ZigBee Replay

From Embedded Lab Vienna for IoT & Security
Revision as of 09:21, 7 March 2019 by Lstrobl

Summary

After successfully sniffing the Network Key of a ZigBee network, as described in ZigBee Sniffing, the next step is to conduct a replay attack by resending the decrypted on/off commands with adjusted counters.

Requirements

Authors

  • Daniel Tod
  • Luca Strobl

Results

  • zbreplay does not work because of the counter checks
  • Python script to log the latest counters and create a packet with updated counters
    • Data is misinterpreted and therefore the FCS and MIC are wrong
    • The packet is not constructed
  • Documentation of the conducted project and source code of the Python script

The authors suppose that the misinterpretation of data results from the limited hardware capacities of the Atmel RZ Raven USB stick. The solution would be a Software Defined Radio (SDR). The scapy drivers were written only for the Ettus USRP, but the authors were not provided with this SDR.
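The two checks a ZigBee receiver applies before it accepts a resent frame, shown as an added Python example that is not part of the project's script: the IEEE 802.15.4 FCS over the MAC frame, and the per-source security frame counter, which must exceed the last accepted value. The frame bytes and the already-extracted source address and counter are constructed inputs; decoding them from a capture is assumed to be done by the sniffing step.

```python
import struct

def fcs16(data: bytes) -> int:
    """IEEE 802.15.4 FCS: CRC-16 with polynomial x^16 + x^12 + x^5 + 1,
    processed LSB-first (reflected form 0x8408), initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def with_fcs(body: bytes) -> bytes:
    """Append the FCS as the trailing two bytes, little-endian, as 802.15.4 does."""
    return body + struct.pack("<H", fcs16(body))

def fcs_ok(mpdu: bytes) -> bool:
    """A receiver recomputes the CRC over everything except the trailing FCS."""
    if len(mpdu) < 3:
        return False
    (fcs,) = struct.unpack("<H", mpdu[-2:])
    return fcs16(mpdu[:-2]) == fcs

class ReplayGuard:
    """Per-source incoming frame counter state, as a ZigBee receiver keeps it for
    the 32-bit frame counter carried in the NWK auxiliary security header."""

    def __init__(self):
        self.last_counter = {}  # source address -> last accepted frame counter

    def check(self, src: int, counter: int, mpdu: bytes) -> str:
        if not fcs_ok(mpdu):
            return "bad-fcs"    # radio corruption or a mis-built frame
        if counter <= self.last_counter.get(src, -1):
            return "replay"     # same or older counter: a verbatim resend
        # A resend with a bumped counter passes this test; the MIC, computed with
        # the network key over the counter and the payload, is what rejects it
        # next. That step needs AES-CCM* and is left out here.
        self.last_counter[src] = counter
        return "ok"

if __name__ == "__main__":
    guard = ReplayGuard()
    # Constructed MAC frame bytes (not a real capture), FCS appended.
    frame = with_fcs(bytes.fromhex("418801cdab0000000000"))
    print(guard.check(src=0xABCD, counter=10, mpdu=frame))   # ok
    print(guard.check(src=0xABCD, counter=10, mpdu=frame))   # replay
    print(guard.check(src=0xABCD, counter=9, mpdu=frame))    # replay
    tampered = frame[:-3] + b"\xff" + frame[-2:]
    print(guard.check(src=0xABCD, counter=11, mpdu=tampered))  # bad-fcs
```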

Used Hardware

Courses