Zigbee security vulnerability analysis

1. Summary

ZigBee is considered a secure communication protocol. Its security architecture is a supplement to the security services provided by the IEEE 802.15.4 standard. The range of security services provided by ZigBee includes: security key establishment, security key transmission, frame protection through symmetric encryption, and security device management.

However, its security functions rest on certain inherent assumptions:

  • ZigBee uses an "open trust" model; that is, the protocol stack layers trust each other, and the layer that initiates the frame is responsible for protecting it initially.
  • The security services cryptographically protect only the interfaces between different devices.
  • The interfaces between different stack layers on the same device are not encrypted.
  • The secret key will not be unintentionally revealed during the key transmission process. (The exception is during the pre-configuration join of a new device, where a single key may be sent unprotected.)
  • Availability of a high-quality random number generator.
  • Availability of tamper-proof hardware.

This article discusses the security model provided by the ZigBee standard, various keys used for secure communication, the key management methods recommended by ZigBee, and other inherent security mechanisms, such as authentication, replay protection, etc.

2. Zigbee Protocol

The Zigbee network structure diagram is as follows:
[Figure: Zigbee network structure diagram]

  • Coordinator: The ZigBee coordinator is the device responsible for establishing, running and managing the entire ZigBee network. It configures the security level of the network and the address of the trust center (by default this is the address of the ZigBee coordinator itself; otherwise the ZigBee coordinator can designate a backup trust center). The ZigBee coordinator also maintains a list of currently associated devices and facilitates support for orphan scanning and rejoin processing so that previously associated devices can rejoin the network. Each network has only one coordinator, so it can never go to sleep (there may not be a coordinator in the network). The coordinator can also double as a router if needed.
  • Router: A ZigBee router is an intermediate node that routes data packets between terminal devices or between terminal devices and the coordinator. If security is enabled on the network, the router needs permission from the trust center to join the network. It can also double as a terminal device. In some cases, the router can allow other routers and terminal devices to join the network; it then maintains a list of currently associated devices and facilitates support for orphan scanning and rejoin processing, so that previously associated devices can rejoin the network. Because routers link multiple parts of the network, they cannot go to sleep.
  • End Device: ZigBee terminal devices are usually sensor nodes that monitor and collect environmental data. Unlike routers or coordinators, end devices are low-power or battery-powered. Therefore, when there is no activity to monitor, they can sleep for a certain period of time to save energy, unless the device is a router or coordinator doubling as a terminal device. Likewise, terminal devices usually do not route traffic or allow other nodes to join the network, unless the device is a router or coordinator doubling as a terminal device.

3. Zigbee security model

ZigBee supports two types of security models, as shown in the figure below. The main difference between them lies in how they admit new devices to the network and how they protect the messages on the network.
[Figure: Zigbee security model]
Centralized security model: the more complex but most secure model. It involves a third logical device, the trust center (the network coordinator, such as a smart home gateway). The trust center is responsible for:

  • Configuring and verifying routers and terminal devices that join the network
  • Generating the network key used for encrypted communication over the network
  • Switching to a new network key periodically or as needed, so that a network key obtained by an attacker has only a limited lifetime before it expires
  • Establishing a unique trust center link key for each device when it joins the network, so that the device can communicate securely with the trust center
  • Maintaining the overall security of the network

Distributed security model: simple, but less secure. This model only supports routers and terminal devices. The routers form a distributed network and are responsible for registering other routers and terminal devices. A router distributes the network key (used to encrypt messages) to newly joined routers and terminal devices. All nodes in the network use the same network key to encrypt messages. Similarly, all nodes are pre-configured with a link key (used to encrypt the network key) before they register into the network.

4. Security Key

4.1 Key type

Three types of keys are used in the ZigBee standard (each key has a length of 128 bits).

Network key: used for broadcast communication, and applied by the NWK layer and the APL of ZigBee. Each node needs a network key in order to communicate securely with other devices on the network. The trust center generates the network key and distributes it to all devices on the network. Devices on the network obtain the network key through key transmission (the network key used to protect the transmission) or pre-installation. There are two different types of network keys: standard (the network key is sent in the clear) and high security (the network key is encrypted). The type of network key determines how the network key is distributed, and can control how the network frame counter is initialized. However, the type does not affect the way messages are protected.

Link key: used for unicast communication, and applied by the APS of the ZigBee stack. The device obtains the link key through key transmission (the key-load key is used to protect the transmitted link key), key establishment (based on the "master" key and other network parameters) or pre-installation (for example, during the installation process, such as factory installation). Usually, the link key related to the trust center is pre-configured using out-of-band methods, such as the QR code in the package, while the link key between nodes is generated by the trust center and sent to the nodes, encrypted with the network key, before use.

ZigBee defines two types of link keys: global and unique. A unique link key can in turn be one of two kinds: the first is the trust center link key, established between the trust center and the device; the second is the application link key, established between two devices in the network other than the trust center. The type of link key determines how the device processes various trust center messages (APS commands), including whether to apply APS encryption.

In addition, each node can also have the following pre-configured link keys, which are used to derive the trust center link key (through the certificate-based key establishment protocol if SE security is enabled, the APS request-key method, Touchlink commissioning, or the Matyas-Meyer-Oseas hash function):

  • A default global trust center link key is defined by the ZigBee Alliance. Its default value is 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 (ZigBeeAlliance09), and if the application does not specify another link key when connecting, the device will use or support this default value.
  • A distributed secure global link key, a manufacturer-specific key used for interaction between devices from the same manufacturer.
  • The installation code is a pre-configured link key. All ZigBee devices can contain a unique installation code, which is a random 128-bit number protected by a 16-bit cyclic redundancy check (CRC). The trust center may require each new device to use a unique installation code to join the centralized security network, and the installation code must match the code (i.e. the QR code) previously entered into the trust center out-of-band. After the installation code is verified, the joining device and the trust center use the Matyas-Meyer-Oseas (MMO) hash function to derive a unique 128-bit trust center link key from the installation code.
  • Touchlink pre-configured link key.
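The CRC check a trust center can run when an installation code is entered out-of-band, as an added example that is not code from the original article or from any ZigBee stack. It assumes the CRC-16/X-25 parameters and little-endian CRC bytes, which the article does not specify; the function names and the sample code are constructed for illustration, and the MMO key derivation step is not shown.

```python
import re

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def format_install_code(code: bytes) -> str:
    """Render a 16-byte code plus its CRC as the grouped hex printed on a label."""
    raw = code + crc16_x25(code).to_bytes(2, "little")
    return "-".join(raw[i:i + 2].hex().upper() for i in range(0, len(raw), 2))

def parse_install_code(text: str) -> bytes:
    """Return the 16 code bytes, or raise ValueError if the entry is malformed."""
    try:
        raw = bytes.fromhex(re.sub(r"[\s:-]", "", text))
    except ValueError:
        raise ValueError("installation code is not hexadecimal") from None
    if len(raw) != 18:
        raise ValueError(f"expected 16 code bytes + 2 CRC bytes, got {len(raw)}")
    code, crc = raw[:16], int.from_bytes(raw[16:], "little")
    if crc16_x25(code) != crc:
        # The CRC only catches entry errors; anyone can compute it, so the
        # secrecy of the code itself is what protects the join.
        raise ValueError("CRC mismatch: code was mistyped or corrupted")
    return code

def demo():
    code = bytes(range(0x10, 0x20))       # constructed sample, not a real device code
    label = format_install_code(code)
    typo = "2" + label[1:]                # one mistyped digit
    try:
        parse_install_code(typo)
        typo_result = "accepted"
    except ValueError as exc:
        typo_result = str(exc)
    return parse_install_code(label) == code, typo_result

if __name__ == "__main__":
    print(demo())
```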

Master key: It forms the basis of long-term security between two devices and is only used by APS. Its function is to keep the link key exchange between two nodes secret in the symmetric-key key establishment protocol (SKKE). The device obtains the master key through key transmission (the key-load key is used to protect the transmitted master key), pre-installation or user-entered data (such as a PIN or password).

4.2 Key Management

One feature of ZigBee is that, as mentioned above, it has a variety of key management mechanisms:

Pre-installation: The manufacturer installs the key into the device itself. The user can select an installed key using a series of jumpers in the device (in devices with multiple keys pre-installed).

Key establishment: This is a local method of generating a link key based on the master key. The different security services of the ZigBee network use keys derived with a one-way function (using the link key as input) to avoid security leaks due to unnecessary interactions between services. The use of unrelated keys ensures logical isolation of the execution of different security protocols. Key establishment is based on the SKKE (symmetric-key key establishment) protocol. The devices involved in the communication must have a master key, which may be obtained through pre-installation, key transmission or user input.

Key transmission: The network device sends a request to the trust center for the key to be sent to it. This method is suitable for requesting any one of the three keys in the business model, while in the residential model, the trust center only keeps the network key. The trust center uses the key-load key to protect the transmission of the master key.

In addition, in a centralized model, a certificate-based key establishment protocol (CBKE) can be used to distribute keys. CBKE provides a mechanism to negotiate a symmetric key with a trust center based on a certificate stored in two devices and signed by a certification authority (CA) at the time of manufacture.

5. ZigBee Stack security measures

IEEE 802.15.4 provides robustness against interference from other networks, and uses AES (Advanced Encryption Standard) with a 128-bit key length (16 bytes) for:

  • Data security: achieved by encrypting the data payload, and
  • Data integrity: achieved with a Message Integrity Code (MIC) or Message Authentication Code (MAC) attached to the message to be sent. This code ensures the integrity of the MAC header and the attached payload data. It is created by encrypting part of the IEEE MAC frame using a 128-bit key.

In the IEEE 802.15.4 MAC frame, the "Auxiliary Security Header" is only enabled when the "Security Enabled" subfield of the "Frame Control Field" is turned on. This special header contains 3 fields:

  • The security control field specifies the type of protection provided by the network. This is where the global security policy is set. The choice of security level determines the length of the key and the content to be encrypted. That is, each security level provides a certain degree of frame encryption and integrity checking. ZigBee defines 8 different security levels for the NWK and APS layers, as shown in the figure below.
    [Figure: ZigBee security levels for the NWK and APS layers]
  • The frame counter is a counter given by the source of the current frame to prevent the message from being replayed.
  • The key identifier specifies the information required to understand the type of key used by the node for communication.

Although IEEE 802.15.4 provides security measures, it does not specify how keys must be managed or the types of authentication policies to be applied. These issues are managed by ZigBee. The ZigBee standard supports the following optional security services:

  • Encryption/Decryption: ZigBee frames can optionally be protected with the security suite AES-CCM* to provide data confidentiality, data authentication and data integrity. AES-CCM* is a variant of AES (Advanced Encryption Standard) with a modified CCM mode (counter with CBC-MAC).
  • Replay protection: Each node in the ZigBee network contains a 32-bit frame counter, which is incremented every time a data packet is transmitted. Each node also keeps track of the previous 32-bit frame counter of each device (node) it is connected to. If the frame counter value received by the node from a neighboring node is the same as or smaller than the previously received frame counter value, the data packet is discarded. This mechanism provides replay protection by tracking data packets and discarding them if the node has already received them. The maximum value of the frame counter is 0xFFFFFFFF; once it reaches the maximum value, no further transmission can be performed. The only time the frame counter is reset to 0 is when the network key is updated.
  • Device authentication: The ZigBee standard supports device authentication and data authentication. Device authentication is the act of confirming that a new device joining the network is a real device. The new device must be able to receive the network key within a given time and set the appropriate attributes in order to be considered authenticated. Device authentication is performed by the trust center. The authentication process differs between the residential and business models.
  • Secure over-the-air (OTA) firmware upgrades: OTA updates allow manufacturers to add new features, fix defects in their products, and apply security patches when new threats are discovered. However, if the protocol does not provide adequate protection, or the device manufacturer does not use all available protective measures, OTA updates may also constitute potential security vulnerabilities. The ZigBee device and the associated silicon platform provide multiple layers of security to update the device in the field and ensure that the updated code image is not maliciously modified.
  • Encryption based on logical links: Another key security tool is the ability to create application-level security links between a pair of devices in the network. Management is performed by establishing a unique set of AES-128 encryption keys between a pair of devices. This allows a logical, secure link to be established between any two devices in the network, thereby supporting a "virtual private link" between a pair of devices in the network and many other devices. This measure limits the ability of an attacker to obtain network keys by intercepting or injecting messages that other devices will execute.
  • Runtime key update: The trust center will actively change the network key regularly or when needed. The trust center will generate a new network key and encrypt it with the old network key to distribute it throughout the network. After the update, all devices will continue to retain the old network key for a short time until each device on the network has switched to the new network key. In addition, the device will initialize its frame counter to zero after receiving the new network key.
  • Network interference protection: In low-cost ZigBee nodes, cost or node size constraints may make it impossible to use band-selective filters to protect the network from interference. However, the basic attributes of IEEE 802.15.4 and ZigBee networks (such as low RF transmission power, low duty cycle and the CSMA/CA channel access mechanism) help reduce the impact of ZigBee wireless networks on other nearby systems, and vice versa. There are two ways to improve the coexistence performance of ZigBee networks: cooperative and non-cooperative.
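The replay protection and runtime key update rules from the list above, as an added example that is not code from the original article or from any ZigBee stack. The class names and keys are constructed, and a truncated HMAC-SHA256 stands in for the AES-CCM* MIC because the Python standard library has no AES; the receiver checks the MIC before touching its stored counter, so an unauthenticated frame cannot move it.

```python
import hashlib
import hmac
import struct

MAX_FRAME_COUNTER = 0xFFFFFFFF

def make_mic(key, src, counter, payload):
    """Stand-in MIC (assumption): HMAC-SHA256 cut to 4 bytes, not AES-CCM*."""
    msg = struct.pack("<HI", src, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Sender:
    def __init__(self, key, addr):
        self.key, self.addr, self.counter = key, addr, 0

    def send(self, payload):
        if self.counter >= MAX_FRAME_COUNTER:
            raise RuntimeError("frame counter exhausted: network key update required")
        self.counter += 1                      # incremented for every transmitted frame
        mic = make_mic(self.key, self.addr, self.counter, payload)
        return (self.addr, self.counter, payload, mic)

    def update_key(self, key):
        self.key, self.counter = key, 0        # counter resets only on key update

class Receiver:
    def __init__(self, key):
        self.key, self.last_seen = key, {}     # last accepted counter per neighbor

    def accept(self, frame):
        src, counter, payload, mic = frame
        if not hmac.compare_digest(mic, make_mic(self.key, src, counter, payload)):
            return "drop: bad MIC"             # stored counter is left untouched
        if src in self.last_seen and counter <= self.last_seen[src]:
            return "drop: replay"              # same or smaller counter
        self.last_seen[src] = counter
        return "accept"

    def update_key(self, key):
        self.key = key
        self.last_seen.clear()                 # neighbors restart from zero

def demo():
    old_key, new_key = b"K" * 16, b"N" * 16    # constructed keys
    dev, rx = Sender(old_key, 0x1A2B), Receiver(old_key)
    f1, f2 = dev.send(b"on"), dev.send(b"off")
    out = [rx.accept(f1), rx.accept(f2), rx.accept(f1)]
    altered = (f2[0], MAX_FRAME_COUNTER, f2[2], f2[3])   # counter changed without the key
    out.append(rx.accept(altered))
    out.append(rx.accept(dev.send(b"on")))     # real device is still accepted
    dev.update_key(new_key)
    rx.update_key(new_key)
    out.append(rx.accept(dev.send(b"on")))     # counter 1 again, under the new key
    out.append(rx.accept(f2))                  # old-key frame fails the MIC
    return out

if __name__ == "__main__":
    print(demo())
```

After the key update the reset counters do not reopen a replay window, because frames captured under the old key no longer pass the integrity check.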

6. Zigbee security vulnerabilities

Key distribution sniffing attack

A key distribution attack eavesdrops on the key when a new node joins the network and requests the key from the trust center. There are many tools that can be used for eavesdropping, such as Killerbee, Ubiqua, Packet Sniffer, etc. When the key is distributed by the coordinator instead of being preset in the device, the distributed key is likely to be captured by sniffing, and the attacker can use the obtained key to decrypt the communication.

  • Passive key sniffing: when a ZigBee device joins a secure network, a key is transmitted as part of the join process. An attacker can therefore monitor the traffic of the ZigBee network and wait for a new device to join in order to sniff the packet that carries the key.
  • Active key sniffing obtains the key by exploiting the security weakness of the Trust Center Rejoin. A trust center rejoin happens when the device may not have the currently used network key (for example, the device did not receive a network key update); the device then has to send the rejoin command without network layer security, and is allowed to obtain the current network key. Given this process, an attacker may forge the packets of this exchange to actively obtain the transmitted key, using the weakness in the trust center rejoin.

Get the key from the device

If the key is deployed by key presetting or key derivation, the preset network key or master key has to be stored in the ROM of the device together with the firmware, and these keys are shared by all devices in the network. If you can read the firmware of the device, you can try to find the key.

Tampering attack

The attacker modifies the frame counter so that it is larger than the frame counter of the latest data packet, uses the link key to re-encrypt the tampered data, and sends it out.

Denial of service attack

EPID conflict, media access control address conflict, maximum Frame Counter, insecure Leave

Common attack tools: KillerBee is a framework and tool for attacking ZigBee and IEEE 802.15.4 networks. Using the KillerBee tool and a compatible IEEE 802.15.4 wireless interface, you can eavesdrop on ZigBee network traffic, replay traffic, attack cryptographic systems, and more. Using the KillerBee framework, you can build your own tools, define ZigBee fuzzing, emulate and attack terminal devices, router devices and coordinator devices, etc. KillerBee can be downloaded from GitHub.

7. Summary

Although ZigBee is designed with security in mind, trade-offs still have to be made to keep devices low-cost, low-energy and highly compatible. It allows the same keying material to be reused between different layers on the same device, and allows end-to-end security to be implemented on a device-to-device basis rather than between pairs of specific layers (or even pairs of applications) on two communicating devices. In addition, to achieve device interoperability, ZigBee uses the same security level for all devices, and all layers of those devices, on a given network. These measures inevitably introduce security risks. Developers are therefore responsible for addressing them, including strategies for detecting and handling errors, handling loss of key synchronization, and regularly updating keys.

Origin blog.csdn.net/qq_32505207/article/details/107682978