IoT Security-Zigbee
Null Bangalore/G4H/OWASP
; cat /dev/user(Mr-IoT)
• Veerababu Penugonda
• Working @Aujas – IoT/OT Security Consultant
• Delivered talks in Open security communities
• Maintaining www.iotpentest.com , Hack B4 Secure (YouTube)
• More comfortable with hardware stuff
What is IoT/OT..?
• IoT – Internet of Things
• A device that is connected to the internet and receives or shares data, directly or indirectly, is called an Internet of Things device
▪ OT – Operational Technology
– Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
Scenario     IoT           OT
security     Challenging   Challenging
pentesting   Difficult     Difficult
malware      High          Medium
Why Wireless communication..?
Instead of this
Wireless Communication Protocols in IoT
Name      Type
BLE       designed for lower-powered devices
Zwave     mesh network protocol
ZigBee    mesh local area network
6LoWPAN   lightweight IP-based communication
RFID      radio frequency identification
NFC       near field communication
etc.
What is Zigbee..?
Wikipedia: Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation.
A Zigbee module
https://en.wikipedia.org/wiki/File:ETRX357_ZigBee_module_with_size_ref.JPG
Why Zigbee..?
• Support for multiple network topologies such as point-to-point, point-to-multipoint and mesh networks
• Low duty cycle – provides long battery life
• Low latency
• Direct Sequence Spread Spectrum (DSSS)
• Up to 65,000 nodes per network
• 128-bit AES encryption for secure data connections
• Collision avoidance, retries and acknowledgements
https://www.digi.com/getattachment/resources/standards-and-technologies/zigbee-wireless-standard/Zigbeestack.png
How it works..?
Where it is Used..?
Home Automation
Healthcare
Smart Energy
Building Automation
Zigbee Certified Products
http://www.zigbee.org/zigbee-products-2/#zigbeecertifiedproducts/?view_30_filters=%5B%7B%22field%22%3A%22field_1%22%2C%22operator%22%3A%22is%20not%20blank%22%7D%5D&view_30_page=1
Zigbee vulnerability Test Cases
https://youtu.be/Ed1OjAuRARU
Known Vulnerabilities in Zigbee
Implementation Vulnerabilities
• Insecure key storage – (an attacker extracts the key from the chip or from the network)
• Insecure key transportation – (plaintext key sent over the air)
• Reusing the initialization vector (IV) – (the nonce used with the secret key for data encryption (AES-CTR) is repeated)
• Sending security headers in clear text – (can cause device damage – lack of replay protection – MIC (message integrity code))
• Predictable sensor polling rates – (can cause device damage – sleep and wake-up timing)
Protocol Vulnerabilities
• Default link key values (5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 – "ZigBeeAlliance09")
• Unauthenticated acknowledgement packets (ACK)
• CSMA/CA trade-off
• Unencrypted keys
• Predictable PAN IDs and limited channels
• Insufficient replay protections
• Signal interference
• Unauthorized network commissioning
• Lack of DDoS protection mechanisms
• Re-using link key
• TouchLink factory reset
• Privacy issues
https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/
Pen-testing Tools
Hardware
• Bus Pirate (Hardware)
• GoodFET (Hardware)
• RZUSBSTICK (Protocol)
• Chibi
• Memsic TelosB (TPR2420)
Software
• KillerBee
• SECBEE
• Z3sec
• Api-do
• Attify ZigBee framework
Killerbee – Arsenal
zbassocflood
zbcat
zbconvert
zbdsniff
zbdump
zbfakebeacon
zbfind
zbgoodfind
zbid
zbjammer
zbkey
zbopenear
zborphannotify
zbpanidconflictflood
zbrealign
zbreplay
zbscapy
zbstumbler
zbwardrive
zbwireshark
• zbid – Identifies available interfaces that can be used by KillerBee and associated tools.
• zbwireshark – Similar to zbdump but exposes a named pipe for real-time capture and viewing in Wireshark.
• zbdump – A tcpdump-like tool to capture IEEE 802.15.4 frames to a libpcap or Daintree SNA packet capture file. Does not display real-time stats like tcpdump when not writing to a file.
• zbreplay – Implements a replay attack, reading from a specified Daintree DCF or libpcap packet capture file and retransmitting the frames. ACK frames are not retransmitted.
• zbstumbler – Active ZigBee and IEEE 802.15.4 network discovery tool. Zbstumbler sends beacon request frames out while channel hopping, recording and displaying summarized information about discovered devices. Can also log results to a CSV file.
• zbpanidconflictflood – Requires two KillerBee interfaces: one KillerBee interface listens for packets and marks their PAN ID. The other interface constantly sends out beacon packets with the found PAN IDs. The beacon packets with the same PAN ID cause the PAN coordinator to believe that there is a PAN ID
How it works..
No demo – device reached just yesterday
Killerbee – to attack the Philips Hue
Attify Zigbee Framework – GUI wrapper for KillerBee
https://www.youtube.com/watch?v=uivlSdqWS48
Custom vulnerable lab development..?
Requirements
Arduino * 1 https://www.sparkfun.com/products/11021
DHT11 basic temperature-humidity sensor + extras https://www.adafruit.com/product/386
LDR/Photocell * 1 https://www.sparkfun.com/products/9088
BC547 * 1 https://www.sparkfun.com/products/8928
LED * any number https://www.sparkfun.com/products/10635
Jumper cables https://www.sparkfun.com/products/13870
Breadboard https://www.sparkfun.com/products/12046
Xbee shield * 2 https://www.sparkfun.com/products/12847
https://www.cybrary.it/channelcontent/zigbee-security-and-exploitation-for-iot-devices/
https://github.com/attify/zigbee-security-exploitation
https://images.digi.com/products/xctu_layout
Device being identified in XCTU
Pentest Methods..!
• Physical pentesting
-- GoodFET and Bus Pirate
-- Extracting the key that is loaded in the RAM or EEPROM chips
• OTA – Over the Air
– Is the device updating securely or not?
• Sniff
• MiTM
• Replay and Injection
- Replay / inject packets to gain unauthorized access to Zigbee devices
How to pentest..?
Attack 1 : Key Sniffing
Prerequisite: the RZUSB stick must be flashed successfully with the KillerBee firmware
Step 1: Attach the RZUSB stick with our custom KillerBee firmware to an Ubuntu virtual machine
Step 2: Select the channel number to sniff with zbdump (channels)
Step 3: Output the packet capture data to a libpcap file
Step 4: Stop sniffing and open the packet capture data in Wireshark
Step 5: The encrypted key might look like (0xcc 0x60 0x47 0x4c 0x93 0x42 0xe2 0xf7 0x7f 0x78 0x1b 0xfb 0x26 0xe1 0xbb 0x0f 0xa1 0x15 0x79 0x13 0x64 0x92 0xde 0x6b 0xda 0x7c 0x0d 0xe2 0xd5 0xc5 0xc0 0x57 0x78 0xc4 0xa5)
Step 6: Decrypt the key with an AES decrypter
Example sniffed cap file of ZigBee
Attack 2 : Association Flooding
• After successfully sniffing the keys from the Zigbee network
• Add the device into the network without the owner's permission
• We could determine the PAN IDs for each of the devices, and flooded each of these device PAN IDs in turn with hundreds of association requests (one every 10 milliseconds)
• While we performed our association flooding attack, we tried to access 14 functionalities of the SmartThings by turning the Centralite on and off.
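The association flooding described above, seen from the defending side: an added example (not part of the deck, not KillerBee code) that parses IEEE 802.15.4 association-request command frames and raises one alert when a single PAN ID receives more join requests per second than a rate threshold allows. The frame-control constant, the thresholds, the addresses and the sample traffic are assumptions constructed for this example.

```python
"""Association-request flood detector over IEEE 802.15.4 MAC command frames.
Rate check per destination PAN ID; all frames and thresholds are constructed assumptions."""
import struct
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

MAC_CMD_ASSOC_REQ = 0x01
# Frame control of a typical association request: MAC command frame, ACK requested,
# 16-bit destination address, 64-bit source address, no PAN ID compression.
FC_ASSOC_REQ = 0xC823


def parse_assoc_request(buf: bytes) -> Optional[Tuple[int, int]]:
    """Return (destination PAN ID, source IEEE address) for an association request, else None."""
    if len(buf) < 19:
        return None
    fc, _seq, dst_pan, _dst_addr, _src_pan = struct.unpack_from("<HBHHH", buf, 0)
    if fc != FC_ASSOC_REQ or buf[17] != MAC_CMD_ASSOC_REQ:
        return None
    src_ieee = struct.unpack_from("<Q", buf, 9)[0]
    return dst_pan, src_ieee


def build_assoc_request(dst_pan: int, src_ieee: int, seq: int = 0) -> bytes:
    """Constructed association request to the coordinator (short address 0x0000)."""
    return struct.pack("<HBHHHQBB", FC_ASSOC_REQ, seq & 0xFF, dst_pan, 0x0000,
                       0xFFFF, src_ieee, MAC_CMD_ASSOC_REQ, 0x8E)


class AssocFloodDetector:
    """One alert per PAN ID once association requests exceed max_per_window inside window_ms.
    Threshold assumption: a home network sees a few joins per minute, not ten per second."""

    def __init__(self, window_ms: int = 1000, max_per_window: int = 10) -> None:
        self.window_ms = window_ms
        self.max_per_window = max_per_window
        self.recent: Dict[int, deque] = defaultdict(deque)   # PAN ID -> request timestamps (ms)
        self.sources: Dict[int, set] = defaultdict(set)      # PAN ID -> distinct sender addresses
        self.alerted: set = set()

    def observe(self, ts_ms: int, buf: bytes) -> Optional[dict]:
        parsed = parse_assoc_request(buf)
        if parsed is None:
            return None                         # not an association request
        pan, src = parsed
        window = self.recent[pan]
        window.append(ts_ms)
        while window and ts_ms - window[0] > self.window_ms:
            window.popleft()                    # drop requests older than the window
        self.sources[pan].add(src)
        if len(window) > self.max_per_window and pan not in self.alerted:
            self.alerted.add(pan)
            return {"pan_id": pan, "requests_in_window": len(window),
                    "distinct_sources": len(self.sources[pan]), "at_ms": ts_ms}
        return None


def run_sample() -> List[dict]:
    """Three normal joins one second apart, then a 200-request flood on the same PAN
    (one every 10 ms, as in the deck), then a single join on a quiet PAN."""
    det = AssocFloodDetector()
    events = [(i * 1000, build_assoc_request(0x1A62, 0x00124B0000000001 + i, i))
              for i in range(3)]
    events += [(10_000 + i * 10, build_assoc_request(0x1A62, 0xDEAD000000000000 + i, i))
               for i in range(200)]
    events.append((20_000, build_assoc_request(0x2B7C, 0x00124B00000000FF)))
    alerts = [det.observe(ts, frame) for ts, frame in events]
    return [a for a in alerts if a is not None]
```

In a real deployment the timestamps and frame bytes would come from a zbdump/zbwireshark capture rather than from the constructed event list.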
Attack 3: Replay Attack
• After getting the information from the flooding attack
• Start the attack using commands like ON/OFF to play with a device such as a bulb
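The replay attack above, together with the "insufficient replay protections" and clear-text security header items in the vulnerability list, turns on the NWK frame counter. This added example (not from the deck or from KillerBee) parses the Zigbee NWK auxiliary security header and applies the per-sender incoming frame counter check a receiver uses to reject retransmitted frames, and it also flags NWK frames that carry no security at all. Header offsets follow the Zigbee NWK specification; the sample frames, addresses and payload bytes are constructed.

```python
"""Replay and missing-security check over Zigbee NWK frames (constructed samples).
Keeps a per-sender incoming frame counter, the receiver-side mechanism that
rejects retransmitted frames such as those zbreplay sends."""
import struct
from dataclasses import dataclass
from typing import List, Optional

NWK_FC_SECURITY = 1 << 9    # NWK frame control bit 9: security sub-field
NWK_FC_DST_IEEE = 1 << 11   # bit 11: destination IEEE address present in NWK header
NWK_FC_SRC_IEEE = 1 << 12   # bit 12: source IEEE address present in NWK header
KEY_ID_NETWORK = 1          # security control key identifier 1 = network key


@dataclass
class NwkFrame:
    secured: bool
    src_short: int
    key_id: Optional[int] = None
    frame_counter: Optional[int] = None
    src_ieee: Optional[int] = None
    key_seq: Optional[int] = None


def parse_nwk(buf: bytes) -> NwkFrame:
    """Parse the NWK header and, if the security bit is set, the auxiliary security header."""
    if len(buf) < 8:
        raise ValueError("NWK header truncated")
    fc, _dst, src = struct.unpack_from("<HHH", buf, 0)
    off = 8                                  # fc(2) dst(2) src(2) radius(1) seq(1)
    if fc & NWK_FC_DST_IEEE:
        off += 8
    if fc & NWK_FC_SRC_IEEE:
        off += 8
    frame = NwkFrame(secured=bool(fc & NWK_FC_SECURITY), src_short=src)
    if not frame.secured:
        return frame                         # payload travels in clear text
    if len(buf) < off + 5:
        raise ValueError("auxiliary security header truncated")
    ctrl = buf[off]
    # Security level bits 0-2 are zeroed on the air; bits 3-4 key id, bit 5 extended nonce.
    frame.key_id = (ctrl >> 3) & 0x3
    frame.frame_counter = struct.unpack_from("<I", buf, off + 1)[0]
    off += 5
    if ctrl & 0x20:                          # extended nonce: sender IEEE address follows
        if len(buf) < off + 8:
            raise ValueError("source IEEE address truncated")
        frame.src_ieee = struct.unpack_from("<Q", buf, off)[0]
        off += 8
    if frame.key_id == KEY_ID_NETWORK:       # network key: key sequence number follows
        if len(buf) < off + 1:
            raise ValueError("key sequence number truncated")
        frame.key_seq = buf[off]
    return frame


class ReplayMonitor:
    """Highest frame counter seen per sender; a frame that does not advance it is a replay."""

    def __init__(self) -> None:
        self.last_counter = {}

    def check(self, buf: bytes) -> str:
        frame = parse_nwk(buf)
        if not frame.secured:
            return "UNSECURED"
        # Key on the IEEE address when the extended nonce carries it, otherwise on the
        # short address (assumption: a real stack resolves it through its neighbor table).
        sender = frame.src_ieee if frame.src_ieee is not None else frame.src_short
        last = self.last_counter.get(sender)
        if last is not None and frame.frame_counter <= last:
            return "REPLAY"
        self.last_counter[sender] = frame.frame_counter
        return "OK"


def build_frame(src_short: int, counter: Optional[int],
                src_ieee: int = 0x00124B0001020304, key_seq: int = 0) -> bytes:
    """Constructed NWK data frame; counter=None builds an unsecured frame."""
    secured = counter is not None
    fc = 0x0048 | (NWK_FC_SECURITY if secured else 0)   # data frame, protocol v2, route discovery
    hdr = struct.pack("<HHHBB", fc, 0x0000, src_short, 30, 1)
    if not secured:
        return hdr + b"\x00\x01\x02"                     # plaintext APS payload placeholder
    ctrl = 0x20 | (KEY_ID_NETWORK << 3)                  # extended nonce + network key
    aux = struct.pack("<BIQB", ctrl, counter, src_ieee, key_seq)
    return hdr + aux + b"\xde\xad\xbe\xef"               # ciphertext + MIC placeholder


SAMPLE_FRAMES = [
    build_frame(0x1234, 10),
    build_frame(0x1234, 11),
    build_frame(0x1234, 11),     # the previous frame retransmitted, as zbreplay would
    build_frame(0x1234, 5),      # an older captured frame replayed later
    build_frame(0x1234, None),   # NWK frame sent without security
    build_frame(0x5678, 1, src_ieee=0x00124B00AABBCCDD),
    build_frame(0x1234, 12),
]


def run_sample() -> List[str]:
    """Verdict per sample frame, in order."""
    monitor = ReplayMonitor()
    return [monitor.check(f) for f in SAMPLE_FRAMES]
```

A device that accepts the third and fourth sample frames is the one a zbreplay run would switch on and off; the counter check is what the "insufficient replay protections" item says is missing.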
Attack 4: Device Spoofing
• MAC spoofing attack, where the device needs to be added to the owner's network
• After the association flooding attack, all these attacks are easy to do
Example MAC Address
http://learn.linksprite.com/wp-content/uploads/2016/05/Screen-Shot-2016-05-12-at-10.56.14-PM-1024x455.png
Remediations..
• Reconfigure the device securely after finding the installation bugs
• Out-of-band key loading method – using a factory-generated and pre-loaded key
• Secure network admission
• Dynamic device ID rotation – to remediate the spoofing attacks
Follow the link: https://courses.csail.mit.edu/6.857/2017/project/17.pdf

More Related Content

What's hot

Introduction à la sécurité des WebServices
Introduction à la sécurité des WebServicesIntroduction à la sécurité des WebServices
Introduction à la sécurité des WebServices
ConFoo
 

What's hot (20)

Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet Processing
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applications
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Rust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with EmbassyRust Embedded Development on ESP32 and basics of Async with Embassy
Rust Embedded Development on ESP32 and basics of Async with Embassy
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Trace kernel code tips
Trace kernel code tipsTrace kernel code tips
Trace kernel code tips
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Introduction à la sécurité des WebServices
Introduction à la sécurité des WebServicesIntroduction à la sécurité des WebServices
Introduction à la sécurité des WebServices
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
Wireshark
WiresharkWireshark
Wireshark
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 

Similar to IoT security zigbee -- Null Meet bangalore

IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
WSO2
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
HITCON GIRLS
 

Similar to IoT security zigbee -- Null Meet bangalore (20)

ioT-SecurityECC-v1
ioT-SecurityECC-v1ioT-SecurityECC-v1
ioT-SecurityECC-v1
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
IOT Exploitation
IOT Exploitation	IOT Exploitation
IOT Exploitation
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
 
Day4
Day4Day4
Day4
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth  - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth  - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 

Recently uploaded

Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
amitlee9823
 
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Mayapuri  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men  🔝Muzaffarpur🔝  ...➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men  🔝Muzaffarpur🔝  ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
amitlee9823
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
amitlee9823
 
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
gajnagarg
 
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men 🔝Deoghar🔝 Escorts...
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men  🔝Deoghar🔝   Escorts...➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men  🔝Deoghar🔝   Escorts...
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men 🔝Deoghar🔝 Escorts...
amitlee9823
 
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
ehyxf
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
gajnagarg
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
amitlee9823
 
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in DammamAbortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
ahmedjiabur940
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
amitlee9823
 
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get CytotecAbortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men 🔝kakinada🔝 Escor...
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men  🔝kakinada🔝   Escor...➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men  🔝kakinada🔝   Escor...
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men 🔝kakinada🔝 Escor...
amitlee9823
 

Recently uploaded (20)

Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
Hosa Road Call Girls Service: ☎ 7737669865 ☎ High Profile Model Escorts | Ban...
 
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Mayapuri  (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Mayapuri (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men  🔝Muzaffarpur🔝  ...➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men  🔝Muzaffarpur🔝  ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
 
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
Just Call Vip call girls Bhiwandi Escorts ☎️9352988975 Two shot with one girl...
 
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men 🔝Deoghar🔝 Escorts...
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men  🔝Deoghar🔝   Escorts...➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men  🔝Deoghar🔝   Escorts...
➥🔝 7737669865 🔝▻ Deoghar Call-girls in Women Seeking Men 🔝Deoghar🔝 Escorts...
 
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
怎样办理圣芭芭拉分校毕业证(UCSB毕业证书)成绩单留信认证
 
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Th...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Th...Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Th...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Th...
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
 
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
 
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Dharwad 7001035870 Whatsapp Number, 24/07 Booking
 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
 
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chikhali Call Me 7737669865 Budget Friendly No Advance Booking
 
Guwahati Escorts Service Girl ^ 9332606886, WhatsApp Anytime Guwahati
Guwahati Escorts Service Girl ^ 9332606886, WhatsApp Anytime GuwahatiGuwahati Escorts Service Girl ^ 9332606886, WhatsApp Anytime Guwahati
Guwahati Escorts Service Girl ^ 9332606886, WhatsApp Anytime Guwahati
 
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in DammamAbortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
Abortion Pill for sale in Riyadh ((+918761049707) Get Cytotec in Dammam
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get CytotecAbortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get Cytotec
 
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men 🔝kakinada🔝 Escor...
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men  🔝kakinada🔝   Escor...➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men  🔝kakinada🔝   Escor...
➥🔝 7737669865 🔝▻ kakinada Call-girls in Women Seeking Men 🔝kakinada🔝 Escor...
 

IoT security zigbee -- Null Meet bangalore

  • 2. ; cat /dev/user(Mr-IoT) • Veerababu Penugonda • Working @Aujas – IoT/OT Security Consultant • Delivered talks in Open security communities • Maintaining www.iotpentest.com , Hack B4 Secure (YouTube) • More comfortable with hardware stuff
  • 3. What is IOT/OT..? • IoT – Internet of things • A device which is connected to internet and receiving or sharing data directly or indirectly called Internet of thing ▪ OT – Operational Technology – Which is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. Scenario IoT OT security Challenging Challenging pentesting Difficult Difficult malware High Medium
  • 5. Wireless Communication Protocols in IoT Name Type BLE designed for lower-powered devices Zwave mesh network protocol ZigBee mesh local area network 6LoWPAN lightweight IP-based communication RFID radio frequency identification NFC Near field communication etc
  • 6. What is Zigbee..? Wikipedia : Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation A Zigbee module https://en.wikipedia.org/wiki/File:ETRX357_ZigBee_module_with_si ze_ref.JPG
  • 7. Why Zigbee..? • Support for multiple network topologies such as point-to-point, point-to-multipointand mesh networks • Low duty cycle – provides long battery life • Low latency • Direct Sequence Spread Spectrum (DSSS) • Up to 65,000 nodes per network • 128-bit AES encryptionfor secure data connections • Collision avoidance,retries and acknowledgements https://www.digi.com/getattachment/resources/standards-and-technologies/zigbee-wireless-standard/Zigbeestack.png
  • 9. Where it is Used..? Home Automati on Healthca re Smart Energy Building Automati on
  • 11. Zigbee vulnerability Test Cases https://youtu.be/Ed1OjAuRARU
  • 13. Known Vulnerabilities in Zigbee Implementation Vulnerabilities • Insecure key storage – (attacker extract key from the chip or nwk) • Insecure key transportation–( Plaintext key on OTA ) • ReusingInitializationVector (IV) – (where secret key stored for data encryption(AES-CTR) • Sending security headers in clear text – (cause to device damage – lack of replay protection – MiC(messagein code)) • Predictable sensor polling rates - (cause to device damage – sleep and wakeup)
• 14. Known Vulnerabilities in Zigbee – Protocol Vulnerabilities
  • Default link key values: 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 ("ZigBeeAlliance09")
  • Unauthenticated acknowledgement packets (ACK)
  • CSMA/CA trade-off
  • Unencrypted keys
  • Predictable PAN IDs and limited channels
  • Insufficient replay protections
  • Signal interference
  • Unauthorized network commissioning
  • Lack of DDoS protection mechanisms
  • Re-using the link key
  • TouchLink factory reset
  • Privacy issues
  Source: https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/
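The IV-reuse entry on the previous slide is easier to show than to state. The Python below is an added example written for this page, not code from the talk or from any Zigbee stack: it models counter-mode encryption with a SHA-256 keystream as a stand-in for AES (the standard library has no AES; the property shown depends only on counter mode, not on the block cipher), encrypts two constructed ZCL-style frames under the same key and nonce, and shows that XORing the two ciphertexts cancels the keystream, so knowing one frame exposes the other. A fresh nonce per frame removes the leak. It also checks a recovered key against the well-known ZigBeeAlliance09 value from the slide. The frame contents and the 13-byte nonce are constructed sample values, not captured data.

```python
import hashlib
import os

# The default Trust Center link key from the slide ("ZigBeeAlliance09").
DEFAULT_LINK_KEY = bytes.fromhex("5A6967426565416C6C69616E63653039")


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Block i = H(key || nonce || i) stands in for
    AES_key(nonce || i); with a reused (key, nonce) both give the same stream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR encryption is plaintext XOR keystream (decryption is the same operation)."""
    return xor_bytes(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def plaintext_xor_from_reuse(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under one (key, nonce): C1 ^ C2 == P1 ^ P2, no key needed."""
    return xor_bytes(ct1, ct2)


def recover_other_plaintext(ct1: bytes, ct2: bytes, known_p1: bytes) -> bytes:
    """A frame with known content (e.g. a fixed On/Off command) reveals the other one."""
    return xor_bytes(plaintext_xor_from_reuse(ct1, ct2), known_p1)


def is_default_link_key(key: bytes) -> bool:
    """A key extracted from a chip or a capture that equals the public default
    value provides no confidentiality; flag it during an assessment."""
    return key == DEFAULT_LINK_KEY


def demo(key: bytes = DEFAULT_LINK_KEY) -> dict:
    # Constructed sample frames of equal length (not real ZCL encodings).
    p1 = b"ZCL OnOff cluster 0x0006 cmd 0x01"
    p2 = b"ZCL OnOff cluster 0x0006 cmd 0x00"
    # Constructed 13-byte CCM-style nonce: source address || frame counter || security control.
    nonce = bytes.fromhex("00124b0001a2b3c4" + "00000001" + "28")
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)          # same nonce reused: the vulnerability
    fresh = ctr_encrypt(key, os.urandom(13), p2)   # correct: unique nonce per frame
    return {
        "leak_equals_p1_xor_p2": plaintext_xor_from_reuse(c1, c2) == xor_bytes(p1, p2),
        "recovered_p2": recover_other_plaintext(c1, c2, p1),
        "fresh_nonce_leaks": xor_bytes(c1, fresh) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

In a real Zigbee stack the frame counter inside the nonce is what must never repeat for a given key; a counter that resets on reboot, or a key shared by devices that do not coordinate counters, produces exactly the collision shown here.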
• 15. Pen-testing Tools
  Hardware
  • Bus Pirate (Hardware)
  • GoodFET (Hardware)
  • RZUSBSTICK (Protocol)
  • Chibi
  • Memsic TelosB (TPR2420)
  Software
  • KillerBee
  • SECBEE
  • Z3sec
  • Api-do
  • Attify ZigBee framework
• 17. Killerbee – Arsenal
  Tools: zbkey, zbopenear, zborphannotify, zbpanidconflictflood, zbrealign, zbreplay, zbscapy, zbstumbler, zbwardrive, zbwireshark
  • zbid - Identifies available interfaces that can be used by KillerBee and associated tools.
  • zbwireshark - Similar to zbdump but exposes a named pipe for real-time capture and viewing in Wireshark.
  • zbdump - A tcpdump-like tool to capture IEEE 802.15.4 frames to a libpcap or Daintree SNA packet capture file. Does not display real-time stats like tcpdump when not writing to a file.
  • zbreplay - Implements a replay attack, reading from a specified Daintree DCF or libpcap packet capture file, retransmitting the frames. ACK frames are not retransmitted.
  • zbstumbler - Active ZigBee and IEEE 802.15.4 network discovery tool. Zbstumbler sends beacon request frames out while channel hopping, recording and displaying summarized information about discovered devices. Can also log results to a CSV file.
  • zbpanidconflictflood - Requires two KillerBee interfaces: one KillerBee interface listens for packets and marks their PAN ID. The other interface constantly sends out beacon packets with the found PAN IDs. The beacon packets with the same PAN ID cause the PAN coordinator to believe that there is a PAN ID
• 18. How it works..
  No demo: the device arrived just yesterday. KillerBee to attack the Philips Hue.
• 19. Attify Zigbee Framework
  GUI wrapper for KillerBee: https://www.youtube.com/watch?v=uivlSdqWS48
• 20. Custom vulnerable lab development..?
  Requirements
  • Arduino * 1 – https://www.sparkfun.com/products/11021
  • DHT11 basic temperature-humidity sensor + extras – https://www.adafruit.com/product/386
  • 2LDR/Photocell * 1 – https://www.sparkfun.com/products/9088
  • BC547 * 1 – https://www.sparkfun.com/products/8928
  • LED * any number – https://www.sparkfun.com/products/10635
  • Jumper cables – https://www.sparkfun.com/products/13870
  • Breadboard – https://www.sparkfun.com/products/12046
  • Xbee shield * 2 – https://www.sparkfun.com/products/12847
  Reference: https://www.cybrary.it/channelcontent/zigbee-security-and-exploitation-for-iot-devices/
• 22. Pentest Methods..!
  • Physical pentesting – GoodFET and Bus Pirate – extracting the key that is loaded in the RAM or EEPROM chips
  • OTA – Over the Air – is the device updated securely or not
  • Sniff
  • MiTM
  • Replay and Injection – replaying / injecting packets to gain unauthorized control of Zigbee devices
• 23. How to pentest..?
  Attack 1: Key Sniffing (first make sure the RZUSB device has been flashed successfully)
  Step 1: Attach the RZUSB with our custom KillerBee firmware to an Ubuntu virtual machine
  Step 2: Select the channel number to sniff with zbdump (channels)
  Step 3: Output the packet capture data to a libpcap file
  Step 4: Stop sniffing and open the packet capture data in Wireshark
  Step 5: The encrypted key might look like (0xcc 0x60 0x47 0x4c 0x93 0x42 0xe2 0xf7 0x7f 0x78 0x1b 0xfb 0x26 0xe1 0xbb 0x0f 0xa1 0x15 0x79 0x13 0x64 0x92 0xde 0x6b 0xda 0x7c 0x0d 0xe2 0xd5 0xc5 0xc0 0x57 0x78 0xc4 0xa5)
  Step 6: Decrypt the keys with an AES decrypter
  • 24. Example sniffed cap file of ZigBee
• 25. Attack 2: Association Flooding
  • After successfully sniffing the keys from the Zigbee network
  • Add the device into the network without the owner's permission
  • We could determine the PAN IDs for each of the devices
  • and flooded each of these device PAN IDs in turn with hundreds of Association Requests (one every 10 milliseconds)
  • While we performed our Association Flooding attack,
  • we tried to access 14 functionalities from the SmartThings by turning the Centralite on and off.
• 26. Attack 3: Replay Attack
  • After getting the information from the flooding attack
  • Start the attack using commands like ON/OFF to play with a device such as a bulb
  Attack 4: Device Spoofing
  • MAC spoofing attack, where the device needs to be added into the owner's network
  • After the association flooding attack, all these attacks are easy to do
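Attacks 1 to 4 on the preceding slides all leave traces in the same place: the libpcap file that zbdump writes. The Python below is an added example for this page, not the talk's code and not part of KillerBee: it reads a little-endian libpcap file of link type 195 (IEEE 802.15.4 with FCS), decodes the 802.15.4 MAC header and the Zigbee NWK frame control word, and reports, from the defender's side, the three patterns those slides describe: NWK data frames sent with the security bit clear (key or command material in the clear), an association-request burst against one PAN (the slide's one request every 10 milliseconds), and a byte-identical data frame reappearing long after its first copy, which is what a frame replayed from a capture looks like while a genuine MAC retransmission arrives within milliseconds. The capture is constructed inside the block (PAN ID, short and extended addresses, payload bytes and the zero FCS are placeholders), and the window, threshold and replay-gap parameters are assumptions to be tuned against real traffic.

```python
import struct
from collections import defaultdict

LINKTYPE_IEEE802_15_4_WITHFCS = 195          # libpcap link type for 802.15.4 frames with FCS

def parse_pcap(data):
    """Yield (timestamp, frame bytes) from a little-endian libpcap file of link type 195."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_15_4_WITHFCS:
        raise ValueError("expected little-endian pcap with IEEE 802.15.4 (with FCS) link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_mac(frame):
    """Decode the 802.15.4 MAC header (frame control, seq, addressing); None if malformed."""
    try:
        fcf = struct.unpack_from("<H", frame)[0]
        dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3   # 0 none, 2 short, 3 extended
        hdr, off = {"type": fcf & 7, "security": bool(fcf & 0x08), "seq": frame[2]}, 3
        if dst_mode:
            hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
            n = 2 if dst_mode == 2 else 8
            hdr["dst"] = frame[off + 2:off + 2 + n][::-1].hex()
            off += 2 + n
        if src_mode:
            if not fcf & 0x40:                                   # no PAN ID compression: src PAN present
                hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
                off += 2
            n = 2 if src_mode == 2 else 8
            hdr["src"] = frame[off:off + n][::-1].hex()
            off += n
        hdr["payload"] = frame[off:-2]                           # strip the 2-byte FCS
        return hdr
    except (struct.error, IndexError):
        return None

def burst_size(times, window):
    """Largest number of timestamps that fall inside any `window`-second interval."""
    times, best, j = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def analyze(pcap_bytes, flood_window=1.0, flood_threshold=20, replay_gap=1.0):
    """Return findings as dicts with 'kind' in {unencrypted_nwk, replay, assoc_flood}."""
    findings, assoc, first_seen = [], defaultdict(list), {}
    for ts, frame in parse_pcap(pcap_bytes):
        mac = parse_mac(frame)
        if mac is None:
            continue
        if mac["type"] == 3 and mac["payload"][:1] == b"\x01":  # MAC command: association request
            assoc[mac.get("dst_pan")].append(ts)
        elif mac["type"] == 1 and len(mac["payload"]) >= 2:     # data frame carrying a NWK header
            nwk_fc = struct.unpack_from("<H", mac["payload"])[0]
            if not nwk_fc & 0x0200:                              # NWK security bit (bit 9) clear
                findings.append({"kind": "unencrypted_nwk", "detail": f"t={ts:.3f} from {mac.get('src')}"})
            if frame in first_seen and ts - first_seen[frame] > replay_gap:
                findings.append({"kind": "replay", "detail": f"t={ts:.3f} from {mac.get('src')}, "
                                 f"identical to frame seen {ts - first_seen[frame]:.1f}s earlier"})
            first_seen.setdefault(frame, ts)
    for pan, times in assoc.items():
        n = burst_size(times, flood_window)
        if n >= flood_threshold:
            findings.append({"kind": "assoc_flood", "detail": f"{n} association requests to PAN "
                             f"0x{pan:04X} within {flood_window}s"})
    return findings

def assoc_request(seq, pan, coord, src_ext):
    """MAC command 0x01 (association request): dst short addr, src extended addr, no PAN compression."""
    return (struct.pack("<HBHHH", 0xC823, seq, pan, coord, 0xFFFF) + src_ext[::-1]
            + bytes([0x01, 0x8E]) + b"\x00\x00")

def nwk_data(seq, pan, dst, src, secured, payload):
    """MAC data frame (short addrs, PAN compression) carrying a Zigbee NWK header."""
    nwk_fc = 0x0248 if secured else 0x0048                       # NWK data, protocol v2, +security bit
    return (struct.pack("<HBHHH", 0x8861, seq, pan, dst, src)
            + struct.pack("<HHHBB", nwk_fc, dst, src, 30, seq) + payload + b"\x00\x00")

def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_15_4_WITHFCS)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

def build_sample_pcap():
    """Constructed capture: normal traffic, then an association burst, a clear NWK frame, a replay."""
    PAN, COORD, BULB = 0x1A62, 0x0000, 0x3F7A                    # placeholder PAN ID and short addrs
    good = nwk_data(10, PAN, BULB, COORD, True, bytes.fromhex("28001c0b000000"))
    recs = [(100.000, good), (100.002, good)]                    # frame plus its MAC retransmission
    recs.append((100.500, assoc_request(1, PAN, COORD, bytes.fromhex("00124B0001A2B3C4"))))
    for i in range(40):                                          # one request every 10 ms
        recs.append((105.0 + i * 0.010, assoc_request(i, PAN, COORD, (0xDEADBEEF00000000 + i).to_bytes(8, "big"))))
    recs.append((106.0, nwk_data(11, PAN, BULB, COORD, False, bytes.fromhex("2100060001"))))
    recs.append((110.0, good))                                   # the 100.0 frame replayed 10 s later
    return build_pcap(recs)

if __name__ == "__main__":
    print(*analyze(build_sample_pcap()), sep="\n")
```

Run against a real zbdump file with `analyze(open("capture.pcap", "rb").read())`; the FCS is not verified here, so a capture with a `_WITHFCS` link type from an interface that does not append a valid FCS will still parse. Only the NWK security bit is inspected, so an APS-layer transport-key command hidden inside a NWK-encrypted frame is outside what this check can see.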
• 28. Remediations..
  • Reconfigure the device securely after finding the installation bugs
  • Out-of-band key loading method – using a factory-generated and pre-loaded key
  • Secure network admission
  • Dynamic device ID rotation – to remediate the spoofing attacks
  Follow the link: https://courses.csail.mit.edu/6.857/2017/project/17.pdf
• 29. References
  • Cache, Johnny, Wright, Joshua, and Liu, Vincent. Hacking Exposed: Wireless. Second Edition. McGraw-Hill, 2010.
  • 802.15.4-2011 – IEEE Standard for Local and metropolitan area networks – Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs). <http://standards.ieee.org/findstds/standard/802.15.4-2011.html>
  • ZigBee Security at Dartmouth Trust Lab. <http://www.cs.dartmouth.edu/~rspeers/>
  • ZigBee Specification, ZigBee Document 053474r17, ZigBee Alliance, January 17, 2008.
  • Radmand, M. Domingo, J. Singh, J. Arnedo, A. Talevski, S. Petersen, and S. Carlsen. "ZigBee/ZigBee PRO security assessment based on compromised cryptographic keys". Digital Ecosystem and Business Intelligence Institute, Curtin University of Technology, Perth, Australia.
  • Olawumi, K. Haataja, M. Asikainen, N. Vidgren, and P. Toivanen. "Three Practical Attacks Against ZigBee Security: Attack Scenario Definitions, Practical Experiments, Countermeasures, and Lessons Learned", in IEEE 14th International Conference on Hybrid Intelligent Systems (HIS 2014), Kuwait. DOI: 10.1109/HIS.2014.7086198
  • N. Whitehurst, T. R. Andel, and J. T. McDonald. "Exploring Security in ZigBee Networks", in 9th Cyber and Information Security Research Conference, 2014. ACM 978-1-4503-2812-8/14/4
  • ZigBee Wireless Networks and Transceivers – Shahin Farahani.
  • Y. Vasserman and N. Hopper, "Vampire attacks: draining life from wireless ad hoc sensor networks," IEEE Trans. Mobile Computing, vol. 12, no. 2, pp. 318–332, 2013.
  • Devu Manikantan Shila, Xianghui Cao, Yu Cheng, Zequ Yang, Yang Zhou, and Jiming Chen, "Ghost-in-the-Wireless: Energy Depletion Attack on ZigBee".
• 30. References (continued)
  • Ivan Vaccari, Enrico Cambiaso, and Maurizio Aiello, "Remotely Exploiting AT Command Attacks on ZigBee Networks".
  • https://phys.org/news/2017-09-flaws-smart-home-products.html
  • Philipp Morgner, Stephan Mattejat, Zinaida Benenson, "Insecure to the Touch: Attacking ZigBee 3.0 via Touchlink Commissioning".
  • Vidgren, K. Haataja, J. L. Patiño-Andres, J. J. Ramírez-Sanchis, and P. Toivanen, "Security threats in ZigBee-enabled systems: Vulnerability evaluation, practical experiments, countermeasures, and lessons learned," in Proceedings of the 46th Annual Hawaii International Conference on System Sciences, HICSS 2013, pp. 5132–5138, January 2013.
  • Krivtsova, I. Lebedev, M. Sukhoparov et al., "Implementing a broadcast storm attack on a mission-critical wireless sensor network," Lecture Notes in Computer Science, vol. 9674, pp. 297–308, 2016.
  • XBee Shield Hookup Guide, example communication test (SparkFun): https://learn.sparkfun.com/tutorials/xbee-shield-hookup-guide/example-communication-test