ZigBee (IEEE 802.15.4) is far more popular than Bluetooth, Wi-Fi or DECT for
this kind of scenario, as it is simpler to implement – the complete stack
requires only 120 KB of space – and because the wireless technology uses
significantly less energy. Wright, however, concludes that "When both simplicity
and low cost are goals, security suffers."
KillerBee includes a number of tools which, taken together, look a lot like the
sort of attack programs familiar from Wi-Fi environments. According to Wright,
the security problems and the errors that underlie them are reminiscent of the
design problems which dogged Wi-Fi. ZigBee offers no protection against replay
attacks, in which an attacker simply resends recorded packets to the network.
Wright's succinct comment: "Wi-Fi was dogged by the same errors – but that was
15 years ago."
KillerBee includes applications for sniffing out any ZigBee devices in the
surrounding area (zbid), for recording data streams from the wireless network
(zbdump) and for replaying recorded data streams (zbreplay). Replaying packets
could, according to Wright, be useful in contexts such as locks networked using
ZigBee. An attacker would merely need to record the data transmitted from the
lock to a control server located in the building at the moment at which a door
is opened. Sending this sequence to the server via ZigBee at a later date should
cause the lock to open again.
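If a network accepts resent frames in the way described above, a passive monitor can at least flag them. The following Python is an added example, not code from the article or from KillerBee: it parses the MAC header of captured 802.15.4 data frames and reports a frame that recurs after intervening traffic from the same source, while tolerating the back-to-back duplicates that ordinary MAC retransmissions produce. The frames, addresses and PAN id are constructed for the demonstration.

```python
"""Replay-candidate detector for captured IEEE 802.15.4 data frames (added example;
not from the original article or KillerBee). It parses the minimal MAC header of
data frames with 16-bit addressing, as common in ZigBee networks, and flags a frame
when the same (sequence number, payload) from the same source recurs after other
traffic from that source; back-to-back duplicates are ordinary MAC retransmissions."""
import struct
from collections import defaultdict

def parse_frame(raw: bytes) -> dict:
    """Parse FCF, sequence number, PAN id and 16-bit addresses; return fields and payload."""
    fcf, seq = struct.unpack_from("<HB", raw, 0)
    if fcf & 0x7 != 1 or (fcf >> 10) & 3 != 2 or (fcf >> 14) & 3 != 2:
        raise ValueError("only data frames with short src/dst addressing are handled")
    dst_pan, dst = struct.unpack_from("<HH", raw, 3)
    off, src_pan = 7, dst_pan               # PAN ID compression: src PAN == dst PAN
    if not fcf & 0x40:
        (src_pan,) = struct.unpack_from("<H", raw, off)
        off += 2
    (src,) = struct.unpack_from("<H", raw, off)
    return {"seq": seq, "pan": src_pan, "src": src, "dst": dst,
            "secured": bool(fcf & 0x08), "payload": raw[off + 2:-2]}  # last 2 bytes: FCS

class ReplayDetector:
    def __init__(self, window: int = 4096):
        self.window = window                # frames back that a fingerprint stays relevant
        self.seen = defaultdict(dict)       # (pan, src) -> {(seq, payload): frame index}
        self.last_seq, self.count = {}, 0   # (pan, src) -> seq of that source's previous frame

    def observe(self, raw: bytes) -> bool:
        """Return True if this frame looks like a replayed copy of an earlier frame."""
        f = parse_frame(raw)
        key, fp = (f["pan"], f["src"]), (f["seq"], f["payload"])
        self.count += 1
        earlier = self.seen[key].get(fp)
        replay = (earlier is not None and self.count - earlier <= self.window
                  and self.last_seq.get(key) != f["seq"])
        self.seen[key][fp] = self.count
        self.last_seq[key] = f["seq"]
        return replay

def build_frame(seq: int, src: int, payload: bytes, pan: int = 0x1234, dst: int = 0) -> bytes:
    """Construct a test frame: data type, PAN ID compression, short addresses, zero FCS."""
    return struct.pack("<HBHHH", 0x8841, seq, pan, dst, src) + payload + b"\x00\x00"

def run_demo() -> list:
    """Constructed capture: a command, its retransmission, a status frame, then a replay."""
    det = ReplayDetector()
    cmd = build_frame(0x10, 0x5678, b"\x40\x01UNLOCK")
    stream = [cmd, cmd, build_frame(0x11, 0x5678, b"\x40\x01STATUS"), cmd]
    return [det.observe(frame) for frame in stream]   # -> [False, False, False, True]
```

Frames whose FCF carries extended (64-bit) addresses are rejected by the parser rather than misread; a real monitor would extend the address handling and read its frames from a zbdump capture.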
KillerBee also includes a program for cracking the secret key stored in ZigBee
devices. Since many ZigBee devices have no display or keypad, the code required
for encryption is frequently stored in factory-set Flash memory. Where keys are
exchanged over the air (OTA), they are exchanged in unencrypted form and can
easily be recorded using zbdump. Recordings can be subsequently analysed in
Wireshark without difficulty.
zbgoodfind uses a memory dump generated using sniffer hardware developed by
Travis Goodspeed to crack stored keys. Wright's tools all work with the Atmel
AVR RZ USBStick ZigBee USB stick, which costs just under $40, though if you want
to record and be able to replay data simultaneously, you'll need two. To replay
data, you'll also need to overwrite the device's firmware, for which you'll need
an on-chip debugger and programmer, such as Atmel's AVR JTAG ICE mkII, a clone
version of which can be picked up for around 50 euros. Wright is not officially
selling pre-flashed sticks, but intimated to heise Security, The H's associates
in Germany, that he was sure he could help out in 'individual cases'.