ZigBee: attack of the killer bees
Developer Joshua Wright intends to release KillerBee, an open source collection of Linux tools intended for testing the security of ZigBee networks. According to Wright, many ZigBee implementations are a mess – he hopes that his tool, which is coded in Python, will ultimately lead to more secure products.
Wright lists ZigBee applications which include controlling water flows in dams and natural gas control valves. The technology is also widely used in building automation; many thousands of ZigBee devices have been used in the brand-new MGM CityCenter in Las Vegas, for example. Some intelligent electricity meters in use in the US also communicate using ZigBee in a mesh network.
ZigBee (IEEE 802.15.4) is far more popular than Bluetooth, Wi-Fi or DECT for these kinds of scenarios, as it is simpler to implement – the complete stack requires only 120 KB of space – and because the wireless technology uses significantly less energy. Wright, however, concludes that "When both simplicity and low cost are goals, security suffers."
KillerBee includes a number of tools which, taken together, look a lot like the sort of attack programs familiar from Wi-Fi environments. According to Wright, the security problems and the errors that underlie them are reminiscent of the design problems which dogged Wi-Fi. ZigBee offers no protection against replay attacks, in which an attacker simply resends recorded packets to the network. Wright's succinct comment: "Wi-Fi was dogged by the same errors – but that was 15 years ago."
KillerBee includes applications for sniffing out any ZigBee devices in the surrounding area (zbid), for recording data streams from the wireless network (zbdump) and for replaying recorded data streams (zbreplay). Replaying packets could, according to Wright, be useful in contexts such as locks networked using ZigBee. An attacker would merely need to record the data transmitted from the lock to a control server located in the building at the moment at which a door is opened. Sending this sequence to the server via ZigBee at a later date should cause the lock to open again.
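A defender-side check for the replay scenario described above, as an added example that is not part of KillerBee or of the article: a monitor over captured 802.15.4 frames that flags a frame re-sent verbatim outside the short window in which a legitimate MAC retransmission could occur, and a source whose 8-bit sequence number runs backwards. The frame record layout, the addresses and payload bytes, and the one-second retry window are constructed assumptions.

```python
"""Replay detector for captured IEEE 802.15.4 / ZigBee frames (added example).

The MAC layer gives no replay protection, so the check is done in the
monitoring layer: remember each (source, seq, payload) and flag an
identical frame seen again after the window for a genuine retry has passed.
"""
import hashlib
from collections import namedtuple

Frame = namedtuple("Frame", "ts src seq payload")  # ts in seconds (assumed)

RETRANSMIT_WINDOW = 1.0  # assumed upper bound for a genuine 802.15.4 retry


def detect_replays(frames, window=RETRANSMIT_WINDOW):
    """Return a list of (frame, reason) tuples for frames that look replayed."""
    seen = {}      # (src, seq, sha256(payload)) -> time first observed
    last_seq = {}  # src -> last 8-bit MAC sequence number observed
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.src, f.seq, hashlib.sha256(f.payload).hexdigest())
        first = seen.get(key)
        if first is not None and f.ts - first > window:
            alerts.append((f, "identical frame re-sent %.1fs later" % (f.ts - first)))
            continue  # a replayed copy; do not let it advance the seq tracker
        seen.setdefault(key, f.ts)
        prev = last_seq.get(f.src)
        # seq is modulo 256: a step back of 1..127 is a regression, larger is a wrap
        if prev is not None and (f.seq - prev) % 256 > 128:
            alerts.append((f, "sequence number went backwards"))
        last_seq[f.src] = f.seq
    return alerts


# Constructed sample capture: a door-open report from lock 0x1234 at t=10.0,
# a genuine retransmission 0.2 s later, then the same frame replayed at t=600.
OPEN_REPORT = bytes.fromhex("0104000a0102")  # constructed payload bytes
SAMPLE = [
    Frame(10.0, 0x1234, 0x41, OPEN_REPORT),
    Frame(10.2, 0x1234, 0x41, OPEN_REPORT),  # legitimate MAC retry, not flagged
    Frame(11.0, 0x1234, 0x42, bytes.fromhex("0104000b0100")),
    Frame(600.0, 0x1234, 0x41, OPEN_REPORT),  # recorded earlier, re-sent later
]

if __name__ == "__main__":
    for frame, why in detect_replays(SAMPLE):
        print("ALERT t=%.1f src=0x%04x seq=0x%02x: %s" % (frame.ts, frame.src, frame.seq, why))
```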
KillerBee also includes a program for cracking the secret key stored in ZigBee devices. Since many ZigBee devices have no display or keypad, the key required for encryption is frequently stored in factory-set Flash memory. Where keys are exchanged over the air (OTA), they are exchanged in unencrypted form and can easily be recorded using zbdump. Recordings can subsequently be analysed in Wireshark without difficulty.
zbgoodfind uses a memory dump generated using sniffer hardware developed by Travis Goodspeed to crack stored keys. Wright's tools all work with the Atmel AVR RZ USBStick ZigBee USB stick, which costs just under $40, though if you want to record and be able to replay data simultaneously, you'll need two. To replay data, you'll also need to overwrite the device's firmware, for which you'll need an on-chip debugger and programmer, such as Atmel's AVR JTAG ICE mkII, a clone version of which can be picked up for around 50 euros. Wright is not officially selling pre-flashed sticks, but intimated to heise Security, The H's associates in Germany, that he was sure he could help out in 'individual cases'.