DOI: 10.1145/3098243.3098254

Insecure to the touch: attacking ZigBee 3.0 via touchlink commissioning

Published: 18 July 2017

Abstract

Hundreds of millions of Internet of Things devices implement ZigBee, a low-power mesh network standard, and the number is expected to grow. To facilitate easy integration of new devices into a ZigBee network, touchlink commissioning was developed. It was adopted in the latest specifications, ZigBee 3.0, which were released to the public in December 2016, as one of two commissioning options for ZigBee devices. ZigBee 3.0 products can be used in various applications, including security-critical products such as door locks and intruder alarm systems. The aim of this work is to warn against further adoption of this commissioning mode. We analyze the security of the touchlink commissioning procedure and present novel attacks that make direct use of the standard's features, showing that this commissioning procedure is insecure by design. We release an open-source penetration testing framework to evaluate the practical implications of these vulnerabilities. Evaluating our tools on popular ZigBee-certified products, we demonstrate that a passive eavesdropper can extract key material from a distance of 130 meters. Furthermore, an active attacker is able to take over devices from distances of 190 meters. Our analysis concludes that even a single touchlink-enabled device is sufficient to compromise the security of a ZigBee 3.0 network, and therefore, touchlink commissioning should not be supported in any future ZigBee products.




      Published In

      WiSec '17: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks
      July 2017
      297 pages
      ISBN: 9781450350846
      DOI: 10.1145/3098243

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 18 July 2017

      Author Tags

      1. IoT
      2. ZigBee
      3. commissioning
      4. internet of things
      5. security
      6. touchlink

      Qualifiers

      • Research-article

      Funding Sources

      • German Research Foundation (DFG)

      Conference

      WiSec '17

      Acceptance Rates

      Overall Acceptance Rate 98 of 338 submissions, 29%
