Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZigBee IEEE What it is: Attributes: Applications:

Published byMarsha Gaines Modified over 6 years ago

Similar presentations

Presentation on theme: "ZigBee IEEE What it is: Attributes: Applications:"— Presentation transcript:

1 ZigBee IEEE 802.15.4 What it is: Attributes: Applications:
a high-level communication protocol for WSNs and WPANs a M2M Area Network Technology for WLANs. Attributes: Low power consumption, low-cost, low bitrate mesh networking standard supports meter range – highly reliable stable against node failover global standards for interoperability Applications: Home Automation, Building Automation, Smart Energy, Health and Fitness, 3D gaming, Telecommunications, Retail, Industrial Control.

2 Security Architecture:
Access Control Frame address validation MAC Layer Frame Integrity, Trust Center Architecture for Secure Network Admittance. Authentication and Data Confidentiality Symmetric Key Encryption for Frames Confidentiality :AES-CTR Authentication: AES-CBC-MAC with 32,-64,128bit MAC Confidentiality & Authentication: AES -CCM with 32-,64-,128 bit MAC Supports PKI. Frame Integrity Protection against tampering for data in transit MIC 32/64/128 bits based on AES-CBC-MAC Sequential Freshness Prevention of Replay Attacks 4-Byte Frame Counter Common security concerns: Long battery life of at least 2 years is a must to pass ZigBee certification. So resource-intensive security measures are avoided to keep power consumption low and limited. Interoperability among ZigBee profiles might force security slackening. ZigBee-based devices are essentially low-cost, thus lacking protection from physical attacks using serial interfaces such as GoodFet and BusPirate.

3 Golden Rules for Security in the Residential Mode
Building blocks of ZigBee security: Key establishment, key transport, frame protection and device management. Key management is all about secure initialization, installation, processing and storage of Network Keys and Link Keys. End-to-end Data Security – Only a source and a destination device can decrypt a message using a combination of keys. The APS and NWK layers can both independently process the secure MAC frames with either encryption (confidentiality) or authentication, or both. The ZigBee Device Object (ZDO) manages security policies and security configuration for devices.

4 A real world assessment environment:
In the lab… A real world assessment environment: Testing a smart device model for lighting and temperature control based on ZigBee Home Automation Profile Development Kits: Xbee and Texas Instruments ZigBee Coordinator (ZC/ZTC) – Xbee RF Module/CC2531 USB Dongle (0x0000) ZigBee End Device (ZED) – Xbee RF Module/CC2530 development board (0x6EC7) - set up as a monitoring node, fitted with: temperature sensor, LED and LDR for light sensing/emission and light intensity measurement. ZigBee Router (ZR) – Xbee RF Module/CC2530 development board (0xCEBC)

5 ZigBee Logical Device Types and Functions
Node Types RFD – Reduced Function Device FFD – Full Function Device ZigBee Coordinator (FFD, parent) starts the network, maintains neighbor and router lists. acts as Trust Center for secure node joining (authenticates new joiner). PAN Coordinator functions for network and security management. can update link key and network key periodically. transfers application packets. ZigBee End Devices (RFD or FFD, child) battery-powered radios with short duty-cycles. sensor nodes for data sampling. can be routed using a ZigBee gateway. transfers application packets. ZigBee Router (FFD) Allows devices to join the network Multi-hop communication

6 ZigBee deployment flaws in Residential Mode
Attack Vector Analysis Assessing insecure implementation risks

7 1. EAVESDROPPING FOR NETWORK DISCOVERY & DEVICE IDENTIFICATION
Network discovery: Sniffing of the Unencrypted MAC Header to identify configuration, node addresses, stack profile and PAN IDs from Beacon Responses sent to end devices by Coordinators and Routers. SENSOR NODE Legitimate Beacon Request Frame (0x07) Packet Capture Spoofed Beacon Request Frame COORDINATOR Unencrypted Beacon Response Frame [PAN ID, source address, stack profile, stack version, and IEEE address] EXPLOIT DEVICE SNIFFED

8 2. REPLAY ATTACK – OFFLINE MODE
The Frame Counter in the NWK layer drops replayed packets. But the MAC layer is vulnerable to replay of MAC command frames as the layer cannot process an incoming frame counter. SENSOR NODE Legitimate Data Request CAPTURED COORDINATOR Replay of the captured LED ON/OFF packets excluding ACK frame on the channel. Delay of 1/10th of a second between each frame. EXPLOIT DEVICE

9 3. DENIAL OF SERVICE (A). PACKET INJECTION IN REAL-TIME
Effecting short-term unavailability of the coordinator’s services for a legitimate device by causing bandwidth consumption and node energy draining. Continuous packet injection to expend bandwidth. Injecting a spoofed beacon request frame on a loop with a 1-sec delay COORDINATOR EXPLOIT DEVICE ZC does not respond to legitimate requests from network nodes. Node energy drain due to extended ‘wake’ state caused by its retransmission loop in anticipation of response.

10 3. ASSOCIATION FLOOD IN REAL-TIME
Disengaging a legitimate device and preventing rejoin using a syn flood attack. Some vendors defend against this using device identity tables to detect suspicious behavior. Injecting a forged combination of association request and data request on a loop with a 1-sec delay COORDINATOR Continuous stream of Association Responses Association table overflows, expending processing memory. EXPLOIT DEVICE Coordinator’s Communication with legitimate nodes is obstructed.

11 4. PAN ID CONFLICT ATTACK Sabotaging the PAN Coordinator’s network management by means of manipulation which is in essence, the initiation of a persistent conflict of PAN IDs. Continuous sniffing of the network to collect PAN IDs, extended PAN IDs and channel. Coordinator senses PAN ID Conflict and realigns network to a new PAN ID for every conflicting PAN ID replayed. EXPLOIT DEVICE 1 COORDINATOR 0x94ac 0x8b43 0x6335 Nodes struggle to keep up with rapid PAN ID rotation process which is triggered repetitively. After a few seconds, communication disintegrates. Continuous broadcast replay of forged association responses on the channel; impersonating the PAN Coordinator. 0x72bc EXPLOIT DEVICE 2

12 OTA key provisioning vs. Pre-configured Keys
Network key is delivered in plaintext to end device - higher susceptibility to key sniffing. Keys are pre-installed by vendor in manufacture - unless keys are updated, knowledge of the default keys of the vendor can be used to make an illegitimate node (of the same vendor) join the network. - physical attacks often attempted. Key rotation process is supported. Key rotation / revocation is not possible. All data is initially encrypted with network key until link keys are derived. After device pairing, all data is encrypted with pre-installed link key. Widely preferred for large scale deployments for ease of set up since employees need not handle activation procedures. Small deployments in home automation are more likely to use this method of key provisioning. Trust Center in the Residential Mode or Standard Security Mode maintains only the standard network keys. We deem it necessary for deployers to equip the TC host with enough resources to maintain a list of nodes and network policies to incorporate the resilience features of the High Security Mode to the extent possible while maintaining the low-cost factor. The OTA key provisioning mechanism must be bolstered by other security measures to reduce key sniffing/reuse vulnerabilities. Optimally leverage the AES-based security framework and Trust Center controls to harden the network ecosystem.

13 Best Practices Security at the MAC Layer Node Revival Nonce Reuse
MAC Layer only secures its own frames between neighboring nodes (no end-to-end protection as in APS layer) ACL-based node admission and Unsecured Mode are unreliable. MIC must be used to validate frame check sum and message sequence. Node Revival Association/Syn Floods and PAN ID Conflict Attacks aim at disengaging nodes and disrupting coordinator responses. Disconnected nodes are not immediately discernible. Set Node Join Time parameter to ’Always’. Nonce Reuse Sequential message numbers (nonces) can help detect and prevent replay attacks. Nonces must always be distinct although the security key is same for two messages. Attackers can spoof messages by copying the same nonce used by a previous message. Save nonces in NVRAM so that status is preserved after a power failure. Preventing Physical Attacks Debuggers and key sniffers are used to extract encryption keys from firmware on any node. Existing key is usually not invalidated once a node is removed from the network – this eases rogue entry into network. Tamper-proofing nodes and Out-of-band key loading via serial ports helps eliminate exposure to sniffing.

14 About Us: Aleph Tav Technologies is a security testing service provider founded in the year 2015 and headquartered in Chennai, India. We strive to equip companies with knowledge and actionable insights to help them put up a winning fight against threats to information security. Our vision is to help people and enterprises embrace technology whilst being fully aware of the danger that it can pose to their credibility and business Our services include: Ethical Hacking, Managed Security Services, Application Security, Network Security, Security Testing, Enterprise Security, Security for IoT, SCADA Security, Digital Forensics

Download ppt "ZigBee IEEE What it is: Attributes: Applications:"

Similar presentations

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.

Jason Li Jeremy Fowers. Background Information Wireless sensor network characteristics General sensor network security mechanisms DoS attacks and defenses.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Topic 3: Sensor Networks and RFIDs Part 4 Instructor: Randall Berry Northwestern University MITP 491: Selected Topics.

Topic 3: Sensor Networks and RFIDs Part 4 Instructor: Randall Berry Northwestern University MITP 491: Selected Topics.
Zigbee By: Adel Al-Ghamdi214919 Adel Al-Ghamdi214919 Yousef Al-Rasheedi 215715 Yousef Al-Rasheedi 215715For: Dr. Adnan Al-Andalusi.

Zigbee By: Adel Al-Ghamdi Adel Al-Ghamdi Yousef Al-Rasheedi Yousef Al-Rasheedi For: Dr. Adnan Al-Andalusi.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Wireless Sensors and Wireless Sensor Networks (WSN) Darrell Curry.

Wireless Sensors and Wireless Sensor Networks (WSN) Darrell Curry.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
ZIGBEE PROTOCOL FOR WIRLEESS SENSOR NETWORK ZIGBEE PROTOCOL FOR WIRLEESS SENSOR NETWORK Research paper Lina kazem 43580340.

ZIGBEE PROTOCOL FOR WIRLEESS SENSOR NETWORK ZIGBEE PROTOCOL FOR WIRLEESS SENSOR NETWORK Research paper Lina kazem
Fault Tolerance in ZigBee Wireless Sensor Networks

Fault Tolerance in ZigBee Wireless Sensor Networks
doc.: IEEE <doc#> ZigBee Technical Overview

doc.: IEEE <doc#> ZigBee Technical Overview
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
ZigBee. Introduction Architecture Node Types Network Topologies Traffic Modes Frame Format Applications Conclusion Topics.

ZigBee. Introduction Architecture Node Types Network Topologies Traffic Modes Frame Format Applications Conclusion Topics.
IEEE 802.15.4 and Zigbee Overview. Topics 802.15.4 ZigBee Competing Technologies Products Some Motorola Projects Slide 2Joe Dvorak, Motorola9/27/05.

IEEE and Zigbee Overview. Topics ZigBee Competing Technologies Products Some Motorola Projects Slide 2Joe Dvorak, Motorola9/27/05.
Zigbee Mesh Networking 16 August 2015 Raoul van Bergen Field Application Engineer Embedded – EMEA Digi International.

Zigbee Mesh Networking 16 August 2015 Raoul van Bergen Field Application Engineer Embedded – EMEA Digi International.
1 Hello ZigBee Speaker : 施創宏 Advisor : 吳坤熹. 2 Outline  1.3 ZigBee in the Marketplace  1.4 Hello ZigBee (A First ZigBee Network)  1.5 ZigBee Home Automation.

1 Hello ZigBee Speaker : 施創宏 Advisor : 吳坤熹. 2 Outline  1.3 ZigBee in the Marketplace  1.4 Hello ZigBee (A First ZigBee Network)  1.5 ZigBee Home Automation.
ZigBee.

ZigBee.
Software Solutions for Product Developers Copyright 2005 Software Technologies Group, Inc. All Rights Reserved. An Overview of ZigBee The Power of the.

Software Solutions for Product Developers Copyright 2005 Software Technologies Group, Inc. All Rights Reserved. An Overview of ZigBee The Power of the.
Security Considerations for IEEE 802.15.4 Networks Karthikeyan Mahadevan.

Security Considerations for IEEE Networks Karthikeyan Mahadevan.
Member of Radiocrafts What is ZigBee? -Open global standard with an alliance of members (175+) promoted by Chipcon, Mitsubishi, Philips, Honeywell ++.

Member of Radiocrafts What is ZigBee? -Open global standard with an alliance of members (175+) promoted by Chipcon, Mitsubishi, Philips, Honeywell ++.

Similar presentations

Ads by Google