Testing Overview [Document subtitle]

Similar documents
Wireless Network Security

Cyber Security: Beginners Guide to Firewalls

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

Building a Basic Communication Network using XBee DigiMesh. Keywords: XBee, Networking, Zigbee, Digimesh, Mesh, Python, Smart Home

Security Issues with Integrated Smart Buildings

Synapse s SNAP Network Operating System

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Customer Specific Wireless Network Solutions Based on Standard IEEE

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Data Security Concerns for the Electric Grid

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Thingsquare Technology

INTRODUCTION TO PENETRATION TESTING

Why Can t We Be Friends?

Logitech Advanced 2.4 GHz Technology

The Internet of Things: Opportunities & Challenges

Logitech Advanced 2.4 GHz Technology With Unifying Technology

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Implementation of Wireless Gateway for Smart Home

Compulink Advantage Cloud sm Software Installation, Configuration, and Performance Guide for Windows

IT Networking and Security

Compulink Advantage Online TM

Network Security 101 Multiple Tactics for Multi-layered Security

DeltaV System Cyber-Security

Chapter 3 Safeguarding Your Network

TCP/IP Network Communication in Physical Access Control

Demystifying Wireless for Real-World Measurement Applications

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Sentrollers and The Internet of Things

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Analysis of Methods for Mobile Device Tracking. David Nix Chief Scientific Advisor

An Overview of ZigBee Networks

AMI security considerations

Over the PSTN... 2 Over Wireless Networks Network Architecture... 3

Applying Mesh Networking to Wireless Lighting Control

Introduction to Wireless Sensor Network Security

Network Management and Monitoring Software

Best Practices for DanPac Express Cyber Security

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Advanced Metering Infrastructure Security

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks

OPTIGUARD: A SMART METER ASSESSMENT TOOLKIT

How To Secure Your System From Cyber Attacks

A Research Study on Packet Sniffing Tool TCPDUMP

Mobile Security Wireless Mesh Network Security. Sascha Alexander Jopen

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

SecureCom Mobile s mission is to help people keep their private communication private.

Home Automation and Cybercrime

Design and Implementation Guide. Apple iphone Compatibility

SECURITY ASPECTS IN MOBILE AD HOC NETWORK (MANETS)

DIY Device Cloud Documentation

Wireless Sensor Networks Chapter 14: Security in WSNs

This idea could limit unnecessary visits and help developing countries to provide healthcare remotely as well.

DEVELOPMENT OF INDIVIDUAL HOME SECURITY SYSTEM USING CAN AND ZIGBEE PROTOCOL

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

XBee Wireless Sensor Networks for Temperature Monitoring

IPv6 Based Sensor Home Networking

ZigBee Technology Overview

Security of MICA*-based / ZigBee Wireless Sensor Networks

Trust Digital Best Practices

Building A Secure Microsoft Exchange Continuity Appliance

Silabs Ember Development Tools

THE ROLE OF IDS & ADS IN NETWORK SECURITY

A Profile of PVA Capabilities with Remote Time Location Systems (RTLS) Profile of PVA Capabilities

PCI Wireless Compliance with AirTight WIPS

Domus, the connected home

Vehicle data acquisition using CAN By Henning Olsson, OptimumG

DOS ATTACKS IN INTRUSION DETECTION AND INHIBITION TECHNOLOGY FOR WIRELESS COMPUTER NETWORK

Getting a Secure Intranet

DoS: Attack and Defense

Protecting the Extended Enterprise Network Security Strategies and Solutions from ProCurve Networking

future data and infrastructure

bel canto The Computer as High Quality Audio Source A Primer

KillerBee: Practical ZigBee Exploitation Framework or "Wireless Hacking and the Kinetic World" Joshua Wright

The SIEM Evaluator s Guide

Online Communication of Critical Parameters in Powerplant Using ZIGBEE

Security & Trust in Wireless Sensor Networks

Firewall and UTM Solutions Guide

Network Based Intrusion Detection Using Honey pot Deception

Why should I care about PDF application security?

Evolving Bar Codes. Y398 Internship. William Holmes

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

Covert Operations: Kill Chain Actions using Security Analytics

Traditionally, a typical SAN topology uses fibre channel switch wiring while a typical NAS topology uses TCP/IP protocol over common networking

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Network Instruments white paper

Transcription:

10/16/2015 ZigBee Penetration Testing Overview [Document subtitle] PURE INTEGRATION

Introduction Penetration testers have been focusing on wireless technologies for over a decade now, and industry researchers have seen the various families of wireless protocols evolve through a storm of security issues, incomplete encryption schemes, and mitigation tactics. The 802.11 wireless protocol is by far the most popular and has thus been the focus of much attention surrounding its security issues and development. Lately, other wireless protocols have become the focus of security researchers and attackers alike. The protocol that might be the area of immediate concern is the 802.15.4 protocol that ZigBee wireless rides on. New tools and techniques are constantly being developed by penetration testers to validate the security and configuration of ZigBee-enabled devices. In this paper, we ll take a closer look at the ZigBee protocol, some of the attacks that have been leveraged against it, and the security tools that penetration testers can use. ZigBee is not new technology as it was originally developed in 1998 but has only recently become more commonplace in industrial and consumer products. ZigBee was designed to fulfill a niche and previously untapped market in which regular wireless devices were unsuitable. The unique characteristics of ZigBee embedded wireless devices have opened a floodgate of new products that require its low power simplicity and functionality. Fig. 1: Globlal ZigBee penetration trajectory, by Navigant Research

ZigBee Primer ZigBee was designed to provide short distance wireless solutions in which running wires to transfer data is infeasible or cost prohibitive. ZigBee does not provide the bandwidth and advance error checking provided by the larger and more prevalent 802.11 standards, however this streamlined approach provides many advantages. Simple Setup ZigBee devices are designed to be versatile and have built-in protocol support for both mesh and star-based network topologies. Seemingly out-of-the-box, a ZigBee node can be joined to an existing mesh network or be assigned as the controller to manage the administration of other ZigBee nodes. Minimal Power Requirements ZigBee requires very little power to function and to maintain its association with other ZigBee devices. Many implementations can run for several years off one set of batteries and are designed for environments where it may be infeasible to access the device again after deployment Bandwidth Considerations ZigBee trades its high power efficiency for lower bandwidth capabilities with data rates reaching maximum speeds of 250Kbps. This is not well suited for cellphones or video but is a perfect match for solutions needing short communication bursts or infrequent sensor data transmissions. Range Considerations While the ZigBee specifications state that it can effectively transmit up to 100 meters, most devices are functioning closer to the 10-meter range. Without complex data and error checking, these devices will need to stay well within the maximum range of the specification to function properly. "No wireless technology has been more integrated or impacts the physical world more than ZigBee."

The World Around Us ZigBee radios have been integrated into all sorts of sensors and monitoring and control devices; and have found their way into hospitals, industrial facilities, and critical control systems expected to operate every day without fail. In clinical settings, ZigBee radios are more frequently found in patient-monitoring systems to provide data collection while allowing uninhibited mobility of the patient. They are also being implemented into implants (devices residing inside of the user) as a means to monitor and regulate internal biological processes in real time; ie connected defibrillator. The short range and low output power limits the problem of radio interference with other radio devices or medical equipment. Clinicians simply use another ZigBee radio to interact with the patient's device, collect data, or even change the configuration settings of the implanted device. ZigBee radios are also heavily used in industrial applications. They are integrated into refineries, chemical plants, and water-treatment facilities as sensors or to control processing equipment. The explanation and business drivers behind why companies are utilizing ZigBee radios are very simple to understand. Running physical wires has a significant labor and material cost, while using a self-contained, battery-operated ZigBee radio limits these costs and provides administrative advantages when troubleshooting issues. Other organizations are switching to ZigBee radio devices for monitoring and regulating the temperature in buildings, or communicating with controllers to shut down lights when people are not in the room. Another area where ZigBee devices have become very popular is in the home. New properties are often implemented with ZigBee enabled water and gas meters. Utility providers use specially configured ZigBee radios as data collectors to collect the water and gas meter's transmissions from their utility vehicles. This process greatly increases the efficiency of utility companies collecting meter and billing data.

ZigBee Security The prevalence of any device in mainstream use will attract the attention of attackers. An example being the Macs don t get viruses adage that once held some credibility, if only because there weren t enough Apple computers for attackers to deem worthy of the effort. ZigBee devices are being produced and released into the market place at such incredible speeds that many component manufacturers are experiencing a severe backlog. Large companies and sole proprietors are introducing devices into the marketplace and very few organizations are certifying their devices against any consistent standards. Attacks against ZigBee ZigBee wireless attacks and security has attracted a lot of interest by security professionals as well as the DIY maker and hacker communities. Each is looking at the security capabilities of the 802.15.4 protocol as well as how manufacturers are implementing the ZigBee radios into their products. Often it is these disparate implementations that cause most of the security risks. This is evident in the types of attacks used against the devices which typically fall into three categories: physical attacks, key attacks, and replay and injection attacks. Physical Attacks Physical access to a device containing a ZigBee radio, can easily compromise an entire network of devices. Physical attacks are so highly effective because they can be used to obtain an encryption key used by the target ZigBee network. Many ZigBee radios use a hard-coded encryption key that is loaded in RAM memory when the device is powered on. With these keys being flashed on all the devices in a ZigBee network, they will most likely never be changed. Knowing this, attackers can utilize off-the-shelf debugging interfaces on the ZigBee device to attempt to capture the encryption keys as those keys are moved from flash to RAM during power up. There are numerous low-cost and open-source tools that make this form of attack both simple and inexpensive. Two of the most popular are Bus Pirate and GoodFet. The Bus Pirate and GoodFet interface boards provide support of numerous industry standard serial protocols, including 1-wire, JTAG, SPI, and asynchronous serial. Once connected to a ZigBee device through a simple serial interface such as a Bus Pirate, an attacker can disassemble the security of an entire ZigBee network, intercept and even alter data.

Key Attacks In addition to physical means, it is also possible to use remote devices to capture encryption keys. ZigBee radios often use one of two encryption key methodologies to ensure that devices have the appropriate keys to talk to each other. These methodologies are known as pre-shared keying and Over the Air (OTA) key delivery. Larger, more sophisticated ZigBee networks will typically utilize OTA for security and ease of updating. The use of sniffers to monitor, capture and analyze packets; allows the key transmission to be intercepted and interpreted by anyone within range. With minimal session checking built into the 802.15.4 protocol and currently no intrusion-detection capabilities, this type of attack is nearly impossible to detect. One very effective toolset for this type of key analysis is called the KillerBee framework, which was created by Joshua Wright, a noted wireless security expert, and has been made freely available to everyone. KillerBee is really a suite of hardware and software tools that allow sophisticated interception, analysis, and even transmission of 802.15.4 packets. The software included in KillerBee is a collection of Python scripts that are easily modified and can be built upon to create even more capabilities and interaction with ZigBee radios. For Joshua s experiment, the recommended device of choice is the RZ Raven AVR, a $40 USB stick with monitoring and packet injection capabilities. An attacker using a combination of hardware and software based tools has the advantage of not needing to physically connect to the device to perform an attack. This makes it extremely unlikely that the attack will be discovered and even less likely that the attacker will be caught. Replay and Injection Attacks Another type of key based attack is blended with packet replay and/or injection to trick the ZigBee device into performing unauthorized actions. ZigBee radios are susceptible to these types of attacks because of the lightweight design of the protocol, which has very minimal replay protection. A malicious user can capture legitimate packets and essentially replay those same packets through the network. The controller will recognize the traffic as legitimate and accept the command. This has been demonstrated with devices ranging from water flow control devices to connected door locks.

Tools Most Information Security Professionals are not typically trained to mitigate against hardware-based attacks. With that said, Information Security Professionals with experience in wireless security mitigation tactics often have the building blocks to quickly get up to speed on the various attacks and defenses used with ZigBee radios. The first thing that an Information Security Processional needs is a collection of hardware and software tools that will help assess the environment and give them the ability to develop the traditional defense in depth. One of the biggest challenges for researchers looking into ZigBee security is the high cost and complexity of obtaining software and API code from major semiconductor providers. Without the software that allows interaction with commercial ZigBee radios, a researcher has limited ability to develop tools or other equipment that will run on multiple manufacturers' equipment. Conclusion The focus of attackers is changing, and Information Security professionals need to change with it. It is no longer acceptable to be an Information Security Professional with no working knowledge of hardware-based attacks. It's no longer acceptable to understand traditional 802.11 wireless security without knowing the other wireless protocols that are being rapidly adopted by businesses. New kinds of attacks are starting to emerge that are challenging our preconceived notions of what wireless security is all about. Unlike traditional wireless security, new ZigBee wireless technology risks can impact both corporate data and even the physical world. There is little doubt that ZigBee radios will continue to be widely deployed in both consumer and industrial applications. This rapid escalation and adoption of ZigBeeenabled devices requires trained and vigilant Information Security Professionals who can detect, assess, and defend against a myriad of new and emerging wireless attacks. While there are many tools that are at their disposal, it will take an increased awareness of ZigBee attacks and a deep understanding of these tools to better defend businesses.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information