Wednesday, November 25, 2015

Fun with Zigbee Wireless - Part III (Software)

By Tony Lee

Introduction

In our previous ZigBee articles, we covered ZigBee usage, history, and one hardware option:
History:  http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-i.html
Hardware: http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-ii.html


This time, let's explore some software options.  There are both free and commercial options available.  For this series, we focused on free options (although some require email registration).  The following options are explored in this article:
  • Atmel AVR Tools - Free with email registration
  • Luxoft BitCatcher ZigBee Network Analyzer Tool - Free with email registration
  • Killerbee - Free on Github

Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

Atmel AVR Tools

This software is offered for free (http://www.atmel.com/tools/RZUSBSTICK.aspx) with email registration from the same maker as our RZUSBSTICK hardware.  It runs on Windows, including a Windows 7 virtual machine, which is what our environment used.  Best of all, AVR Tools works with the stock firmware, so there is no need to flash the RZUSBSTICK.  Included in the download are the following:

  • Windows drivers
  • rfservicesserver.exe - Command line tool that creates a socket
  • AVR Wireless Services - GUI that connects to the socket created by rfservicesserver
The component architecture is shown below:

RF Services Server creates the bridge between the RZUSBSTICK hardware and the software to which the user interacts.  AVR Wireless Services Suite provides the UI for human interaction.



The screenshot above shows the software download on the left, rfservicesserver running in the command prompt on the top right, and AVR Wireless Services GUI running in the bottom right.  AVR Wireless Services provides packet history, a graphical node display, and a packet drill down feature similar to Wireshark.  Of course Atmel offers more capable software at a price, but this is not too bad of a start for a free offering.

Luxoft BitCatcher ZigBee Network Analyzer Tool

Luxoft offers a tool called BitCatcher (http://www.luxoft.com/embedded-systems-development/bitcatcher/) which is also free with email registration.  This tool runs on Windows (binary) and Linux (Java app).  The biggest downside is that it requires custom firmware to be loaded onto the RZUSBSTICK via a flash upgrade (we will discuss this in a later article).  The flash upgrade changes the USB hardware ID, which allows a custom driver to expose the stick as a virtual COM port; BitCatcher then uses that COM port to interact with the hardware.

Our setup process was the following:

  • Flashed in Linux with avrdude (we will demo this in a later article)
  • Ran the BitCatcher Sniffer tool in a Windows 7 VM
    • Loaded the "Sniffer" driver
    • Added the device, connected the device, started the sniffing


The software download is shown on the left and the BitCatcher software is shown on the right.  There is a packet timeline and drilldown functionality similar to Wireshark, but with less detail.

Killerbee

The last software we will mention is the Killerbee framework from Josh Wright and River Loop Security.  Killerbee is a free download from GitHub, found at https://github.com/riverloopsec/killerbee.  Some tools work with the default Atmel firmware, while others require the Killerbee firmware.

The tools that work with the default firmware:

• zbid - List available devices
• zbfind - GUI for ZigBee location tracking - Never got this working
• zbopenear - ZigBee/802.15.4 many-channel listener (needs one RZUSBSTICK per channel)
• zbwireshark - Sends sniffed ZigBee packets to Wireshark via a named pipe
• zbdump - tcpdump clone (libpcap or commercial Daintree SNA format)
• zbconvert - Convert capture file formats (libpcap -> Daintree)
• zbdsniff - Scans capture files for ZigBee encryption keys (takes a capture file)
• zbgoodfind - Searches a binary file to identify the encryption key for an encrypted packet

The tools that require the Killerbee firmware:

• zbreplay - Replay network traffic from libpcap or Daintree files
• zbscapy - Scapy for ZigBee
• zbkey - Attempts to retrieve a key by fake association and request/response
• zbassocflood - Transmit a flood of associate requests to a target network

Killerbee comes pre-installed with most Kali distributions; however, your success may vary.  Here was our out-of-the-box experience:

Kali 1.1:

Exception: Unable to open device.  Ensure the device is free and plugged-in.

Kali 2.0:

usb.core.USBError: [Errno 110] Operation timed out

The moral of the story here is that just because the tools are pre-installed does not mean they will work.

The GitHub page recommends installing the latest version of the software anyway.  These are the steps we used on a Kali 2.0 installation:


Setup:

mkdir tools; cd tools
git clone https://github.com/riverloopsec/killerbee.git
apt-get install libgcrypt-dev      # build dependency for the Killerbee install
cd killerbee
python setup.py install

# Remove the copy that shipped with Kali, then install again so the fresh
# checkout is the one Python loads:
sudo rm -rf /usr/lib/pymodules/python2.7/killerbee
python setup.py install

Conclusion

This article outlined the software we will use to examine the 2.4 GHz ZigBee frequency range.  We are very appreciative of those who released free software--Atmel, Luxoft, Josh Wright and River Loop Security.  Here are some general observations:

• Atmel - Worked well and with default firmware
• Luxoft - Worked well after the firmware upgrade and driver install
• Killerbee - Most capable and diverse tool set by far, but had some minor issues:
  • Some tools don't work well - but hey, they are free.
  • Most tools don't terminate well
  • Thus, after running a tool, it may be necessary to reseat the card
    • Easiest reseat method is to virtually reseat the card via VMware/VirtualBox
    • If virtual reseat does not work, physical reseat will be necessary (hooray for USB stands)

The next article will cover some potential passive attacks.

Sunday, November 22, 2015

Fun with Zigbee Wireless - Part II (Hardware)

By Tony Lee

Introduction

In our previous ZigBee article, we covered ZigBee usage and history:

This time, let's explore some hardware.  Keep in mind, though, that this is just one possible hardware platform that can be used.  The hardware will also vary depending on the frequency you are targeting.  As mentioned in our previous article, these are the applicable ZigBee frequencies:
• 2.4 GHz - Worldwide
• 915 MHz - US/AUS
• 868 MHz - Europe
• 784 MHz - China

For the rest of this article, we will be targeting the 2.4 GHz frequency range—thus our hardware will reflect this decision.

The overlap between the 2.4 GHz ZigBee channels and the 802.11 channels is shown below:


Figure 1: Source https://www.digi.com/wiki/developer/index.php/Channels,_Zigbee
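The overlap in Figure 1 can be worked out numerically.  The following is an added example (not code from the original article or from the Digi wiki) that assumes the standard channel plans: 802.15.4 channels 11-26 centred at 2405 + 5*(k-11) MHz and 2 MHz wide, and 802.11b/g channels 1-13 centred at 2412 + 5*(n-1) MHz (channel 14 at 2484 MHz), modelled as 22 MHz wide.  It reports which Wi-Fi channels each ZigBee channel collides with and which ZigBee channels stay clear of a given Wi-Fi deployment, which is useful both for choosing a sniffing channel and for explaining interference.

```python
# Added example, not from the original article: compute which 2.4 GHz
# 802.11 (Wi-Fi) channels overlap each 802.15.4/ZigBee channel, i.e. the
# overlap that Figure 1 shows graphically.
# Assumptions (standard channel plans, not values taken from the article):
#   802.15.4 channels 11..26 are centred at 2405 + 5*(k-11) MHz, 2 MHz wide;
#   802.11b/g channels 1..13 are centred at 2412 + 5*(n-1) MHz (14 at 2484 MHz)
#   and are modelled as 22 MHz wide.

ZIGBEE_HALF_WIDTH_MHZ = 1    # 2 MHz channel
WIFI_HALF_WIDTH_MHZ = 11     # 22 MHz channel

def zigbee_center_mhz(channel):
    """Centre frequency (MHz) of an 802.15.4 2.4 GHz channel, 11..26."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are 11..26")
    return 2405 + 5 * (channel - 11)

def wifi_center_mhz(channel):
    """Centre frequency (MHz) of an 802.11 2.4 GHz channel, 1..14."""
    if channel == 14:
        return 2484           # Japan-only channel, sits off the 5 MHz grid
    if not 1 <= channel <= 13:
        raise ValueError("802.11 2.4 GHz channels are 1..14")
    return 2412 + 5 * (channel - 1)

def overlapping_wifi_channels(zb_channel):
    """802.11 channels whose 22 MHz footprint overlaps the given ZigBee channel."""
    zb = zigbee_center_mhz(zb_channel)
    zb_lo, zb_hi = zb - ZIGBEE_HALF_WIDTH_MHZ, zb + ZIGBEE_HALF_WIDTH_MHZ
    hits = []
    for wc in range(1, 15):
        wf = wifi_center_mhz(wc)
        wf_lo, wf_hi = wf - WIFI_HALF_WIDTH_MHZ, wf + WIFI_HALF_WIDTH_MHZ
        if wf_lo < zb_hi and zb_lo < wf_hi:   # open-interval overlap test
            hits.append(wc)
    return hits

def quiet_zigbee_channels(active_wifi_channels):
    """ZigBee channels clear of every listed Wi-Fi channel (e.g. the usual 1, 6, 11)."""
    active = set(active_wifi_channels)
    return [c for c in range(11, 27)
            if not active.intersection(overlapping_wifi_channels(c))]

if __name__ == "__main__":
    for c in range(11, 27):
        print("ZigBee %d @ %d MHz overlaps Wi-Fi %s"
              % (c, zigbee_center_mhz(c), overlapping_wifi_channels(c)))
    print("clear of Wi-Fi 1/6/11:", quiet_zigbee_channels([1, 6, 11]))
```

With the common Wi-Fi layout of channels 1, 6 and 11, only ZigBee channels 15, 20, 25 and 26 come out as non-overlapping, which matches the gaps visible in Figure 1.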


Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

Hardware

Our test environment consists of an unnamed home automation system and a ZigBee power outlet.  This really could have been any ZigBee device, and they range from thermostats to light bulbs to deadbolts.

The attack hardware consists of the following:


The only component used for actual attacks in the list above is the Atmel RZUSBSTICK.  We included two RZUSBSTICKs so we could launch the attack with one stick and monitor with the other.  The rest of the components below the first line item are used in the firmware flashing process.  Unfortunately much of the available software requires custom firmware—hence the AVR Dragon and other components.

The hardware list provided is the bare minimum to complete the activities outlined in this series; however, there is one "nice to have" item that may save you a little frustration:  a USB extension/stand (one per RZUSBSTICK).  The reason is that some of the software is unstable, so there will be times when you will need to reseat the RZUSBSTICK.  Most of the time this can be done virtually via VMware or VirtualBox; however, there may be times when this must be done physically.  Since the RZUSBSTICKs are fragile, these stands will help prevent you from handling the PCB itself.  Instead you can disconnect the stand from the PC and have the same effect.  These stands run about $3.22 on Amazon and are well worth the price.



Attack Environment

Both Ubuntu 14.04.3 and Kali Linux (versions 1.1 and 2.0) detect the RZUSBSTICK and load the appropriate drivers.  Both VirtualBox and VMware were used to virtualize Ubuntu and Kali.  Out of all of the combinations, it appears that Kali 2.0 running on VirtualBox was the most reliable environment.  The new device shows up in lsusb as ID 03eb:210a (Atmel Corp.):

Before:

root@kali:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

After:

root@kali:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 005: ID 03eb:210a Atmel Corp.
Bus 002 Device 004: ID 0e0f:0008 VMware, Inc.
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Conclusion

This article outlined the hardware we will use to examine the 2.4 GHz ZigBee frequency range.  The next article will cover software options that are available for the Atmel RZUSBSTICK.  Keep in mind this is just one possible hardware platform.  We would love to hear about experiences with other gear as well.  Feel free to leave comments in the section below.

Sunday, November 15, 2015

Fun with ZigBee Wireless - Part I (Background)

By Tony Lee

Introduction

In our previous articles, we have covered quite a bit of 802.11 hacking:

This time, let's explore a different wireless medium: ZigBee! In this series we will look at the following:
• Why Zigbee matters
• Background/history
• Hardware
• Software
• Passive attacks
• Firmware upgrades
• Active attacks

A good deal of research has already been completed -- so we give a head nod to all that have pioneered this space. But there truly is nothing like trying it yourself. A warning to the weary:  The documentation at times is lacking (unless source code counts). But hopefully this series will give you some key tidbits that will help you on your way to getting up and running faster.

Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

Why ZigBee matters

The primary reason why ZigBee matters is that it lets you control the physical environment through a wireless medium. This mostly applies to embedded device applications -- such as home automation/Internet of Things (IoT) -- but it can also apply to more sensitive applications such as SCADA equipment.

Here are some categories and examples of how ZigBee is used in the world around you:
• Sensors: Temperature, humidity, water
• Control: Lighting, HVAC, appliances, power
• SCADA specific: Smart meters/water/gas


Figure 1:  The Zen Thermostat is an example of a ZigBee capable device


Figure 2:  Diagram of ZigBee Alliance smart meters


The most interesting thing about wireless technologies is that vendors are usually very proud to announce details of their usage--to the extent that they even include the protocols, protection, and chosen frequency.

Quick Background

ZigBee is an IEEE 802.15.4-based specification designed to create Personal Area Networks (PANs). This PAN differs from others such as Bluetooth because it is designed to be simpler and cheaper. ZigBee is also designed to have lower power consumption. In fact, the battery must last at least 2 years in order to meet ZigBee certification standards. However, many of the home automation devices seem to have 5+ year battery life. The transmission distance is anywhere from 10-100 meters (or more if you consider the built-in mesh support).

Brief History

ZigBee has been around for quite some time.  In fact, over a decade.  The following three bullets summarize the major advancements.  For more information, visit the ZigBee wiki page found here:  https://en.wikipedia.org/wiki/ZigBee
• 2004:  IEEE 802.15.4 ratified
• Zigbee-2006:  added encryption support
• Zigbee-2007 Zigbee-PRO:  Compatible with 2006, "Trust center" security model, etc.

Frequencies

The first ZigBee frequency consideration largely depends on geographic location.  Aside from location, the application (based on signal propagation) can help determine the chosen frequency.  For example, much of the home automation/IoT space uses the 2.4 GHz range, and some outdoor applications tend to use the 915 MHz range.  Geographically, the frequencies are assigned as follows:
• 2.4 GHz - Worldwide
• 915 MHz - US/AUS
• 868 MHz - Europe
• 784 MHz - China

Encryption

ZigBee uses 128-bit AES encryption.  Two keys are used for communication.  A network key is shared by everyone and used for broadcast traffic, while a link key is unique to each pair of devices.  Both network and link keys are established through a Master key—thus key distribution is critical to security.

Attack Goals

When looking at this space from a security perspective, it is important to establish the attack goals.  Here are just a few possible goals along with examples:
• Read sensitive data
  • Ex:  Proprietary data, processes, etc.
• Inject incorrect information
  • Ex:  Report false information
• Replay commands
  • Ex:  Increase, decrease
• Denial of service
  • Ex:  Stop reporting data
• Leverage connected networks
  • Ex:  Breach an internal network using ZigBee

Conclusion

This article outlined why we are examining ZigBee and provided some background, including usage, history, frequency ranges, and encryption.  The next article will cover one of the many hardware options.