ZigBee security review of a famous French set-top box

ZigBee security review of a famous French set-top box

ZigBee protocol is widely used for home automation and remote control operations. However, the protocol design and common implementations suffer from several vulnerabilities. We will talk about ZigBee (based on IEEE 802.15.4 standard) and ZigBee RF4CE security designs (the latest being popular in the USA) and review the security implementation of a well-known set-top box, using different commercial and home-made tools. We will focus in particular on various security mechanisms like key exchange, authentication and encryption. We will see that ZigBee main practical vulnerability is the lack of a secure key echange scheme and assess how easy it is to intercept and use the key for an attacker. We will talk about the associated risks and best practices in this field. The goal of the talk will be to sketch the minimal security basics for IoT devices and recommendations for future protocols.

- Keywords: IoT, ZigBEE, IEEE 802.15.4, RF4CE, home automation, set-top box, security

9b368ee76aa2b65a870563d4829a4d5e?s=128

Renaud Lifchitz

July 02, 2016
Tweet

Transcript

  1. Nuit Du Hack – Paris – July, 2nd 2016 Renaud

    Lifchitz (renaud.lifchitz@digitalsecurity.fr) ZigBee security review of a famous French set-top box
  2. Outline Introduction to ZigBee protocol ZigBee useful tools Study of

    our target Best practices for wireless security P. 2 ZigBee security review of a famous French set-top box - Digital Security
  3. Speaker's bio French senior security engineer Main activities:  Penetration

    testing & security audits  Security research  Security trainings Main interests:  Security of protocols (authentication, cryptography, information leakage, reverse engineering...)  Number theory (integer factorization, primality testing, elliptic curves...) ZigBee security review of a famous French set-top box - Digital Security P. 3
  4. About Digital Security Company founded in 2015 by a group

    of experts with the support of Econocom Group Provides advanced services in security audit, consulting and support Our expertise combine traditional security for infrastructure and application, and skills oriented to the ecosystem of connected objects Has created the CERT-UBIK, first European CERT™ specialized on IoT security (OSIDO monitoring service) Has a laboratory for addressing technologies, data exchange protocols and specific operating systems Diamond sponsor of this event ZigBee security review of a famous French set-top box - Digital Security P. 4
  5. Introduction to ZigBee protocol

  6. ZigBee IEEE 802.15.4-based protocol to create PANs & mesh networks

    Mostly in 2.4 GHz ISM band in Europe Created in 1998, standardized in 2003, revised in 2006 High-level & low-power 10-100m. communications Supports AES-128-CCM* encryption A lot of variants:  ZigBee (2004/2006/2007)  ZigBee PRO qui définit une pile et des caractéristiques supplémentaires (2007/2012)  ZigBee 3.0 (in progress)  ZigBee IP  ZigBee RF4CE  ZigBee Green Power Introduction to ZigBee protocol P. 6 ZigBee security review of a famous French set-top box - Digital Security
  7. ZigBee RF4CE ZigBee RF4CE is an open standard for radio

    based remote controls for audio/video consumer electronics Commonly used in the USA Still quite rare in Europe Built onto the IEEE 802.15.4 standard MAC and PHY layers Introduction to ZigBee protocol P. 7 ZigBee security review of a famous French set-top box - Digital Security
  8. ZigBee RF4CE advantages over infrared remote controls No need for

    direct line of sight No sensibility to light Supports encryption Bidirectionnal Higher data rate (multimedia & games usage) Introduction to ZigBee protocol P. 8 ZigBee security review of a famous French set-top box - Digital Security
  9. ZigBee useful tools

  10. Hardware tools: TI CC2531 dongle 45€ USB stick http://www.ti.com/tool/cc2531emk ZigBee

    useful tools P. 10 ZigBee security review of a famous French set-top box - Digital Security
  11. Hardware tools: Atmel RZUSBstick 40€ USB stick Supports only sniffing

    with default firmware http://www.atmel.com/tools/RZUSBSTICK.aspx ZigBee useful tools P. 11 ZigBee security review of a famous French set-top box - Digital Security
  12. Software tools: Texas Instruments Packet Sniffer Pros:  Works out-of-the-box

    with TI CC2531 dongle  Windows GUI tool Cons:  Doesn’t support newer ZigBee variants (ex.: RF4CE) ZigBee useful tools P. 12 ZigBee security review of a famous French set-top box - Digital Security
  13. Software tools: KillerBee framework Framework of several Python tools to

    study ZigBee-based protocols KillerBee firmware allows Atmel RZUSBsticks to sniff & inject packets Hardware requirements to reflash the dongle https://github.com/riverloopsec/killerbee ZigBee useful tools P. 13 ZigBee security review of a famous French set-top box - Digital Security
  14. Software tools: Ubiqua Protocol Analyzer Pros:  Supports a lot

    of IEEE 802.15.4 variants  Windows GUI tool  Seamless support for encryption Cons:  Commercial license ZigBee useful tools P. 14 ZigBee security review of a famous French set-top box - Digital Security
  15. Study of our target

  16. About the target Famous French set-top box for Internet and

    TV access distributed by a well-known Internet service provider Study took place from December 2015 during spare time 3 components:  Internet box (not directly studied here)  TV box  Wireless ZigBee-based remote control (RF4CE) Study of our target P. 16 ZigBee security review of a famous French set-top box - Digital Security
  17. RF4CE key exchange protocol Key seed packets to LinkKey (Source:

    ZigBee RF4CE Specification Version 1.01) Study of our target P. 17 ZigBee security review of a famous French set-top box - Digital Security
  18. Key exchange protocol Vendor has chosen to distribute LinkKey across

    37 key seeds (not standard) 37 Key seeds of 80 bytes Every key seed is acknowledged in clear text Key exchange is literally « whispered », the link quality drops from -6dBm for normal keystrokes to -58dBm for key exchange!  Security by obscurity, key exchange is basically clear text! Study of our target P. 18 ZigBee security review of a famous French set-top box - Digital Security
  19. When will a key exchange occur? During a manual pairing

    When remote control batteries are replaced (decreasing signal power can be remotely monitored until replacement) Some firmware updates require re-pairing Disassociation from an attacker:  Jamming  Association flooding Study of our target P. 19 ZigBee security review of a famous French set-top box - Digital Security
  20. Sniffing the communication between STB and RC Steps:  1)

    Capture raw traffic (used channel is always 15 for this target)  2) Optionally convert it to XML (.opml extension) with Ubiqua for easier manipulation (lack of good other RF4CE protocol dissector)  3) Find « Key Seed » packets and extract their payload  4) Compute LinkKey using successive XORs  5) Decrypt traffic using AES-128-CCM* and the LinkKey Study of our target P. 20 ZigBee security review of a famous French set-top box - Digital Security
  21. Computing LinkKey Capture raw traffic using KillerBee: $ zbid Dev

    Product String Serial Number 001:008 KILLERB001 FFFFFFFFFFFF $ zbstumbler zbstumbler: Transmitting and receiving on interface '001:008' New Network: PANID 0x6689 Source 0x7F2A Ext PANID: Unknown Stack Profile: ZigBee Standard Stack Version: ZigBee Prototype Channel: 15 $ zbdump -c 15 -w rcdump.pcap zbdump: listening on '001:008', link-type DLT_IEEE802_15_4, capture size 127 bytes 102 packets captured Study of our target P. 21 ZigBee security review of a famous French set-top box - Digital Security
  22. Computing LinkKey Find key seed packets and compute the key:

    Study of our target P. 22 ZigBee security review of a famous French set-top box - Digital Security
  23. Computing LinkKey Find key seed packets and compute the key:

    $ python opml2key.py rcdump.opml 37 key seed packets found Computed key: 70247b83a1b8d23dd15c595a5b5bfb43 Study of our target P. 23 ZigBee security review of a famous French set-top box - Digital Security
  24. Computing LinkKey Successfully decrypted keystroke packet (Ubiqua) Mostly null bytes!

    Study of our target P. 24 ZigBee security review of a famous French set-top box - Digital Security
  25. Possible attacks Using sniffing of the key exchange:  Sniffing

    of keystrokes and decryption  Remote control of the set-top box (key injection)  All associated attacks Two kinds of attack scenarios:  Blind: Victim’s TV screen is not visible  Not blind: Victim’s TV screen is visible (for instance through a window) or attacker captures TV leaking emanations (up to 20 meters, depends on the TV monitor) Study of our target P. 25 ZigBee security review of a famous French set-top box - Digital Security
  26. Attack scenario 1 Arbitrary access to set-top box/subscription functions Requirements:

    none Attack type: mostly blind Impacts:  DoS (controlled power off/reboots of the TV/set-top box)  Subscriptions to pay channels  Pairing of additionnal remote contols Study of our target P. 26 ZigBee security review of a famous French set-top box - Digital Security
  27. Attack scenario 2 Arbitrary Bluetooth activation and device pairing: mouse,

    keyboard, headset, … Requirements: connected BT dongle Attack type: blind or not blind (PIN pairing depends on the BT device capability) Impacts: keystroke injection, listening to voicemail (through headset) Study of our target P. 27 ZigBee security review of a famous French set-top box - Digital Security
  28. Attack scenario 3 Arbitrary Internet browsing & downloading Requirements: none

    Attack type: blind Impacts: identity theft through:  mail sending and Twitter posting (for configured accounts)  illegal browsing & downloads (Bittorrent) Study of our target P. 28 ZigBee security review of a famous French set-top box - Digital Security
  29. Attack scenario 4 Arbitrary access to victim’s phone line through

    DECT pairing Requirements: none Attack type: blind (4-digit PIN bruteforce) or not blind Impacts: identity theft through:  Calls and call answers  Access to voicemail Study of our target P. 29 ZigBee security review of a famous French set-top box - Digital Security
  30. Attack scenario 5 Arbitrary access to victim’s LAN through Wi-Fi

    (key disclosure) Requirements: Wi-Fi used Attack type: not blind Impacts: identity theft through full internet access, LAN sniffing, MitM… Study of our target P. 30 ZigBee security review of a famous French set-top box - Digital Security
  31. Changes in the key exchange The key exchange protocol changed

    during the study (software updates are automatic at boot time) Now, every key seed is 22 bytes long instead of 80 Provider moves away from the RF4CE specification Still 37 different key seeds, but at a faster pace (some short packets like ACK can be dropped at capture time) How is the 16-byte AES key built from 22-byte key seeds? Is the new key echange more secure? No, still not a challenge, same security level Study of our target P. 31 ZigBee security review of a famous French set-top box - Digital Security
  32. Conclusion Attacks not specific to this target, any ZigBee set-top

    box might be vulnerable Attack not easy due to low signal level during key exchange but possible with:  a LNA for signal reception  and/or a power amplifier for signal reception & emission  and/or a directional antenna (Wi-Fi antenna) ZigBee-based key exchanges are generally vulnerable Few RF4CE protocol dissectors are good Study of our target P. 32 ZigBee security review of a famous French set-top box - Digital Security
  33. Best practices for wireless security

  34. Threats & countermeasures Best practices for wireless security P. 34

    ZigBee security review of a famous French set-top box - Digital Security Threats Good countermeasures Passive snooping - Secure key exchange (ex.: Diffie-Hellman) - Encryption Volontary or involuntary jamming - Spread spectrum - Frequency/channel hopping Usurpation (ex.: replay) - Anti-replay mechanisms (cryptographic « nonce » ) - Authentication using a challenge
  35. Best practices for wireless protocols Use suited wireless protocols according

    to your security needs Pairing is usually a critical stage, do it in a controlled environment Monitor continuously the network for anomalies Don’t re-invent the wheel, use well-known security recipes (previous slide): Bluetooth (not BLE) is nearly perfect When possible, protect physical perimeter of use (security-in-depth philosophy) Best practices for wireless security P. 35 ZigBee security review of a famous French set-top box - Digital Security
  36. Thanks! Questions? IoT Security Contact: info@digitalsecurity.fr P. 36 ZigBee security

    review of a famous French set-top box - Digital Security