Presented at
Black Hat USA 2015,
Aug. 6, 2015, 12:10 p.m.
(50 minutes).
ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have, for example, a smart light bulb at home, the chance is very high that you are actually using ZigBee. Popular lighting applications, such as Philips Hue or Osram Lightify are based on this standard. Usually, IoT devices have very limited processing and energy resources, and therefore not capable of implementing well-known communication standards, such as Wifi. ZigBee is, however, an open, publicly available alternative that enables wireless communication for such devices.
ZigBee also provides security services for key establishment, key transport, frame protection, and device management that are based on established cryptographic algorithms.
So, is a ZigBee home automation network with applied security and smart home communication protected? No, absolutely not. Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices. For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself.
Due to these shortfalls and limitations created by the manufacturers themselves, the security risk in this last tier communication standard can be considered as very high.
This talk will provide an overview of the actual applied security measures in ZigBee, highlight the included weaknesses, and show practical exploitations of actual product vulnerabilities, as well as our recently developed ZigBee security-testing framework tool.
Presenters:
-
Sebastian Strobl
- Cognosec GmbH
Sebastian Strobl manages the delivery of Cognosec GmbH's auditing services. He has over 8 years practical experience in the areas of information security, IT governance, compliance, risk management, and information systems auditing. He is a certified professional in information systems, PCI DSS and application security auditing, and has a master's degree in Information Management and Computer Security. Prior to his role at Cognosec GmbH he was leading information systems audits for organizations in the online gaming and finance industry, providing a strong background in the online payment and gaming value chain, the underlying technology thereof, and industry specific regulations. He has an extreme depth of knowledge in security tools, technologies, and industry best practices, and is recognized for delivering top-level, value-adding IT audits. He is also responsible for the creation and deployment of innovative solutions to mitigate risks by protecting networks and application systems, safeguarding information assets and ensuring business continuity. He specializes in delivering effective assurance and consultancy services, focusing on application and web-security architecture, as well as the integration with payment processing value chains.
-
Tobias Zillner
- Cognosec GmbH
Tobias Zillner works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements and to provide a customers management with an independent opinion regarding the effectiveness, and efficiency of IT systems. Furthermore, Tobias evaluates and assures security of Information Technology by performing webapplication and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a Bachelor degree in Computer and Media Security, a Master degree in IT Security and a Master degree in Information Systems Management. Tobias expertise also applies to the IT Governance, Risk and Compliance domains. He also holds a wide range of certifications, like CISSP, CISA, QSA, CEH, ITIL or COBIT.
Links:
Similar Presentations: