Zigbee Security and Exploitation for IoT Devices


While working on our training material for the Offensive IoT Exploitation course, we here at Attify did a ton of in-depth research into all the possible aspects of IoT devices. One of the components we focused on primarily, in radio-based exploitation, was Zigbee security, which is arguably the most popular IoT radio communication protocol in smart homes and medical devices.

Introduction to Zigbee

Zigbee is one of the most common communication protocols found in smart home devices and several other categories of IoT devices. Its extremely power-efficient nature, mesh networking and ease of use make Zigbee a popular choice among manufacturers.

It is a specification built on top of IEEE 802.15.4, and an open protocol created by the member companies of the Zigbee Alliance, which include TI, Silicon Labs, Philips and many others.

There have been a number of iterations of the Zigbee protocol, the most recent at the time of writing being Zigbee 3.0.

Attacks possible

Zigbee, being a radio communication protocol, suffers from the standard radio-based vulnerabilities. Some of the attacks that are possible against Zigbee communications are:

- Attackers being able to sniff the data being transmitted
- Replaying of packets after capturing them to perform malicious actions
- Sniffing of the encryption key during the initial communication
- Modification of the captured packets and then replaying them
- Spoofing-based attacks
- Denial of Service situations

This blog post is an introductory guide to setting things up in case you would like to learn Zigbee exploitation on your own and perform further exploitation of each of the vulnerabilities mentioned above.

Hardware Required

Before reading the hardware section, bear in mind that this is only one of the possible combinations you could use to get started with Zigbee security. There are innumerable types of hardware you could use instead, such as a Zigbee dev kit, a commercial IoT device emitting Zigbee signals and so on.

Below is a simple setup which you can get started with:

- Arduino Uno/Nano
- DigiKey Xbee module / Arduino Xbee shield
- Atmel RzRaven USB stick
- Attify Badge

Arduino: Arduino is the de-facto platform for getting started with any sort of electronics project. Chances are high that you have used one in your university or high school. The Nano is the smallest Arduino, but sufficient for our purposes.

DigiKey Xbee module / Xbee shield: In order to learn Zigbee, you need something which can transmit and receive Zigbee signals. The Xbee is a full-duplex transceiver capable of communicating wirelessly with other Xbee modules using the Zigbee standard protocol.

Atmel RzRaven USB stick: This is the half-duplex module which performs the “magic” of sniffing, and of transmitting modified captured Zigbee packets. If you’re familiar with other sorts of radio exploitation, consider this the “HackRF for Zigbee”.

Attify Badge: You can use this to program the Xbee module with XCTU by plugging the badge into your system. This is needed because the Xbee usually doesn’t have a mini-USB or similar port which could be used to plug it in and program it directly. In case you don’t have an Attify Badge or similar hardware, head to Amazon or your local store and order a mini-USB kit for the Xbee, something like this.

MiniUSB board for Xbee (img src : robosavvy.com)

Or you can order Attify Badge by emailing us here.


For programming and hardware connections, it’s pretty straightforward in this case. Connect power to power, GND to GND, TX to RX and RX to TX. You might want to look up the datasheet of the Xbee module version which you have with you.

Programming Arduino and Xbee

Programming Arduino

In order to program the Arduino, simply download and open the Arduino IDE from https://www.arduino.cc/en/Main/Software. Once loaded, open the hub and node programs from Attify’s GitHub repo and upload them to the two Arduinos, one after the other.

The code has been detailed with inline comments to help you understand what it does. On an additional note, the code sample provided also reads temperature, humidity and light values from the sensors and uses the DHT library. It is perfectly fine if you decide to do the entire analysis and exploitation with a hardcoded string being transmitted instead of the DHT values. If you would rather use the code as it is, make sure to buy the DHT11 and the additional devices that go along with it.

Tools needed

- Arduino * 1 https://www.sparkfun.com/products/11021
- DHT11 * 1 https://www.adafruit.com/product/386
- XBee S1 module * 2 (different configuration needed for the S2 module)
- LDR/Photocell * 1 https://www.sparkfun.com/products/9088
- BC547 * 1 https://www.sparkfun.com/products/8928
- LED * any number https://www.sparkfun.com/products/10635
- Jumper cables https://www.sparkfun.com/products/13870
- Breadboard https://www.sparkfun.com/products/12046
- Xbee shield * 2 https://www.sparkfun.com/products/12847


Node code:

Hub code:

Also below are the schematics, in case you want to build a setup identical to our starting kit:

Node Schematics:

Node Schematics for Zigbee vulnerable setup

Hub Schematics

Hub Schematics for Zigbee vulnerable setup

Once you have programmed both the Arduinos, the next step is to configure the Xbees using XCTU.

Programming Xbee

Launch XCTU and click on Discover radio modules. It will show you the list of available COM ports where devices have been plugged in. Select the one which corresponds to the Xbee module (or select all in case you are not quite sure).

The additional configuration will be 8N1 as always: 8 data bits, no parity bit and 1 stop bit. Additionally, you also need to specify the baud rate for your Xbee module. In case you are not aware of what baud rate your module is using, you can select all baud rates and XCTU will scan each of them and find the correct one for you.

Once you hit Finish, it searches for the module and identifies the device. Click on Add the Device.

Device being identified in XCTU

At this step, you’ll be shown the various properties of the device, such as the Channel and the PAN ID, the two properties which matter to us at the moment. In Zigbee, there are a total of 16 channels for each band; each channel is spaced 5 MHz apart and uses 2 MHz of bandwidth for noiseless data transmission. A list of all the Zigbee channels can be found here. The PAN ID of a Zigbee network is a unique identifier which is the same for all devices on that network.

Configure the Channel and PAN ID to any value you like; you just need to ensure that the other Xbee has the same Channel and PAN ID.
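As an added example (not Attify’s code), the Python below checks that a node/hub pairing shares Channel and PAN ID, maps a channel number to its centre frequency from the 5 MHz spacing described above, and builds the AT command-mode sequence that sets the same parameters XCTU configures. It assumes XBee 802.15.4 (S1) firmware, whose CH, ID, EE, KY, WR and CN commands are used; the AES key value in the test is constructed.

```python
"""Added example (not Attify's code): sanity-check an XBee S1 Channel/PAN ID
pairing and build the AT command-mode sequence that sets those values.

Assumed XBee 802.15.4 (S1) parameters: CH (channel, 0x0B-0x1A), ID (PAN ID,
0x0000-0xFFFF), EE/KY (AES-128 link encryption), WR (save), CN (exit).
"""
from typing import List, Optional

FIRST_CHANNEL, LAST_CHANNEL = 0x0B, 0x1A   # the 16 channels of the 2.4 GHz band
BROADCAST_PAN_ID = 0xFFFF                  # reserved by 802.15.4, never assignable


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.15.4 channel: 2405 MHz plus 5 MHz steps."""
    if not FIRST_CHANNEL <= channel <= LAST_CHANNEL:
        raise ValueError(f"channel {channel} is outside 11-26")
    return 2405 + 5 * (channel - FIRST_CHANNEL)


def can_pair(node: dict, hub: dict) -> bool:
    """Two XBees only talk to each other when both Channel and PAN ID match."""
    return node["CH"] == hub["CH"] and node["ID"] == hub["ID"]


def build_at_sequence(channel: int, pan_id: int,
                      aes_key: Optional[bytes] = None) -> List[bytes]:
    """Bytes to send over the serial link, in order, to configure the module.

    '+++' enters command mode and must be framed by one second of silence (the
    GT guard time); every AT command ends with CR. Supplying a 16-byte key turns
    on link encryption (EE 1), so sniffed frames carry ciphertext, not plaintext.
    """
    channel_center_mhz(channel)  # raises if the channel is out of range
    if not 0 <= pan_id < BROADCAST_PAN_ID:
        raise ValueError("PAN ID must be 0x0000-0xFFFE")
    cmds = [b"+++", f"ATCH{channel:X}\r".encode(), f"ATID{pan_id:04X}\r".encode()]
    if aes_key is not None:
        if len(aes_key) != 16:
            raise ValueError("KY takes a 128-bit (16-byte) key")
        cmds += [b"ATEE1\r", b"ATKY" + aes_key.hex().upper().encode() + b"\r"]
    else:
        cmds.append(b"ATEE0\r")
    cmds += [b"ATWR\r", b"ATCN\r"]  # persist to flash, then leave command mode
    return cmds


def all_ok(responses: List[bytes]) -> bool:
    """True when every module reply was 'OK' (the module answers 'ERROR' otherwise)."""
    return all(r.strip() == b"OK" for r in responses)
```

Feed the returned sequence to the module one item at a time over the 8N1 serial link, reading a reply after each command, and check the replies with all_ok before trusting the new configuration.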

Xbee properties in XCTU

That is all that is required to complete the setup of the vulnerable Zigbee lab. In the upcoming blog posts on Zigbee, we will look at some exploitation techniques which can be performed on this setup, and also take control of a commercial device emitting Zigbee signals.

If you would like to know more about IoT exploitation techniques, attend one of our public trainings.

About Attify – IoT & Mobile Security
Founded in 2013, Attify has been a global leader in IoT, mobile, big data and infrastructure security. Attify's team includes security professionals with expertise ranging in various fields including Reverse Engineering, Embedded Device security, Radio reversing, Web application pentesting and infrastructure security. Attify is also the creator of popular training courses such as "Offensive Internet of Things (IoT) Exploitation", "Advanced Android and iOS Hands-on Exploitation" and more. Attify members have also written books and papers such as "Learning Pentesting for Android Devices", "A Short Guide on ARM Exploitation" and many more. We have also presented our research at numerous conferences such as BlackHat (USA, Asia, EU, AbuDhabi) Defcon, OWASP AppSec USA, AppSec APAC, Nullcon, Toorcon, ClubHack, phDays, Syscan and more.