Current Security Issue Demonstration Paper: Exploiting ZigBee Networks

Transcription

1 Current Security Issue Demonstration Paper: Exploiting ZigBee Networks Omar Taylor and Tyler Much The Vulnerability This exploit was performed specifically on a ZigBee pro 1.2 network, that was being run by Samsung SmartThings home security system. The purpose of this exploit is to steal the ZigBee network key; allowing you to decrypt all network traffic, spoof devices, or even commands. The exploit is possible on other ZigBee networks, but it will depend upon the implementation of the ZigBee protocol. Details: Using your choice of packet capture software and a USB ZigBee RF sniffer it is possible to intercept a ZigBee network key when devices are joined to the smart home system. This joining process can happen in many circumstances, one being a hard reset on the smart home central hub, a device losing connection and attempting to reconnect, or when trying to add a new device. Once the key is intercepted, it can be decrypted using a publicly available encryption key (usually found on the hardware manufacturer's website/documentation). Risk Exposure: The repercussions of the network key being stolen and decrypted are potentially high. With access to the ZigBee network key, all traffic over that network is visible. This would allow somebody to conduct extensive surveillance of that system, since all traffic is now decrypted. This could also be taken a step further and the key can be used to spoof devices on the network. An attacker using this key would be able to issue commands to connected systems. A dangerous and high impact example would be if an attacker issued an unlock/disconnect command to a connected SmartLock and was able to remotely unlock your doors and enter your home.

2 Class Relevance: This is type of attack is similar to some Man in the middle attacks we discussed in class (like the MD5 collision homework), although this one is even less complicated since they key doesn t have to be cracked, being that the symmetric decryption key is publicly available. The exploits are similar though, because once they key is decrypted it is possible to use it to authenticate and/or issue commands. This also relates back to the beginning of the semester when we covered cryptography, and decrypted encoded messages for homework. Tool Box: Finding and Exploiting the Vulnerability Where to find the tools While a variety of RF capturing devices can be used, we tested two: The Texas Instrument CC2531Emk and the Atmel RZ Raven USB stick flashed with the KillerBee Python framework. One of the devices requires RF capturing software to be flashed onto the device before using while the other comes with the software built-in. Your choice hardware is dependent on your purpose, but for our purposes, it was not necessary to use the KillerBee framework since we did not have time to fully test the attack suite that comes bundled with the software (something the CC2531Emk is not capable of). The TI CC2531 and RZ Raven can be purchased from multiple places such as the manufacturer's website, Digikey, Mouser, or even Amazon. If you re using the RZ Raven, RF capturing and key decryption can all be done in the command line. If you re using the TI CC2531(The one we used in the final exploit), sniffing and decryption can be done with an IEEE Protocol Analyzer software called Ubiqua. How the tool exploits the vulnerability: With the TI CC2531 connected to the attacker's computer and Ubiqua (Protocol Analyzer software), an attacker is able to exploit the vulnerability in the implementation of the ZigBee protocol. The attacker is able to get the symmetric decryption key from the manufacturer website (or anywhere online). Then the attacker is able to enter this key into protocol analyzer, which is then used to encrypt the private network key and capture the network traffic. Any time there is a network join the attacker will be able to see the contents of the transported key due to the systems weak (or essentially nonexistent) security for key transport. With the RZ Raven, the same is possible within the command-line. There are also methods of provoking the victim to rejoin their devices

3 with the RZ Raven by using the flashed KillerBee software attack suite (replay attacks, signal jamming, etc). Post-exploitation Once both symmetric keys are obtained, all traffic on the ZigBee network becomes visible. This would allow an attacker to monitor traffic in and out of the house, and see the status of devices connected to the system. There are also more complex attacks that could be carried out, such as spoofing, jamming or disabling the devices. This vulnerability in the ZigBee network is not a theoretical concept at this point. It would be fairly easy for an attacker to set this up, and exploit the vulnerability in its current state. The patch that is in development will make the vulnerability more theoretical since you would have to be monitoring the network constantly, and wait for a reset/new device setup. Reducing the Exploitability of your ZigBee Network There is currently no patch available for the vulnerabilities in this exploit. A patch is being developed, but it is not available for public release yet. The risk could still be reduced by not connecting systems that provide more important security. For example, by not connecting a door lock you would reduce the risk of the exploit having a significant impact. If the attacker was only able to gather data from a motion sensor and a smart light bulb, it is not likely they would find much useful information. When the patch is released (ZigBee 3.0) the symmetric key pair that was part of the exploit will be no more. Instead, each connected smart device will get a unique network key that is assigned to them. This change will make it so that the traffic across this network isn t all encrypted with the same key making it more challenging to decode traffic. The next patch will also give an option to disable insecure rejoin. This will make the current exploit obsolete because it prevents the network key from being transmitted on an auto-rejoin, and therefore requires the attacker to be listening when the device is initially added to the system (or the system is being reset). Tutorial

4 Setting up the Vulnerable System The system we used to perform the exploit on is the Samsung SmartThings home automation starter kit, a suite of ZigBee-enabled devices for which are susceptible to the attack we are going to carry out. In order to properly operate the system, it was necessary to download the recommended SmartThings application. To acquire and set up this system, follow the instructions below: 1. Acquire a Samsung SmartThings Kit ($ or less with coupon), an ethernet cord, and a lamp (optional). 2. Download the SmartThings app (Apple App Store, Google Play Store, Windows Store). 3. Sign-up for a SmartThings account a. Start the SmartThings application b. Tap the Sign Up button and fill out all the credentials (Name, , password) c. Tap the Create Account button d. Select a country and continue to the next screen, but don t do anything yet. 4. Setup the SmartThings Environment a. The SmartThings kit (depending on which your purchased) comes with a Hub (the node that begins the network can send and receive commands via Wi-Fi) and several devices that communicate with each other and the hub on personal area network (PAN). b. Connect the power cord that comes with the kit to the SmartThings Hub. You should see a flashing blue light on the front when power is being delivered. c.

5 d. The flashing blue light means a network cannot be found. To solve this, connect the ethernet cord to the Hub. You should see orange and green lights turn on in the port if done correctly. e. f. Return to the SmartThings application to link your Hub to your account. g. Your screen should have left off on a page that asks for an activation code. Enter that code (should have come with the kit) and hit next. h. Your Hub should now set itself up. If the blue light stops flashing, that means it has found a network and is trying to connect to it. If the light turns purple, your Hub is downloading firmware upgrades. If the light turns solid green, your hub is connected and ready to go (the application should notify you of this). i. Tap next and you ll move on to the next screen to set up your location. 5. Define a Location a. Tap Grant Location Permission and allow the app to know your GPS coordinates. b. Name your location. c. Tap This is My Location to confirm the area. You can always change the location if needed. d. If you get a message of success you are done and the environment should be ready to start adding devices to the network. Setting up the Exploitation Environment To carry out the exploit we will at least need a device capable of capturing (sniffing) ZigBee network traffic and software to decode the captured radio frequency packets. There are a

6 number of implementations of this environment. Some will require you to flash software to the radio device in order to even begin capturing traffic while other will have the software already packaged with the hardware. We will demonstrate two ways to do this. Option 1: Texas Instrument CC2531 USB Evaluation Module Kit In order for this to work, you need a Windows computer. 1. Acquire a TI CC2531 USB Evaluation Module Kit ($49.00). 2. Download the firmware for the USB module. 3. Run the Setup_SmartRF_Packet_Sniffer_ executable all the way through. 4. Wireshark is not configured to work for the CC2531 USB module so you ll have to use a software called Ubiqua (which is far more user friendly) Head to the Ubiqua website and click Try it out Click Activate Free Evaluation 4.3. Click Create a new account Download the stable build and run the executable all the way through Run Ubiqua and use the activation code you were given to activate the software. The software should look like this when you start it up. 5. In the Device Manager Window pane click Add Device and select the Texas Instrument local device. The device should now be added to the Device Manager Window pane.

7

8 6. Click the switch to begin capturing traffic. 7. You may not immediately start seeing traffic and that is most likely because the network is communicating on a different channel (Ubiqua defaults to channel 11). To figure out what channel your network is on: 7.1. Click the switch to stop the capture Right click the device in the Device Manager window pane Click Scan Channels In Scan each channel for: 5 seconds should be good enough.

9 Unless there are other ZigBee enabled devices in the vicinity, only one channel will show traffic. That should be your Hub Close the window and begin the capture again Right click the device in the Device Manager window pane Select Channel and choose the channel you believe your Hub is communicating on You are now ready to perform the exploit. Option 2: Atmel RZ Raven USB stick (with the KillerBee Python framework) In order for this option to work you will need a Linux system (preferably Ubuntu or Kali). The USB stick can technically be programmed with Windows, but we re not going to talk about that. If you don t currently have Linux system, you can always partition your computer and dual-boot or run the Linux system from a USB (not recommended). This method is recommended for more experienced users or users looking to perform other attacks. 1. Gathering Hardware and Software 1.1. The following hardware and software are necessary to build the toolkit: Hardware: Atmel RZ Raven USB Stick Hardware: Atmel AVR Dragon on-chip programmer Hardware: Atmel 100-mm to 50-mm JTAG standoff Adapter Hardware: 50mm male-to-male header Hardware: 10-pin (2x5) 100-mm female-to-female ribbon cable (or 10 jumpers) Hardware: USB A-Male to B-Male Hardware (optional): USB A-Male to A-Female Extension Cable Software: AVRDUDE utility

10 Software: KillerBee Firmware for the RZUSBSTICK Linux system for programming the RZ Raven USB Stick (one time operation) 1.2. All devices can be acquired from their manufacturer's website, Mouser, Digikey, or Amazon. 2. Install AVR Dragon 2.1. Open the terminal on your Linux system and type sudo apt-get install avrdude (Windows has more than 7 steps to do this). 3. Build the KillerBee RZ Raven 3.1. Connect the USB A-Male to your computer and the B-Male to the AVR Dragon Download the latest KillerBee release from here (You can use type apt-get install git on your Linux system and use git clone ) In the killerbee/firmware directory, you will find a file named kbrzusbstick-002.hex. Use this or the latest version to update the firmware on the RZUSBstick Open a terminal and change to the directory where you cloned the GitHub repository and move into the killerbee/firmware directory. 4. Build the link between the AVR Dragon and the RZ Raven As shown in the picture above: Connect the 50-mm Male-to-Male Header to the JTAG Standoff Adapter.

11 Connect one end of the Ribbon cable to the JTAG Standoff Adapter and the other to the AVR Dragon. Be sure to position the ribbon in the right direction (see picture. 5. Connect the RZ Raven to a USB port on your computer (or to the extension cable if you re afraid of snapping it off like us). A blue light will light up. Using the free end of the JTAG adapter, insert the JTAG adapter with the male-to-male header into the pins on the top of the RZ Raven, being sure that contact is being made between the header and the PCB socket. 6. Switching back to the terminal window, type the following command, but do not execute it yet: avrdude -P usb -c dragon_jtag -p usb1287 -B 10 -U flash:w:kb-rzusbstick- 002.hex 7. With contact between the AVR Dragon and the JTAG socket on the RZ Raven, run the command. You should see the following output: 7.1. avrdude: jtagmkii_initialize(): warning: OCDEN fuse not programmed, single-byte EEPROM updates not possible avrdude: AVR device initialized and ready to accept instructions Reading ################################################# 100% 0.05s avrdude: Device signature = 0x1e9782 avrdude: NOTE: FLASH memory has been specified, an erase cycle will be performed To disable this feature, specify the -D option. avrdude: erasing chip avrdude: jtagmkii_initialize(): warning: OCDEN fuse not programmed, single-byte EEPROM updates not possible avrdude: reading input file "kb-rzusbstick-001.hex" avrdude: input file kb-rzusbstick-001.hex auto detected as Intel Hex avrdude: writing flash (26778 bytes): Writing ################################################# 100% 3.44s avrdude: bytes of flash written avrdude: verifying flash memory against kb-rzusbstick-001.hex: avrdude: load data flash data from input file kb-rzusbstick-001.hex: avrdude: input file kb-rzusbstick-001.hex auto detected as Intel Hex avrdude: input file kb-rzusbstick-001.hex contains bytes avrdude: reading on-chip flash data: Reading ################################################# 100% 3.79s avrdude: verifying... avrdude: bytes of flash verified avrdude: safemode: Fuses OK avrdude done. Thank you If you ve done it right, the LED should switch to an amber LED. 8. To be able to run the suite of attacks, you ll want to configure them to your Linux PATH.

12 8.1. Type cd.. to go back to the killerbee to level folder Type sudo python setup.py install. 9. To run the capturing suites, you ll want to run these set of commands sudo apt-get install python-gtk2 python-cairo python-usb python-crypto pythonserial python-dev libgcrypt-dev 9.2. sudo apt-get install mercurial 9.3. hg clone cd scapy-com sudo python setup.py install 10. Discover the ZigBee networks within range and enumerate the network information of the devices Type sudo zbstumbler You should see information about your network printed in the commandline Now let s begin doing the real work. Begin capturing traffic and saving it to a file Type sudo zbdump -f [YOUR NETWORK CHANNEL] -w capture.dump The device should now be capturing your network traffic. Executing the Exploit 1. We will now begin adding the devices that will allow us to exploit the network. Your kit may provide with many devices, but we find the device that misbehaves the most is the light bulb that comes with the kit. When it gets kicked off the network by the user, it makes an unauthorized rejoin forcing the network decryption key to be transferred again. The other device we tested (the motion sensor) does not behave this way and requires the Hub owner to give the Hub permission to associate devices (but this is also fine). 2. Before we begin, you ll need provide the bulb with power (perhaps with that lamp we recommended). If you don t have a lamp, you can use the Motion Sensor. For that, all you need to do is remove the slip that says remove to pair when ready to pair. Remove that now. 3. If you re using the TI CC2531 and watching the Ubiqua window, you may start seeing Beacon Requests from the SmartThings device and Beacon Responses from the Hub. Nothing is connecting yet because the devices do not have permission to do so yet.

13 If you re using the RZ Raven, you won t see anything in the command-line, but all this information is being dumped into the capture.dump file we passed as an argument. 4. For the TI CC2531 (Skip to Step 5 for the RZ Raven): Before we tell the Hub to start looking for devices and capturing the traffic of that process, we will need to give Ubiqua the ZigBee Trust Center Link Key that is used to decrypt the network packet that is used to transport the personal area network key Here s the key: 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39. Googling ZigBee Trust Center Link Key will also return the same key In Ubiqua, go to Tools > Options > Security tab > Add button 4.3. For the Type, select Application of Trust Center Link Key 4.4. Copy and Paste the Key from the step three letters above into the Key input section and click Add, then Okay. 5. We are now ready to sniff out the key with our RZ Raven or the TI CC2531 and Ubiqua set to decrypt the transport key packet when we capture it. With your device(s) still

14 beaconing, on the Things page of the application, tap Add a Thing and the app will start looking for devices. 6. Your device(s) should connect quickly and Ubiqua should show the decrypted traffic. The RZ Raven should be capturing this. 7. You should see the transported key. Click on the packet and in the Packet View window right click and click Expand All. 8. Locate the tab titled Key Descriptor. You should see the the network key used to decrypt the entire network under that tab. 9. Ubiqua should automatically decrypt the rest of the traffic for you. 10. The network is yours. 11. The next steps are for the RZ Raven: 12. Stop the capture in the terminal by pressing CTRL+C. 13. Install Wireshark Type apt-get install wireshark You ll be asked if non-sudoers should be able to capture traffic. Select yes. 14. Open Wireshark Type sudo wireshark into the command-line 15. Open the capture.dump file:

15 15.1. Select File > Open To be sure that there are no errors in decoding the file, configure the Wireshark preferences as follows:

16

17

18 In the Pre-configured Keys section click Edit Enter the Trust Center Link Key Click the + button Copy and Paste the Key into the blank Key section and hit Enter or press Ok Press OK.

19 You if you scroll down far enough you should see the key exchanged decrypted by the Transport Link Key. Click Expand All to see the key.

20 You should see it here: The network is yours.