With the demand and rise of electronic equipment’s, new technologies are being developed and deployed to meet the global demands. Zigbee is one such technology in rising with low power consumption and low-cost to meet the rising market of Internet of things (IoT) networks. Zigbee is generally deployed for applications which use low data rate and low power consumption and is an open standard worldwide. Zigbee uses a different protocol than Wi-Fi networks where it uses a mesh networking protocol to create a self-healing architecture, thereby supporting much lower data rates than Wi-Fi.
Exploitation in ZigBee Devices
Although Zigbee was claimed to be one of the most secured technologies deployed for the use in the smart and IoT devices, but however with the sole dependence on Zigbee to operate these devices, and other factors like low-cost, low power consumption and easy deployment have succeeded to draw more attention than the security issues in Zigbee, thus leaving many flaws and loopholes to be exploited by the attacker.
Zigbee network uses cryptographic protection when two or more devices in the mesh Zigbee network communicate with each other, so it is crucial to make sure that the encryption keys (Network key and Link key) are properly secured every time. The security of a Zigbee network rests on the pre-assumption that the keys are securely stored and there is no chance of unencrypted transmission of the symmetric keys as they are pre-installed. However, when a new and non-preconfigured device is included in the network, chances are that for allowing encrypted communication unprotected key will most likely be sent, which will, in turn, render the whole ZigBee network vulnerable.
Zigbee networks can also be pervaded by physically accessing smart devices in homes such as smart ACs and low power lights. These devices are exploited by assuming that because of their low cost, low power consumption and limited capabilities their hardware is not tampered resistant, which paves way for the attacker to further penetrate and exploit the ZigBee network.
Different Types of Attacks Against ZigBee
ZigBee is based on 802.15.4 protocol, but however, security is not very well implemented by the developers in ZigBee. This has attracted a lot of information security professional to look into the security capabilities of the 802.15.4 protocol and also the implementation of ZigBee radios in the IoT devices. The numerous attacks against ZigBee has been identified and can be classed under the following categories namely,
Some ZigBee networks do not use proper encryption and attackers can take this advantage to sniff all the communications with the use of proper equipment. Sniffing attack in a ZigBee network generally refers to the process of collecting all the available information from a network, which is possible in a network which implements the standard generic security level protocols for communication. This can be prevented by implementing high security by preinstalling the network key on the ZigBee devices.
- Replay attacks
A replay attack is a kind of key-based attack where the attacker records approved traffic on a network and replay it at a later time to cause malicious effects. These attacks are straight forward in case of ZigBee’s which do not implement a strong encryption or do not implement encryption for communication at all. Replay attack can be evaded with the use and implementation of freshness counter. With these counters implemented, every packet of data which gets transmitted is assigned a freshness number and the counter is thus incremented for every such packet of data, and these packets only get accepted only if their count is greater than that of the freshness counter’s measuring their count. However proper conduct and usage of these counter might prove to be very grueling for the administrator of the ZigBee network who monitors it as he/she has to manually do it.
- Physical Attacks
This type of attack is the most common and involves tampering with the devices in the ZigBee devices by locating it. In fact, hard coded encryption key which might be loaded into the RAM memory are often employed by many radios operating on the ZigBee network, once the device is powered. Now, as these devices in the network are distributed and flashed, the probability of replacing these keys are very less and having known these issues, the attackers can set up special serial interfaces in order to intercept the encryption key in the ZigBee device when the power rises from flash to RAM. There are various low-cost devices like Bus Pirate and GoodFet which can be used for the above-mentioned exploit, thus proving the entire ZigBee network detrimental.
There are numerous methods other than the one mentioned above to disrupt the ZigBee network thereby rendering it unsafe. Signal jamming, reflexive jamming, maximization of frame counter are to name a few. Maximizing the frame counter is one of the most common examples of DOS in a ZigBee network, where the MIC is not verified and the frame counter is set to the maximum possible value, thus using the frame counter to ignore legitimate data packets. In this case, even if the contents of a packet transmitted are unintelligible and meaningless still the frame counter value will be accepted. Now the legitimate data packets received after the malicious packets with lower frame counter value will be ignored.
Defense Strategies and Security Best Practice Recommendations
A few of the security practices which are recommended while implementing a ZigBee WPAN networks are:
- The organizations should develop a general LR-WPAN technology security policy and proper procedures should be set up to govern the management, implementation, and operation of the ZigBee networks.
- The ZigBee network infrastructure should always be protected with the help of a Network key. The network key is implemented at all the nodes and end point including the routers, gateways, and devices are made secure. In this way nodes without a valid network key won’t be allowed to enter into the ZigBee infrastructure, thus securing the network and validating it up to a certain extent.
- Employing address filtering at the MAC layer is another security recommendation that must be kept in mind as it is in line with the IEEE 802.15.4 standard and is sometimes referred to as Access Control List (ACL) mode. Depending on the ZigBee vendor this feature should be utilized by all the nodes in the network.
- Source node authentication should be implemented across all the nodes if the ZigBee vendor supports it, this will help in the identification of the transmitting node.
- ZigBee coordinator and PAN identifier should be designated.
- Out-of-bound loading mechanism should be used to load cryptographic network keys onto the ZigBee devices. From a security viewpoint, out-of-bound should always be preferred if the vendor supports it, however, if it is not supported In-band key loading under controlled condition should be adopted.
- Enabling layer-2 security mechanisms which are supported in the IEEE 802.15.4.
- All the nodes in the ZigBee network should be preconfigured with Trust Center (TC) address. Here, TC is the central element in the ZigBee security architecture and is trusted by every device configured in the network. It should be ensured that the TC is preconfigured in all the nodes of the devices in the ZigBee network and it should be same across every node in the network.
Authored By - Sayan Upadhyay
TCS Cyber Security Practice