2. ; cat /dev/user(Mr-IoT)
• Veerababu Penugonda
• Working @Aujas – IoT/OT Security Consultant
• Delivered talks at open security communities
• Maintaining www.iotpentest.com , Hack B4 Secure (YouTube)
• More comfortable with hardware stuff
3. What is IoT/OT..?
• IoT – Internet of Things
  A device that is connected to the internet and sends or receives data, directly or indirectly, is an Internet of Things device.
▪ OT – Operational Technology
  Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.

Scenario       IoT           OT
security       Challenging   Challenging
pentesting     Difficult     Difficult
malware        High          Medium
5. Wireless Communication Protocols in IoT
Name       Type
BLE        designed for low-power devices
Z-Wave     mesh network protocol
ZigBee     mesh local area network
6LoWPAN    lightweight IP-based communication
RFID       radio frequency identification
NFC        near field communication
etc.
6. What is Zigbee..?
Wikipedia: Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation.
A Zigbee module: https://en.wikipedia.org/wiki/File:ETRX357_ZigBee_module_with_size_ref.JPG
7. Why Zigbee..?
• Support for multiple network topologies such as point-to-point, point-to-multipoint and mesh networks
• Low duty cycle – provides long battery life
• Low latency
• Direct Sequence Spread Spectrum (DSSS)
• Up to 65,000 nodes per network
• 128-bit AES encryption for secure data connections (only as strong as the way the keys are provisioned, as the rest of this deck shows)
• Collision avoidance, retries and acknowledgements
https://www.digi.com/getattachment/resources/standards-and-technologies/zigbee-wireless-standard/Zigbeestack.png
13. Known Vulnerabilities in Zigbee
Implementation Vulnerabilities
• Insecure key storage – the attacker extracts the key from the chip (flash/RAM) or from network traffic
• Insecure key transport – the network key is sent over the air in plaintext, or protected only by a link key everybody knows
• Reused initialization vector (IV) – Zigbee encrypts with AES-CCM*, whose encryption half is CTR mode keyed by a nonce built from the sender address, frame counter and security control; if a device reuses a frame counter under the same key, the keystream repeats and XORing two ciphertexts reveals the XOR of the plaintexts
• Security headers sent in clear text – frame counter, sender address and security control are readable by anyone; the MIC (Message Integrity Code) authenticates the frame, but with weak replay protection an attacker can still replay or craft traffic that disrupts or damages the device
• Predictable sensor polling rates – an attacker who knows when a sleepy device wakes up can target those windows to keep it awake or force retries, draining its battery
14. Known Vulnerabilities in Zigbee
Protocol Vulnerabilities
• Default link key value: 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 (the ASCII string "ZigBeeAlliance09")
• Unauthenticated acknowledgement packets (ACK)
• CSMA/CA trade-off
• Unencrypted keys
• Predictable PAN IDs and limited channels (16 channels in the 2.4 GHz band, 11–26)
• Insufficient replay protection
• Signal interference
• Unauthorized network commissioning
• Lack of DDoS protection mechanisms
• Re-use of the link key
• TouchLink factory reset
• Privacy issues
https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/
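The "reused initialization vector" finding above is worth seeing concretely. The following is an added example, not code from this deck or from any Zigbee stack: it lays out the 13-byte CCM* nonce the way Zigbee builds it (sender EUI-64, frame counter, security control) and then shows why a repeated frame counter is fatal in CTR-style encryption. SHA-256 stands in for the AES block function so the script runs without a crypto library; the keystream-reuse property is identical with AES. The EUI-64 and the two command payloads are constructed values; the key is the default trust-center link key from slide 14.

```python
"""Nonce (IV) reuse in CTR-based encryption. Zigbee uses AES-CCM*, whose encryption
half is CTR mode keyed by a 13-byte nonce. Added example: SHA-256 is a stand-in PRF
for AES (NOT AES); the EUI-64 and the two payloads below are constructed."""
import hashlib
import struct

# Default trust-center link key from slide 14: the ASCII string "ZigBeeAlliance09".
DEFAULT_TC_LINK_KEY = bytes.fromhex("5A6967426565416C6C69616E63653039")


def zigbee_nonce(src_eui64: bytes, frame_counter: int, security_control: int) -> bytes:
    """13-byte CCM* nonce as Zigbee lays it out: sender extended address (8 bytes),
    frame counter (4 bytes, little-endian), security control byte (1 byte).
    0x2D = security level 5 (ENC-MIC-32), key id mode 1 (NWK key), extended nonce."""
    if len(src_eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return src_eui64 + struct.pack("<I", frame_counter) + bytes([security_control])


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key || nonce || block index) for successive blocks.
    The PRF here is SHA-256, not AES; with AES only the block size differs."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("<H", block)).digest()
        block += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """If two frames share (key, nonce): C1 xor C2 = P1 xor P2, so a known P1 (say, a
    captured On command) recovers P2 without the key, up to the shorter length."""
    n = min(len(ct_known), len(pt_known), len(ct_target))
    return bytes(ct_known[i] ^ pt_known[i] ^ ct_target[i] for i in range(n))


# Constructed scenario: a device whose frame counter restarted at 1 after a power cycle
# (no persistent counter) encrypts two different commands under the same nonce.
SRC = bytes.fromhex("0011223344556677")        # hypothetical device EUI-64
NONCE_FIRST = zigbee_nonce(SRC, 1, 0x2D)
NONCE_REUSED = zigbee_nonce(SRC, 1, 0x2D)      # same counter again: identical nonce
NONCE_FRESH = zigbee_nonce(SRC, 2, 0x2D)       # what a correct implementation sends next

PT_ON = b"ZCL OnOff cmd=ON "                   # constructed stand-ins for two APS payloads
PT_OFF = b"ZCL OnOff cmd=OFF"

CT_ON = ctr_encrypt(DEFAULT_TC_LINK_KEY, NONCE_FIRST, PT_ON)
CT_OFF_REUSED = ctr_encrypt(DEFAULT_TC_LINK_KEY, NONCE_REUSED, PT_OFF)
CT_OFF_FRESH = ctr_encrypt(DEFAULT_TC_LINK_KEY, NONCE_FRESH, PT_OFF)


def attack_succeeds_on_reuse() -> bool:
    """Known On command + reused nonce: the Off command falls out with no key at all."""
    return recover_with_known_plaintext(CT_ON, PT_ON, CT_OFF_REUSED) == PT_OFF


def attack_fails_on_fresh_nonce() -> bool:
    """Same trick against a frame with a fresh counter yields garbage."""
    return recover_with_known_plaintext(CT_ON, PT_ON, CT_OFF_FRESH) != PT_OFF


if __name__ == "__main__":
    print("recovered with reused nonce:", attack_succeeds_on_reuse())
    print("recovered with fresh nonce:", not attack_fails_on_fresh_nonce())
```

The practical consequence for a pentest: a device that loses its frame counter on reboot (or that lets an attacker force it back to 0) hands over plaintext to anyone who has captured one frame whose content they can guess, which for On/Off commands is trivial. The check is cheap to run over a capture: group frames by sender and look for a counter that does not strictly increase.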
17. Killerbee – Arsenal
zbkey
zbopenear
zborphannotify
zbpanidconflictflood
zbrealign
zbreplay
zbscapy
zbstumbler
zbwardrive
zbwireshark
• zbid - Identifies available interfaces that can be used by KillerBee and associated tools.
• zbwireshark - Similar to zbdump but exposes a named pipe for real-time capture and viewing in Wireshark.
• zbdump - A tcpdump-like tool to capture IEEE 802.15.4 frames to a libpcap or Daintree SNA packet capture file. Does not display real-time stats like tcpdump when not writing to a file.
• zbreplay - Implements a replay attack, reading from a specified Daintree DCF or libpcap packet capture file and retransmitting the frames. ACK frames are not retransmitted.
• zbstumbler - Active ZigBee and IEEE 802.15.4 network discovery tool. zbstumbler sends beacon request frames out while channel hopping, recording and displaying summarized information about discovered devices. Can also log results to a CSV file.
• zbpanidconflictflood - Requires two KillerBee interfaces: one listens for packets and records their PAN IDs, the other constantly sends out beacon packets with the found PAN IDs. Beacon packets with the same PAN ID cause the PAN coordinator to believe that there is a PAN ID conflict.
18. How it works..
No demo – the device arrived only yesterday.
KillerBee is used to attack the Philips Hue.
22. Pentest Methods..!
• Physical pentesting
  -- GoodFET and Bus Pirate
  -- Extracting the key loaded in RAM or in the EEPROM/flash chip
• OTA – Over the Air
  -- Is the device updated securely or not?
• Sniffing
• MITM
• Replay and injection
  -- Replaying or injecting packets to gain unauthorized control of Zigbee devices
23. How to pentest..?
Attack 1 : Key Sniffing
Prerequisite: an RZUSB stick successfully flashed with the KillerBee firmware
Step 1: Attach the RZUSB (custom KillerBee firmware) to an Ubuntu virtual machine
Step 2: Select the channel to sniff with zbdump (Zigbee uses channels 11–26; the target's channel can be found with zbstumbler)
Step 3: Write the captured packets to a libpcap file
Step 4: Stop sniffing and open the capture in Wireshark
Step 5: The encrypted key transport payload looks like (0xcc 0x60 0x47 0x4c 0x93 0x42 0xe2 0xf7 0x7f 0x78 0x1b 0xfb 0x26 0xe1 0xbb 0x0f 0xa1 0x15 0x79 0x13 0x64 0x92 0xde 0x6b 0xda 0x7c 0x0d 0xe2 0xd5 0xc5 0xc0 0x57 0x78 0xc4 0xa5)
Step 6: Decrypt the key with an AES decrypter, using the link key the network used to transport it (Wireshark's Zigbee dissector does this itself once the key, e.g. the default ZigBeeAlliance09, is entered in its pre-configured keys preference)
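What step 4 actually looks for in the capture is mechanical enough to script. The following is an added example, not KillerBee or Wireshark code, and it also covers two of the findings from slides 13 and 14: it walks a libpcap file of the kind zbdump writes (link type 195, IEEE 802.15.4 with FCS), strips the MAC and NWK headers, reports an APS Transport-Key command that crossed the air without NWK security (the key is readable as-is unless APS security with a non-default link key covers it), and flags any sender whose NWK frame counter fails to increase (a replayed frame, or a nonce reuse for CCM*). The capture is constructed inline; PAN ID, addresses, the frame contents and the 16-byte "key" are made-up values.

```python
"""Triage of a Zigbee capture for exposed key transport and frame-counter reuse.
Added example; the libpcap capture below is constructed (link type 195, as zbdump
writes); PAN ID, addresses and the 16-byte "key" are made up."""
import struct

DLT_IEEE802_15_4_WITHFCS = 195
APS_CMD_TRANSPORT_KEY = 0x05

def pcap_bytes(frames):
    """Little-endian libpcap file from raw MAC frames (two dummy FCS bytes appended)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_15_4_WITHFCS)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f) + 2, len(f) + 2) + f + b"\x00\x00"
    return out

def pcap_frames(data):
    """Yield raw MAC frames, FCS stripped, from a little-endian libpcap file."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + caplen - 2]
        off += 16 + caplen

def mac_payload(frame):
    """Skip the 802.15.4 MAC header; return (frame type, MAC payload)."""
    fcf = struct.unpack_from("<H", frame)[0]
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    off = 3                                                    # frame control + sequence number
    if dst_mode:
        off += 2 + (2 if dst_mode == 2 else 8)                 # dst PAN + short/extended address
    if src_mode:
        off += (0 if fcf & 0x40 else 2) + (2 if src_mode == 2 else 8)   # bit 6: PAN compression
    return fcf & 7, frame[off:]

def nwk_parse(payload):
    """NWK header plus, when the security bit (bit 9) is set, the auxiliary security header."""
    fc, dst, src, radius, seq = struct.unpack_from("<HHHBB", payload)
    off = 8 + 8 * bool(fc & 0x800) + 8 * bool(fc & 0x1000) + bool(fc & 0x100)  # dst/src IEEE, mcast
    if fc & 0x400:                                             # source route subframe
        off += 2 + 2 * payload[off]
    info = {"nwk_src": src, "nwk_secured": bool(fc & 0x200), "frame_counter": None}
    if info["nwk_secured"]:
        sec_ctrl, info["frame_counter"] = struct.unpack_from("<BI", payload, off)
        off += 5 + 8 * bool(sec_ctrl & 0x20)                   # extended nonce: sender EUI-64 follows
        off += int(((sec_ctrl >> 3) & 3) == 1)                 # key id mode 1 (NWK key): key seq no.
        # Zigbee zeroes the security-level bits on air; the real level (normally 5, ENC-MIC-32)
        # is the network's configured one, so the last 4 payload bytes are the MIC.
    info["payload"] = payload[off:]
    return info

def aps_key_exposure(nwk):
    """APS command frames that travel without NWK security (join traffic) expose the key."""
    aps = nwk["payload"]
    if nwk["nwk_secured"] or len(aps) < 3 or aps[0] & 3 != 1:  # APS frame type 1 = command
        return None
    if aps[0] & 0x20:                                          # APS security bit set
        return {"transport_key": "unknown", "aps_secured": True,
                "note": "decryptable offline if the TC link key is the default ZigBeeAlliance09"}
    if aps[2] == APS_CMD_TRANSPORT_KEY and len(aps) >= 20:     # fc, counter, cmd id, key type, key
        return {"transport_key": True, "aps_secured": False, "key_type": aps[3], "key": aps[4:20].hex()}
    return None

def frame_counter_reuse(records):
    """Frames whose NWK frame counter did not increase for that sender: replay or nonce reuse."""
    last, hits = {}, []
    for idx, nwk in records:
        fc, src = nwk["frame_counter"], nwk["nwk_src"]
        if fc is None:
            continue
        if src in last and fc <= last[src]:
            hits.append((idx, {"frame_counter_reuse": True, "nwk_src": src, "frame_counter": fc}))
        last[src] = max(fc, last.get(src, -1))
    return hits

def triage(pcap):
    findings, records = [], []
    for idx, frame in enumerate(pcap_frames(pcap)):
        ftype, payload = mac_payload(frame)
        if ftype != 1 or len(payload) < 8:                     # only MAC data frames carry NWK
            continue
        nwk = nwk_parse(payload)
        records.append((idx, nwk))
        exposure = aps_key_exposure(nwk)
        if exposure:
            findings.append((idx, exposure))
    return findings + frame_counter_reuse(records)

# Constructed capture: coordinator 0x0000 sends the NWK key to joiner 0xABCD with no
# security at all, then the joiner sends two secured frames carrying the same counter.
def mac_data(seq, pan, dst, src, nwk):                         # FCF 0x8841: data, short addrs, PAN compr.
    return struct.pack("<HBHHH", 0x8841, seq, pan, dst, src) + nwk
TRANSPORT_KEY_CLEAR = (struct.pack("<HHHBB", 0x0008, 0xABCD, 0x0000, 30, 1)            # NWK v2, unsecured
                       + bytes([0x01, 0x10, APS_CMD_TRANSPORT_KEY, 0x01])               # APS cmd, NWK key
                       + bytes.fromhex("00112233445566778899aabbccddeeff") + b"\x00"    # key, key seq
                       + bytes.fromhex("0102030405060708") + bytes.fromhex("1112131415161718"))  # dst, src
def secured_nwk(counter):                                      # NWK fc 0x0208: security bit set
    return (struct.pack("<HHHBB", 0x0208, 0x0000, 0xABCD, 30, 7) + struct.pack("<BI", 0x28, counter)
            + bytes.fromhex("0102030405060708") + b"\x00" + b"\xde\xad\xbe\xef" + b"\x00" * 4)
CAPTURE = pcap_bytes([mac_data(1, 0x1A62, 0xABCD, 0x0000, TRANSPORT_KEY_CLEAR),
                      mac_data(2, 0x1A62, 0x0000, 0xABCD, secured_nwk(10)),
                      mac_data(3, 0x1A62, 0x0000, 0xABCD, secured_nwk(10))])       # counter 10 reused
```

Run `triage(CAPTURE)` and the result is one key-exposure finding for the first frame (key type 1, the standard network key, bytes in the clear) and one frame-counter-reuse finding for the third. On a real capture the interesting variant is the middle case: an APS-secured command during a join, which is what the deck's step 6 decrypts once the link key is known.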
25. Attack 2 : Association Flooding
• After successfully sniffing the keys from the Zigbee network
• Add a device to the network without the owner's permission
• We could determine the PAN IDs for each of the devices
• Then flooded each of these device PAN IDs in turn with hundreds of Association Requests (one every 10 milliseconds)
• While performing the Association Flooding attack, we tried 14 times to use the device's functionality from SmartThings by turning the Centralite on and off
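What one of those "hundreds of Association Requests" is on the wire, and how the flood stands out in a capture, as an added example rather than the deck's or KillerBee's code. It builds the IEEE 802.15.4 Association Request MAC command frame (frame control 0xC823: command frame, ack requested, short destination, extended source) as bytes only, nothing is transmitted, and runs a sliding-window rate check over a constructed timeline of frames. The PAN IDs, coordinator address and EUI-64s are made-up values.

```python
"""Association Request frames and a rate check that catches association flooding.
Added example; frames are bytes in memory only and all identifiers are constructed."""
import struct
from collections import defaultdict

ASSOC_REQUEST = 0x01            # MAC command identifier
FCF_ASSOC_REQ = 0xC823          # MAC command, ack requested, short destination, extended source

def association_request(seq, dst_pan, coordinator_short, src_eui64, capability=0x80):
    """Association Request as a joining device sends it: destination PAN and coordinator
    short address, source PAN 0xFFFF (not yet associated), source EUI-64, command id,
    capability information (0x80 = allocate address, typical for a Zigbee end device)."""
    if len(src_eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    return (struct.pack("<HBHHH", FCF_ASSOC_REQ, seq & 0xFF, dst_pan, coordinator_short, 0xFFFF)
            + src_eui64[::-1]                                  # addresses go on air little-endian
            + bytes([ASSOC_REQUEST, capability]))

def parse_association_request(frame):
    """Inverse of the builder; None for anything that is not an Association Request of this shape."""
    if len(frame) != 19:
        return None
    fcf, seq, dst_pan, dst, src_pan = struct.unpack_from("<HBHHH", frame)
    if fcf != FCF_ASSOC_REQ or src_pan != 0xFFFF or frame[17] != ASSOC_REQUEST:
        return None
    return {"seq": seq, "dst_pan": dst_pan, "coordinator": dst,
            "src_eui64": frame[9:17][::-1], "capability": frame[18]}

def flood_alerts(timeline, window=1.0, threshold=20):
    """First moment each PAN receives more than `threshold` Association Requests inside a
    sliding `window` of seconds. Genuine joins are rare events; one every 10 ms (100/s) never is."""
    recent, alerts = defaultdict(list), {}
    for t, frame in sorted(timeline, key=lambda item: item[0]):
        req = parse_association_request(frame)
        if req is None:
            continue
        q = recent[req["dst_pan"]]
        q.append(t)
        while q[0] < t - window:
            q.pop(0)
        if len(q) > threshold and req["dst_pan"] not in alerts:
            alerts[req["dst_pan"]] = (t, len(q))
    return alerts

# Constructed timeline: a few genuine joins on PAN 0x2B00 spread over a minute, then a
# flood of 300 requests against PAN 0x1A62, one every 10 ms, each from a different EUI-64.
GENUINE = [(10.0 * i, association_request(i, 0x2B00, 0x0000, struct.pack(">Q", 0x00124B0001000000 + i)))
           for i in range(6)]
FLOOD = [(100.0 + 0.01 * i, association_request(i, 0x1A62, 0x0000, struct.pack(">Q", 0xDEAD000000000000 + i)))
         for i in range(300)]
TIMELINE = GENUINE + FLOOD

if __name__ == "__main__":
    for pan, (t, count) in flood_alerts(TIMELINE).items():
        print("PAN 0x%04X: %d association requests within 1 s at t=%.2f" % (pan, count, t))
```

The coordinator has to process every request and, for each one it accepts, allocate a short address, which is why the legitimate Centralite traffic suffers while the flood runs. The detection threshold is deliberately loose: 20 joins per second on one PAN is already far outside anything a household or plant floor produces.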
26. Attack 3: Replay Attack
• Using the information gathered during the flooding attack (PAN IDs, addresses, captured frames)
• Start the attack by replaying captured commands such as ON/OFF to play with a device like a bulb
Attack 4: Device Spoofing
• MAC spoofing attack: the attacker's device takes the MAC (extended) address of a device the owner has already added to the network
• After the association flooding attack, all of these attacks are easy to do
28. Remediations..
• Reconfigure the device securely after finding the installation bugs
• Out-of-band key loading – use a factory-generated, pre-loaded key instead of transporting the key over the air under the default link key
• Secure network admission – only admit devices through an authenticated commissioning process; never leave the network open for anyone to join
• Dynamic device ID rotation – to remediate the spoofing attacks
Follow the link: https://courses.csail.mit.edu/6.857/2017/project/17.pdf
29. References
• Cache, Johnny, Wright, Joshua, and Liu, Vincent. Hacking Exposed: Wireless. Second Edition. McGraw-Hill, 2010.
• 15.4-2011 – IEEE Standard for Local and metropolitan area networks–Part 15.4: Low-Rate Wireless Personal Area
Networks (LR-WPANs) <http://standards.ieee.org/findstds/standard/802.15.4-2011.html>
• ZigBee Security at Dartmouth Trust Lab. <http://www.cs.dartmouth.edu/~rspeers/>
• ZigBee Specification, ZigBee Document 053474r17, ZigBee Alliance, January 17, 2008
• Radmand, M. Domingo, J. Singh, J. Arnedo, A. Talevski, S. Petersen, and S. Carlsen. “ZigBee/ZigBee PRO security
assessment based on compromised cryptographic keys”. Digital Ecosystem and Business Intelligence Institute,
Curtin University of Technology, Perth, Australia
• Olawumi, K. Haataja, M. Asikainen, N. Vidgren, and P. Toivanen. “Three Practical Attacks Against ZigBee Security: Attack Scenario Definitions, Practical Experiments, Countermeasures, and Lessons Learned”, in IEEE 14th International Conference on Hybrid Intelligent Systems (HIS 2014), Kuwait. DOI: 10.1109/HIS.2014.7086198
• N. Whitehurst, T.R. Andel, and J.T.McDonald. “Exploring Security in ZigBee Networks”, in 9th Cyber and Information
Security Research Conference, 2014. ACM 978-1-4503-2812- 8/14/4
• ZigBee wireless networks and Transceivers – Shahin Farahani
• E. Y. Vasserman and N. Hopper, “Vampire attacks: draining life from wireless ad hoc sensor networks,” IEEE Trans. Mobile Computing, vol. 12, no. 2, pp. 318–332, 2013.
• Devu Manikantan Shila, Xianghui Cao, Yu Cheng, Senior Member, Zequ Yang, Yang Zhou, and Jiming Chen, “Ghost-
in-the-Wireless: Energy Depletion Attack on ZigBee”
30. References
•Ivan Vaccari, Enrico Cambiaso, and Maurizio Aiello, “Remotely Exploiting AT Command Attacks on
ZigBee Networks”
•https://phys.org/news/2017-09-flaws-smart-home-products.html
•Philipp Morgner, Stephan Mattejat, Zinaida Benenson, “Insecure to the Touch: Attacking ZigBee 3.0 via Touchlink Commissioning”
•Vidgren, K. Haataja, J. L. Patiño-Andres, J. J. Ramírez-Sanchis, and P. Toivanen, “Security threats in
ZigBee-enabled systems: Vulnerability evaluation, practical experiments, countermeasures, and
lessons learned,” in Proceedings of the 46th Annual Hawaii International Conference on System
Sciences, HICSS 2013, pp. 5132–5138, January 2013.
•Krivtsova, I. Lebedev, M. Sukhoparov et al., “Implementing a broadcast storm attack on a mission-
critical wireless sensor network,” Lecture Notes in Computer Science (including subseries Lecture
Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 9674, pp. 297–308, 2016.
•https://learn.sparkfun.com/tutorials/xbee-shield-hookup-guide/example-communication-test