ZigBee Replay

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

After successfully sniffing the Network Key of a ZigBee network as described in ZigBee Sniffing the next step is to conduct a replay attack by resending the decrypted on/off commands with adjusted counters.

Requirements

Authors

  • Daniel Tod
  • Luca Strobl

Results

  • zbreplay does not work due to counter queries
  • Python script to log the latest counters and create a packet with updated counters
    • Data is misinterpreted and therefore the FCS and MIC are wrong
    • Packet is not constructed
  • Documentation of the conducted project and source code of the python script

The authors suppose that the misinterpretation of data results from the limited hardware capacities of the Atmel RZ Raven USB stick. The solution would be a Software Defined Radio (SDR). The drivers of scapy were only written for the Ettus USRP but the authors were not provided with this SDR.

Used Hardware

Courses