:
Device issues a route request command frame to the entire network
Destination receives the route request and responds with a route reply frame
Route requester evaluates all returned responses for an optimal route based on the accumulative link costs to the destination
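The following added example, written for this post rather than taken from it or from any ZigBee stack, simulates the three steps above on a small constructed topology: the route request is flooded through routers and the coordinator only (endpoints are left out, as the note above says), each copy that reaches the destination earns a route reply carrying its accumulated link cost, and the requester keeps the cheapest. The node names, link costs and the hop-budget "radius" are assumptions made for the illustration.

```python
# Constructed ZigBee topology (not from the post): each node has a role and
# its neighbours with a link cost (ZigBee expresses link cost as 1..7, lower
# is better). ZED_A and ZED_B are endpoints hanging off a parent router.
NODES = {
    "ZC":    {"role": "ZC",  "links": {"ZR1": 1, "ZR2": 3}},
    "ZR1":   {"role": "ZR",  "links": {"ZC": 1, "ZR3": 7, "ZED_A": 1}},
    "ZR2":   {"role": "ZR",  "links": {"ZC": 3, "ZR3": 1}},
    "ZR3":   {"role": "ZR",  "links": {"ZR1": 7, "ZR2": 1, "ZED_B": 1}},
    "ZED_A": {"role": "ZED", "links": {"ZR1": 1}},
    "ZED_B": {"role": "ZED", "links": {"ZR3": 1}},
}


def parent_of(node):
    """An endpoint's only link is to its parent router or coordinator."""
    return next(iter(NODES[node]["links"]))


def flood_route_request(origin, target, radius):
    """Step 1 and 2: flood a route request from origin, collect route replies.

    Every ZC/ZR that receives the request rebroadcasts it along each loop-free
    path while the radius (hop budget) lasts; endpoints never forward. Each
    copy that reaches the target is answered with a route reply carrying the
    accumulated link cost. Returns the (path, cost) of every reply.
    """
    replies = []

    def forward(node, path, cost):
        if node == target:
            replies.append((list(path), cost))
            return
        if len(path) - 1 >= radius:      # hop budget exhausted, request dropped
            return
        for nbr, link_cost in NODES[node]["links"].items():
            if NODES[nbr]["role"] == "ZED" or nbr in path:
                continue                 # endpoints do not route; avoid loops
            path.append(nbr)
            forward(nbr, path, cost + link_cost)
            path.pop()

    forward(origin, [origin], 0)
    return replies


def discover_route(src, dst, radius=30):
    """Step 3: the requester keeps the reply with the lowest accumulated cost."""
    # Endpoints do not take part in discovery: their parents act for them.
    origin = parent_of(src) if NODES[src]["role"] == "ZED" else src
    target = parent_of(dst) if NODES[dst]["role"] == "ZED" else dst
    replies = flood_route_request(origin, target, radius)
    if not replies:
        return None
    path, cost = min(replies, key=lambda reply: reply[1])
    route, total = list(path), cost
    if origin != src:                    # add the endpoint-to-parent hop
        route, total = [src] + route, total + NODES[src]["links"][origin]
    if target != dst:
        route, total = route + [dst], total + NODES[dst]["links"][target]
    return {"route": route, "cost": total, "replies": len(replies)}


if __name__ == "__main__":
    print(discover_route("ZED_A", "ZED_B"))             # cheaper via ZC and ZR2
    print(discover_route("ZED_A", "ZED_B", radius=2))   # only the poor direct link fits
```

The direct ZR1 to ZR3 link is deliberately given the worst cost (7), so the requester prefers the three-hop path through the coordinator: the evaluation is by accumulated link cost, not by hop count. Shrinking the radius drops the longer request before it reaches ZR3, and only the direct link's reply survives.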
Three main security layers:
Handles key creation
Uses a link key for outbound frames that have an associated route
Uses a network key in the event that no associated route is available
ZigBee uses multiple keys with respect to security. These keys are managed by a "Trust Center", which in most cases is the ZigBee Coordinator.
The "Trust Center" can assume two modes:
Does not establish keys with any network device
A network key is established with every network device
ZigBee Key Types:
Configured by manufacturer or alternatively entered by the user.
Provides network layer protection
Used to create a secure binding between two devices
Preferred over Network Key
The "Trust Center" functions as an arbiter for authenticating new devices and disseminating network keys to them upon their association to a network (refer to the IEEE 802.15.4 Startup Process section above). Network keys are encrypted and then distributed to new devices upon association. At this point a new device is able to communicate using the network key to encrypt data in transit.
In some cases, the initial encryption of network keys uses a well-known default trust center link key [5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39]. It is this specific key that can be used to further compromise a ZigBee environment. Because the link key is public, any network key protected by it is exposed as if it had been transmitted in the clear, which makes this a viable attack vector.
Once a link key is obtained it becomes possible to decrypt interesting traffic and thus obtain further insight into communication flows. Furthermore, it becomes possible to replay such communication flows and potentially take full control of affected end nodes using man-in-the-middle techniques.
Anatomy of a ZigBee Attack
This section will describe the process involved in enacting such an attack. We will detail the hardware used, the setup, and the use of Wireshark to sniff traffic flows and ultimately uncover network keys.
ZigBee CC2531 USB Dongle
The Staging of the attack
The setup used to stage this attack comprised a Wireless Home Automation Controller and its respective Wireless Remote Control. The Wireless Home Automation Controller assumed the role of the ZigBee Coordinator (ZC) and the Wireless Remote Control the role of the ZigBee Endpoint (ZED).
The Wireless Home Automation Controller is used as a gateway (FFD) for connecting a diverse range of ZigBee Endpoint devices. It was also found to be using ZigBee Protocol version 2.
The Wireless Remote Control is used to send arm and disarm control messages, which the Wireless Home Automation Controller uses to execute an associated function, such as enabling a siren.
The CC2531 USB Dongle is pre-flashed to run as a ZigBee sniffer ONLY and cannot replay packets; however, coupled with Wireshark, it allows for the retrieval and examination of ZigBee communication flows.
As mentioned above, in some cases a default trust center link key is used for the initial transmission of the network keys. In order to place ourselves in a position to capture this data we need to set up Wireshark with this key.
Step 1. Navigate to Preferences, Protocols, Zigbee, Click Edit
Step 2. Enter 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39 into the Key field, choose Normal as the Byte Order, enter ZigBeeAlliance09 as the label, and click OK.
Step 3. Determining the correct channel to listen on
The zbstumbler utility from the KillerBee toolkit allows you to scan across channels for this purpose. Once the correct channel has been determined we can move on to the next step.
Step 4. Determine the correct interface to use
We can use the zbid utility from the KillerBee toolkit for this purpose.
Step 5. Using zbwireshark from the KillerBee toolkit allows us to spawn a Wireshark instance with both the correct logical device (1:16) and the correct channel
As mentioned previously, the default trust center key allows an attacker to potentially glean a transmitted network key in the clear. As mentioned above, network keys are transmitted by the Trust Center upon an association request by an end node. The following outlines the process of device association as observed in Wireshark, the subsequent acquisition of the associated network key, and finally the observation of clear text control messages that can be replayed to one's heart's content.
Step 1. Association of the Zigbee Endpoint
Here we see an association Request by the RFD (Reduced-Function Device a.k.a Wireless Remote Control)
Here we see the Acknowledge Packet, which at its heart contains the Network Key information
Here we see the Successful Association Response from the ZC. Also note the Short Address assigned to the endpoint by the ZC, used as a unique identifier.
Step 2. Using the newly acquired network key to help decrypt data packets
Navigate to Preferences, Protocols, Zigbee, Click Edit
Enter the newly acquired network key as a new entry in the Pre-configured keys section
Step 3. Observe clear text data transmission
We are now afforded the ability to examine unencrypted clear text communication flows. In our case we use it to examine the Arm Control messages sent by the Wireless Remote Control
This post intended to lay the foundations with respect to the ZigBee protocol and its fundamental inner workings. In providing an overview of the architecture and its core features, it is hoped that this information serves as a valuable reference point.