ConBee ZigBee USB Gateway: Usage

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

This is a description of how to set up and use a ConBee ZigBee USB Gateway USB stick to sniff out keys of ZigBee end point devices in smart home networks.

Requirements

Operating system:

  • Ubuntu 18.04

Applications:

  • Wireshark
  • ZShark (Interface between sniffer and Wireshark, available [here]
  • Smart Home Management App, e.g. Philips Hue for Android, available in the [Google Play Store]

Network traffic generating devices, e.g.

  • Philips Hue Bridge
  • Philips Hue White LED

Sniffing tool

  • ConBee ZigBee USB Gateway

In order to complete these steps, it is recommended to be familiar with Wireshark.

Description

Step 0: ZigBee Smart Home Provision

Be sure to have permission to hack into the ZigBee network you want to analyse. Even better, set up your own network to generate some traffic. Minimal requirements: 1 bridge and 1 connected smart home device, such as an LED lamp, preferably with an additional app e.g. for your phone, to control/manage the smart home devices.

Step 1: ConBee Setup

Plug ConBee into a USB Port.

Install firmware using ZShark

Open ZShark. You will see this window:

ZSharkInst.png

Select "ConBee" and click "Connect".

If the dialog tells you there is "No or wrong firmware found", and pressing the "Install Firmware" button doesn't prompt you to the next dialog, make sure no other USB devices are connected to your computer and try again.

If it still doesn't change, you can also install the firmware manually. For this open a terminal and change into the ZShark-folder (that is where you have installed the application) and run this command (as root):

GCFFlasher_internal -d /dev/ttyUSB0 -f /usr/share/zshark/fw/sniffer_v1_0.bin

where

  1. /dev/ttyUSB0 is the path to your device
  2. /usr/share/zshark/fw/sniffer_v1_0.bin is the path to the firmware you want to install

Both paths are the absolute paths, and they may certainly differ from this solution. Make sure you look up the correct paths on your own system and use them accordingly.

If everything worked fine, you should see a dialogue like this

ZSharkReady.png

where the path in the COM port identifier shows you the sniffer was detected correctly.

The remote capture IP is to use if you decide to send the captured data to Wireshark on another machine. In my case this was not necessary, as I used Wireshark on the same device.

Choose ZigBee channel

Channel 11 is the default ZigBee channel, so there you find your traffic unless you configured your network otherwise (in that case you obviously change it to the applicable channel).

Start capturing packets with "Start".

You should see the number identified by "Received Packets" in the dialogue to increase immediately.

Step 2: Wireshark Configuration

Open Wireshark.

Select interface

Choose the loopback interface. This is where ZShark sends packets by default.

WiresharkInterfaces.png

Leave the input field for capture filter empty.

Apply display filter

udp.port==17754 && !icmp
  • UDP because our ZigBee devices rely on this protocol
  • Port 17754 is designated for ZigBee packets
  • And we don't need the ICMP output for our analysis

It won't do no harm if you forget to apply the filter, though you will get packets displayed you won't be interested in. You can also apply it afterwards or add additional filters to easier find specific packets.

Add symmetric key of bridge

Go to:

Edit > Preferences > Protocols > ZigBee

Border

Leave the Security Level in its default value (AES-128 Encryption, 32-bit Integrity Protection). Choose Edit at "Pre-configured keys" and add the key of your bridge, which in most cases is

5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39

or, in this case using the Philips Hue Bridge, is

81:42:86:86:5D:C1:C8:B2:C8:CB:C5:2E:5D:65:D1:B8

as these are mostly universal default keys so that communication in ZigBee networks can be established with lots of different devices from different vendors without further ado.

In both cases, choose the Byte Order "Normal".

Without the brigde key, you are still able to capture traffic, though you will not get access to additional information, or important insight into the payload respectively. For example, you would not be able to display the end-point device keys, which will be explained in the next step.

Start capturing the packets in Wireshark as well.

Step 3: Wireshark Network Traffic Analysis

Now you will see traffic similar to this:

WiresharkTraffic2.jpg

It shows there was data broadcasted, unfortunately without any further details. The circled output shows contained data is encrypted.

Locate Packet with Symmetric Key

To get hold of an end-point device key in a ZigBee network, look out for specific packets. A device newly entering a network sends its key decrypted until it is established and ingested into the network by the bridge. If you have configured the bridge key correctly, you should see a new device advertising its symmetric key in packets which are tagged as "Device Announcement" in the information column of Wireshark (although there are other packets as well with visible key, this is the first one where this happens).

WiresharkDA.png

To simulate a device entering into a network, you have to reset it. With the light bulb, I simply disconnected it from its socket and re-attached it. Switching the light on and off won't help, it has to be taken off the electricity completely.

Add end-point device key in Wireshark

Go to:

Edit > Preferences > Protocols > ZigBee

and add the key with Byte Order "Normal".

From this point on, you are able to see all information, as you can adequatly decrypt it.

Border

This is the same packet as the first one in this section, only with added key. As you can see, the payload is now clearly visible, and it shows detailed information about the transported commands.

Used Hardware

ConBee ZigBee USB Gateway

Philips Hue Bridge 2.0, Gateway

Philips Hue White LED E27 9.5W/827, white

Courses

  • (nothing here yet)

References