
ZigBee security review of a famous French set-top box

ZigBee is widely used for home automation and remote control operations. However, the protocol design and common implementations suffer from several vulnerabilities. We will talk about ZigBee (based on the IEEE 802.15.4 standard) and ZigBee RF4CE security designs (the latter being popular in the USA) and review the security implementation of a well-known set-top box, using different commercial and home-made tools. We will focus in particular on various security mechanisms like key exchange, authentication and encryption. We will see that ZigBee's main practical vulnerability is the lack of a secure key exchange scheme and assess how easy it is for an attacker to intercept and use the key. We will talk about the associated risks and best practices in this field. The goal of the talk is to sketch the minimal security basics for IoT devices and recommendations for future protocols.

- Keywords: IoT, ZigBee, IEEE 802.15.4, RF4CE, home automation, set-top box, security

Renaud Lifchitz

July 02, 2016

Transcript

  1. Nuit du Hack – Paris – July 2nd, 2016
    Renaud Lifchitz ([email protected])
    ZigBee security review of a famous French set-top box

  2. Outline
    Introduction to ZigBee protocol
    ZigBee useful tools
    Study of our target
    Best practices for wireless security
    P. 2 ZigBee security review of a famous French set-top box - Digital Security

  3. Speaker's bio
    French senior security engineer
    Main activities:
     Penetration testing & security audits
     Security research
     Security trainings
    Main interests:
     Security of protocols (authentication, cryptography, information leakage, reverse engineering...)
     Number theory (integer factorization, primality testing, elliptic curves...)

  4. About Digital Security
    Company founded in 2015 by a group of experts with the support of Econocom Group
    Provides advanced services in security audit, consulting and support
    Our expertise combines traditional infrastructure and application security with skills oriented to the ecosystem of connected objects
    Has created the CERT-UBIK, the first European CERT™ specialized in IoT security (OSIDO monitoring service)
    Has a laboratory for addressing technologies, data exchange protocols and specific operating systems
    Diamond sponsor of this event

  5. Introduction to ZigBee protocol

  6. ZigBee
    IEEE 802.15.4-based protocol to create PANs & mesh networks
    Mostly in 2.4 GHz ISM band in Europe
    Created in 1998, standardized in 2003, revised in 2006
    High-level & low-power communications over 10–100 m
    Supports AES-128-CCM* encryption
    A lot of variants:
     ZigBee (2004/2006/2007)
     ZigBee PRO, which defines an additional stack and extra features (2007/2012)
     ZigBee 3.0 (in progress)
     ZigBee IP
     ZigBee RF4CE
     ZigBee Green Power

  7. ZigBee RF4CE
    ZigBee RF4CE is an open standard for radio-based remote controls for audio/video consumer electronics
    Commonly used in the USA
    Still quite rare in Europe
    Built on the IEEE 802.15.4 standard MAC and PHY layers

  8. ZigBee RF4CE advantages over infrared remote controls
    No need for direct line of sight
    Not sensitive to light
    Supports encryption
    Bidirectional
    Higher data rate (multimedia & games usage)

  9. ZigBee useful tools

  10. Hardware tools:
    TI CC2531 dongle
    45€ USB stick
    http://www.ti.com/tool/cc2531emk

  11. Hardware tools:
    Atmel RZUSBstick
    40€ USB stick
    Supports only sniffing with default firmware
    http://www.atmel.com/tools/RZUSBSTICK.aspx

  12. Software tools:
    Texas Instruments Packet Sniffer
    Pros:
     Works out-of-the-box with TI CC2531 dongle
     Windows GUI tool
    Cons:
     Doesn’t support newer ZigBee variants (e.g. RF4CE)

  13. Software tools:
    KillerBee framework
    Framework of several Python tools to study ZigBee-based protocols
    KillerBee firmware allows Atmel RZUSBsticks to sniff & inject packets
    Reflashing the dongle requires additional hardware
    https://github.com/riverloopsec/killerbee

  14. Software tools:
    Ubiqua Protocol Analyzer
    Pros:
     Supports a lot of IEEE 802.15.4 variants
     Windows GUI tool
     Seamless support for encryption
    Cons:
     Commercial license

  15. Study of our target

  16. About the target
    Famous French set-top box for Internet and TV access, distributed by a well-known Internet service provider
    Study took place from December 2015 onwards, during spare time
    3 components:
     Internet box (not directly studied here)
     TV box
     Wireless ZigBee-based remote control (RF4CE)

  17. RF4CE key exchange protocol
    Key seed packets to LinkKey
    (Source: ZigBee RF4CE Specification Version 1.01)

  18. Key exchange protocol
    Vendor has chosen to distribute the LinkKey across 37 key seeds (not standard)
    37 key seeds of 80 bytes each
    Every key seed is acknowledged in clear text
    Key exchange is literally « whispered »: the link quality drops from -6 dBm for normal keystrokes to -58 dBm for key exchange!
     Security by obscurity: the key exchange is basically in clear text!

  19. When will a key exchange occur?
    During a manual pairing
    When remote control batteries are replaced (decreasing signal power can be remotely monitored until replacement)
    Some firmware updates require re-pairing
    Disassociation forced by an attacker:
     Jamming
     Association flooding

  20. Sniffing the communication between STB and RC
    Steps:
     1) Capture raw traffic (used channel is always 15 for this target)
     2) Optionally convert it to XML (.opml extension) with Ubiqua for easier manipulation (lack of other good RF4CE protocol dissectors)
     3) Find « Key Seed » packets and extract their payload
     4) Compute LinkKey using successive XORs
     5) Decrypt traffic using AES-128-CCM* and the LinkKey

  21. Computing LinkKey
    Capture raw traffic using KillerBee:
    $ zbid
    Dev Product String Serial Number
    001:008 KILLERB001 FFFFFFFFFFFF
    $ zbstumbler
    zbstumbler: Transmitting and receiving on interface '001:008'
    New Network: PANID 0x6689 Source 0x7F2A
    Ext PANID: Unknown Stack Profile: ZigBee Standard
    Stack Version: ZigBee Prototype
    Channel: 15
    $ zbdump -c 15 -w rcdump.pcap
    zbdump: listening on '001:008', link-type DLT_IEEE802_15_4, capture size 127 bytes
    102 packets captured

  22. Computing LinkKey
    Find key seed packets and compute the key:

  23. Computing LinkKey
    Find key seed packets and compute the key:
    $ python opml2key.py rcdump.opml
    37 key seed packets found
    Computed key: 70247b83a1b8d23dd15c595a5b5bfb43
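Added example, not part of the talk and not the speaker's opml2key.py: the receiver-side LinkKey derivation from key seeds, written to show why the scheme on slides 18 and 20 gives a passive listener exactly the receiver's view, and why missing a single seed is the only thing the low transmit power protects against. The XOR-then-fold rule is this editor's reading of the RF4CE specification; make_seeds is an assumed construction of seeds that satisfy that relation, and the sample key is constructed.

```python
import os
from functools import reduce

SEED_LEN = 80    # RF4CE key seed length in bytes (slide 18)
KEY_LEN = 16     # AES-128 LinkKey
SEED_COUNT = 37  # number of seeds this target sends (slide 18)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fold_80_to_16(value: bytes) -> bytes:
    """XOR the five 16-byte blocks of an 80-byte value into one 16-byte block."""
    blocks = [value[i:i + KEY_LEN] for i in range(0, SEED_LEN, KEY_LEN)]
    return reduce(xor_bytes, blocks)

def derive_link_key(seeds) -> bytes:
    """Receiver-side computation (editor's reading of the RF4CE spec): XOR every
    seed together, then fold the 80-byte result down to 16 bytes.
    Nothing here is secret: whoever holds the same seeds gets the same key,
    which is the point made on slide 18."""
    if not seeds or any(len(s) != SEED_LEN for s in seeds):
        raise ValueError("expected one or more 80-byte key seeds")
    return fold_80_to_16(reduce(xor_bytes, seeds))

def make_seeds(link_key: bytes, count: int = SEED_COUNT):
    """Originator side. Assumption: one construction satisfying the XOR relation
    (random seeds, last one adjusted), not the specification's own procedure."""
    if len(link_key) != KEY_LEN or count < 1:
        raise ValueError("need a 16-byte key and at least one seed")
    seeds = [os.urandom(SEED_LEN) for _ in range(count - 1)]
    last = bytearray(os.urandom(SEED_LEN))
    # Fix the first 16-byte block of the last seed so the fold equals link_key.
    partial = fold_80_to_16(reduce(xor_bytes, seeds + [bytes(last)]))
    last[:KEY_LEN] = xor_bytes(bytes(last[:KEY_LEN]), xor_bytes(partial, link_key))
    seeds.append(bytes(last))
    return seeds

def capture_outcomes(link_key: bytes, count: int = SEED_COUNT):
    """Compare a listener that captured every seed with one that missed the last
    seed: (all seeds give the key?, all-but-one give the key?)."""
    seeds = make_seeds(link_key, count)
    full = derive_link_key(seeds) == link_key
    partial = derive_link_key(seeds[:-1]) == link_key if count > 1 else None
    return full, partial

if __name__ == "__main__":
    sample_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    print(capture_outcomes(sample_key))  # (True, False)
```

The derivation is linear in public values only, which is why slide 34 lists a Diffie-Hellman style exchange as the countermeasure: there, the XOR of what was sent is not the key.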

  24. Computing LinkKey
    Successfully decrypted keystroke packet (Ubiqua)
    Mostly null bytes!

  25. Possible attacks
    Using sniffing of the key exchange:
     Sniffing of keystrokes and decryption
     Remote control of the set-top box (key injection)
     All associated attacks
    Two kinds of attack scenarios:
     Blind: victim’s TV screen is not visible
     Not blind: victim’s TV screen is visible (for instance through a window) or attacker captures TV leaking emanations (up to 20 meters, depends on the TV monitor)

  26. Attack scenario 1
    Arbitrary access to set-top box/subscription functions
    Requirements: none
    Attack type: mostly blind
    Impacts:
     DoS (controlled power off/reboots of the TV/set-top box)
     Subscriptions to pay channels
     Pairing of additional remote controls

  27. Attack scenario 2
    Arbitrary Bluetooth activation and device pairing: mouse, keyboard, headset, …
    Requirements: connected BT dongle
    Attack type: blind or not blind
    (PIN pairing depends on the BT device capability)
    Impacts: keystroke injection, listening to voicemail (through headset)

  28. Attack scenario 3
    Arbitrary Internet browsing & downloading
    Requirements: none
    Attack type: blind
    Impacts: identity theft through:
     mail sending and Twitter posting (for configured accounts)
     illegal browsing & downloads (Bittorrent)

  29. Attack scenario 4
    Arbitrary access to victim’s phone line through DECT pairing
    Requirements: none
    Attack type: blind (4-digit PIN bruteforce) or not blind
    Impacts: identity theft through:
     Calls and call answers
     Access to voicemail

  30. Attack scenario 5
    Arbitrary access to victim’s LAN through Wi-Fi (key disclosure)
    Requirements: Wi-Fi used
    Attack type: not blind
    Impacts: identity theft through full internet access, LAN sniffing, MitM…

  31. Changes in the key exchange
    The key exchange protocol changed during the study
    (software updates are automatic at boot time)
    Now, every key seed is 22 bytes long instead of 80
    Provider moves away from the RF4CE specification
    Still 37 different key seeds, but at a faster pace (some short packets like ACKs can be dropped at capture time)
    How is the 16-byte AES key built from 22-byte key seeds?
    Is the new key exchange more secure?
    No: still no challenge, same security level

  32. Conclusion
    Attacks not specific to this target: any ZigBee set-top box might be vulnerable
    Attack not easy due to the low signal level during key exchange, but possible with:
     an LNA for signal reception
     and/or a power amplifier for signal reception & emission
     and/or a directional antenna (Wi-Fi antenna)
    ZigBee-based key exchanges are generally vulnerable
    Few RF4CE protocol dissectors are good

  33. Best practices for wireless security

  34. Threats & countermeasures
    Threats                            | Good countermeasures
    -----------------------------------+---------------------------------------------------
    Passive snooping                   | - Secure key exchange (e.g. Diffie-Hellman)
                                       | - Encryption
    Voluntary or involuntary jamming   | - Spread spectrum
                                       | - Frequency/channel hopping
    Impersonation (e.g. replay)        | - Anti-replay mechanisms (cryptographic « nonce »)
                                       | - Authentication using a challenge

  35. Best practices for wireless protocols
    Use wireless protocols suited to your security needs
    Pairing is usually a critical stage: do it in a controlled environment
    Continuously monitor the network for anomalies
    Don’t re-invent the wheel, use well-known security recipes (previous slide): Bluetooth (not BLE) is nearly perfect
    When possible, protect the physical perimeter of use (security-in-depth philosophy)

  36. Thanks!
    Questions?
    IoT Security
    Contact:
    [email protected]
