ZigBee Smart Homes - A Hacker's Open House

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 20, 2015, 2:50 p.m. (50 minutes)

ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Googles OnHub are based on ZigBee. New IoT devices have often very limited processing and energy resources. Therefore they are not capable of implementing well-known communication standards like Wifi. ZigBee is an open, public available alternative that enables wireless communication for such limited devices. ZigBee provides also security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected? No, definitely not. Due to "requirements" on interoperability and compatibility as well as the application of ancient security concepts it is possible to compromise ZigBee networks and take over control of all included devices. For example it is easily possible for an external to get control over every smart light bulb that supports the ZigBee Light Link profile. Also the initial key transport is done in an unsecured way. It is even required by the standard to support this weak key transport. On top of that another vulnerability allows third parties to request secret key material without any authentication and therefore takeover the whole network as well as all connected ZigBee devices. Together with shortfalls and limitations in the security caused by the manufacturers itself the risk to this last tier communication standard can be considered as highly critical. This talk will provide an overview about the actual applied security measures in ZigBee, highlight the included weaknesses and show also practical exploitations of actual product vulnerabilities. Therefore new features in the ZigBee security testing tool SecBee will be demonstrated and made public available.

Presenters:

• Tobias Zillner - Cognosec GmbH
  Tobias Zillner works as Senior IS Auditor at Cognosec in Vienna. He conducts information systems audits in order to assess compliance to relevant internal and external requirements and to provide a customers management with an independent opinion regarding the effectiveness, and efficiency of IT systems. Furthermore, Tobias evaluates and assures security of Information Technology by performing webapplication and web service penetration tests, source code analysis as well as network and infrastructure penetration tests. He has a Bachelor degree in Computer and Media Security, a Master degree in IT Security and a Master degree in Information Systems Management. Tobias expertise also applies to the IT Governance, Risk and Compliance domains. He was speaking at well known international security conferences such as Black Hat or Defcon and also holds a wide range of certifications, like CISSP, CISA, QSA, CEH, ITIL or COBIT.
• Florian Eichelberger - Cognosec GmbH

Links:

• https://deepsec.net/archive/2015.deepsec.net/speaker.html#PSLOT223
• https://infocon.org/cons/DeepSec/DeepSec 2015/ZigBee Smart Homes - A Hacker s Open House - Tobias Zillner, Florian Eichelberger.mp4
• https://infocon.org/cons/DeepSec/DeepSec 2015/ZigBee Smart Homes - A Hacker s Open House - Tobias Zillner, Florian Eichelberger.srt (subtitles)

Similar Presentations:

• Nuit du Hack 2016 / Revue de sécurité du protocole ZigBee d'une box TV française
• Black Hat USA 2015 / ZigBee Exploited the Good, the Bad, and the Ugly
• DEF CON 23 (2015) / I'm A Newbie Yet I Can Hack ZigBee - Take Unauthorized Control Over ZigBee Devices