Software error in ZigBee radio modules facilitates eavesdropping
As reported by developer Travis Goodspeed on his blog, a weakness in the way Z-Stack, Texas Instruments' open source wireless communication protocol stack used in its ZigBee radio modules, generates pseudo-random numbers makes it easier for an attacker to eavesdrop on encrypted communications. This is not the first occasion on which Goodspeed has hit the headlines for his cryptographic analyses of ZigBee modules.
The weakness allows attackers to eavesdrop on wireless communications for devices such as automation systems and sensors and potentially even to access these devices. The vulnerability is of particular concern in view of the widespread use of smart electricity meters in the USA. Some electricity providers use ZigBee to transfer data from electricity meters to base stations.
The crux of the problem is that the numbers generated by the pseudo-random number generator (PRNG) to initialise the elliptic curve cryptography (ECC) functions used for asymmetric encryption are predictable. This not only makes it easier to calculate the ECC key in use; it also makes it possible to crack the AES key used for symmetric communication with other ZigBee modules, since that key is transferred using ECC encryption.
According to developer Travis Goodspeed, the problem is the result of multiple factors. Firstly, the 16-bit seed used to initialise the PRNG is too short. Z-Stack also uses a relatively insecure version of a linear feedback shift register (LFSR) to generate its (pseudo) random numbers. Furthermore, tests carried out by Goodspeed show that the seed itself possesses only minimal entropy. Although the seed is derived from a digitally converted analogue signal from the radio module, the values are apparently not as scattered as might be expected. The stack also fails to support reseeding, so for as long as the module is turned on, the LFSR always generates random numbers from the same seed.
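The effect of a 16-bit seed with no reseeding, as an added example that is not from the article, from Goodspeed or from Z-Stack: the generator is a textbook 16-bit Galois LFSR (taps 0xB400) used as a stand-in for the real one, and the seed 0xACE1 and all function names are constructed. It shows that a few output bytes are consistent with exactly one of the 65,536 possible seeds, which is why key material must come from a generator with a far larger, well-mixed state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in generator: textbook 16-bit Galois LFSR (taps 0xB400).
   Assumption for illustration; not Z-Stack's actual polynomial. */
static uint16_t lfsr_step(uint16_t s) {
    uint16_t lsb = s & 1u;
    s >>= 1;
    if (lsb) s ^= 0xB400u;
    return s;
}

/* Fill out[] with n bytes. There is no reseeding, so the whole
   output stream is a function of the 16-bit seed alone. */
static void prng_fill(uint16_t seed, uint8_t *out, size_t n) {
    uint16_t s = seed;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = 0;
        for (int k = 0; k < 8; k++) {
            b = (uint8_t)((b << 1) | (s & 1u));
            s = lfsr_step(s);
        }
        out[i] = b;
    }
}

/* Count the seeds whose output starts with obs[0..n-1]; the last
   matching seed is stored in *found. The loop is the entire seed space. */
static unsigned matching_seeds(const uint8_t *obs, size_t n, uint16_t *found) {
    uint8_t buf[32];
    unsigned hits = 0;
    if (n > sizeof buf) n = sizeof buf;
    for (uint32_t seed = 0; seed <= 0xFFFFu; seed++) {
        prng_fill((uint16_t)seed, buf, n);
        if (memcmp(buf, obs, n) == 0) { *found = (uint16_t)seed; hits++; }
    }
    return hits;
}

int main(void) {
    uint8_t obs[4];
    uint16_t found = 0;
    prng_fill(0xACE1u, obs, sizeof obs);   /* constructed sample output */
    unsigned hits = matching_seeds(obs, sizeof obs, &found);
    printf("seed space=65536 matches=%u seed=0x%04X\n", hits, found);
    return 0;
}
```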
ZigBee modules with integrated 8051-compatible controllers, such as the CC2430 and CC2530, containing Z-Stack version 2.2.2-1.30 are affected, as are earlier versions. TI is planning to release Z-Stack version 2.3, which should use an improved PRNG.