ZigBee (IEEE 802.15.4) is far more popular than Bluetooth, Wi-Fi or DECT for these kinds of scenarios, as it is simpler to implement (the complete stack requires only 120 KB of space) and because the wireless technology uses significantly less energy. Wright, however, concludes that "When both simplicity and low cost are goals, security suffers."

KillerBee includes a number of tools which, taken together, look a lot like the sort of attack programs familiar from Wi-Fi environments. According to Wright, the security problems, and the errors that underlie them, are reminiscent of the design problems which dogged Wi-Fi. ZigBee offers no protection against replay attacks, in which an attacker simply resends recorded packets to the network. Wright's succinct comment: "Wi-Fi was dogged by the same errors, but that was 15 years ago."

KillerBee includes applications for sniffing out any ZigBee devices in the surrounding area (zbid), for recording data streams from the wireless network (zbdump) and for replaying recorded data streams (zbreplay). Replaying packets could, according to Wright, be useful in contexts such as locks networked using ZigBee. An attacker would merely need to record the data transmitted from the lock to a control server located in the building at the moment at which a door is opened. Sending this sequence to the server via ZigBee at a later date should cause the lock to open again.

KillerBee also includes a program for cracking the secret key stored in ZigBee devices. Since many ZigBee devices have no display or keypad, the key required for encryption is frequently stored in factory-set flash memory. Where keys are exchanged over the air (OTA), they are exchanged in unencrypted form and can easily be recorded using zbdump. Recordings can subsequently be analysed in Wireshark without difficulty. zbgoodfind uses a memory dump generated using sniffer hardware developed by Travis Goodspeed to crack stored keys.
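The replay problem described above, seen from the monitoring side: an added example (not KillerBee code and not from the original article) that flags likely replayed frames in a capture that has already been reduced to (source address, 8-bit MAC sequence number, payload) records, the kind of export a Wireshark or zbdump analysis could be post-processed into. The sample frames, addresses and payloads are constructed.

```python
import hashlib
from collections import defaultdict

SEQ_MOD = 256  # the 802.15.4 MAC sequence number is one byte and wraps at 256


def fingerprint(seq, payload):
    """A replayed frame is a byte-for-byte copy, so it carries the original
    sequence number as well as the original payload; hash both together."""
    return hashlib.sha256(bytes([seq]) + payload).hexdigest()


def detect_replays(frames):
    """Return [(frame_index, reason), ...] for frames that look replayed.

    frames: iterable of (src_addr, mac_seq, payload_bytes) in capture order.
    Two per-source heuristics:
      * exact repeat of an earlier (seq, payload) pair;
      * the sequence number jumping backwards by more than half its range,
        which a live sender does not do but an injected old frame does.
    """
    seen = defaultdict(set)   # src -> fingerprints seen so far (unbounded here;
                              # a real monitor would age these out)
    last_seq = {}             # src -> most recent sequence number
    findings = []
    for idx, (src, seq, payload) in enumerate(frames):
        fp = fingerprint(seq, payload)
        if fp in seen[src]:
            findings.append((idx, f"exact repeat of earlier frame from {src}"))
        seen[src].add(fp)
        if src in last_seq:
            delta = (seq - last_seq[src]) % SEQ_MOD
            if delta == 0 or delta > SEQ_MOD // 2:
                findings.append((idx, f"sequence number regression from {src}"))
        last_seq[src] = seq
    return findings


# Constructed sample capture: a door lock (0x1a2b) reports an "open" event,
# chats normally, and then the "open" frame is injected again unchanged.
SAMPLE_FRAMES = [
    ("0x1a2b", 0x10, b"\x01open"),
    ("0x1a2b", 0x11, b"\x02status-ok"),
    ("0x1a2b", 0x12, b"\x02status-ok"),  # periodic report: new seq, not a replay
    ("0x3c4d", 0x05, b"\x03ping"),
    ("0x1a2b", 0x10, b"\x01open"),       # replayed copy of frame 0
]

if __name__ == "__main__":
    for idx, reason in detect_replays(SAMPLE_FRAMES):
        print(f"frame {idx}: {reason}")
```

Because the MAC sequence number cycles every 256 frames, the regression heuristic only sees replays injected within that window; the fingerprint check covers older copies as long as the fingerprints are retained.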
Wright's tools all work with the Atmel AVR RZ USBStick ZigBee USB stick, which costs just under $40, though if you want to record and be able to replay data simultaneously, you'll need two. To replay data, you'll also need to overwrite the device's firmware, for which you'll need an on-chip debugger and programmer, such as Atmel's AVR JTAG ICE mkII, a clone version of which can be picked up for around 50 euros. Wright is not officially selling pre-flashed sticks, but intimated to heise Security, The H's associates in Germany, that he was sure he could help out in individual cases.