ZigBee Security Research
ZigBee Security Research
Philipp Morgner, Stephan Mattejat, Zinaida Benenson (Friedrich-Alexander-Universität Erlangen-Nürnberg) in cooperation with Christian Müller and Frederik Armknecht (University of Mannheim).
Hundred millions of Internet of Things devices implement ZigBee, a low-power mesh network standard, and the number is expected to be growing. To facilitate an easy integration of new devices into a ZigBee network, touchlink commissioning was developed. It was adopted in the latest specification, ZigBee 3.0, released to the public in December 2016, as one of two commissioning options for ZigBee devices. ZigBee 3.0 products can be used in various applications, also including security-critical products such as door locks and intruder alarm systems. We analyzed the security of touchlink commissioning procedure and presented novel attacks that make direct use of standard’s features, showing that this commissioning procedure is insecure by design. We released an open-source penetration testing framework [3] to evaluate the practical implications of these vulnerabilities. Evaluating our tools on popular ZigBee-certified products, we demonstrate that a passive eavesdropper can extract key material from a distance of 130 meters. Furthermore, an active attacker is able to exploit legitimate touchlink features to trigger the identify action, reset to factory-new, change the wireless channel, and to join a touchlink-enabled device to another or non-existing network. All these active attacks have been successfully executed from distances between 15 and 190 meters, depending on the product. Our analysis concludes that even a single touchlink-enabled device is sufficient to compromise the security of a ZigBee 3.0 network, and therefore, touchlink commissioning should not be supported in any future ZigBee products.
Our Publications
We published a preliminary technical report [1] in 2016, and presented a peer-reviewed paper [2] at WiSec’17. Also, we released the open-source penetration testing framework Z3sec on Github [3].
[1] Philipp Morgner, Stephan Mattejat, Zinaida Benenson. All Your Bulbs Are Belong to Us: Investigating the Current State of Security in Connected Lighting Systems. Technical Report, CoRR abs/1608.03732 (2016) [Download]
[2] Philipp Morgner, Stephan Mattejat, Zinaida Benenson, Christian Müller, Frederik Armknecht. Insecure to the Touch: Attacking ZigBee 3.0 via Touchlink Commissioning. In Proceedings of WiSec’17, Boston, MA, USA, July 18-20, 2017, 11 pages. [Download]
[3] https://github.com/IoTsec/Z3sec
Related Research by Other Groups
[4] Eyal Ronen, Colin O’Flynn, Adi Shamir, Achi-Or Weingarten. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In IEEE Symposium on Security and Privacy, S&P 2017. [Download]
Response of ZigBee Alliance
We had open and forthcoming discussions with representatives of the ZigBee Alliance about the security of the touchlink commissioning procedure. In the following, we present the comment of the ZigBee Alliance regarding the findings published in the technical report [1]:
| ZLL, with TouchLink as its main feature, was development from 2010-2012. Its main goal was to reduce the complexity of commissioning ZigBee-PRO devices, enabling over-the-counter ZigBee products for the average consumers wanting to create a colorful ambiance in the home. Being a security researcher, you understand that there is always a trade-of between the user-experience and security. The fact that light bulbs (and also most luminaries) lack the possibility of a user interface (e.g. a simple button), gives additional constrains in balancing user-experience and security.
At the same time as the ZLL Standard was developed, the penetration of Smartphones sky-rocketed. The combination of a Smartphone and the TCP/IP to ZigBee technology within Bridges also proved to overcome the complexity of commissioning a ZigBee-PRO network for average consumers. However, ZLL proved its relevancy as it offered a simple entry-level system with the ability to migrate to a bridge based system where the number of devices in the network can grow significantly. Meanwhile it became clear to our members that the vulnerabilities of the TouchLink feature could jeopardize such systems. This knowledge and experience was taken into account during the development of ZigBee 3.0, in which TouchLink is an optional feature. Although the TouchLink procedures themselves are have not changed, more attention is paid to the enabling / disabling of the TouchLink feature under application control. For example, a ZigBee 3.0 light may only accept TouchLink commands within a certain amount of time (e.g., a few minutes) after power-up. This approach significantly shortens the window of vulnerability in our opinion. |
We comment that although this restriction limits the vulnerability time frame, the users can be motivated by social engineering techniques to power up devices at predictable times. For example, jamming of ZigBee communication may motivate the consumers to disconnect a device from the power source and power it up again. Furthermore, the recommendation of putting touchlink commissioning under application control is not included in the specifications and so, it is not quite clear how the manufacturers should become aware of this.
Evaluated Products
During our research, we investigated ZigBee-certified products by GE, IKEA, Philips, and Osram. All these products implement the ZigBee Light Link standard with touchlink as a mandatory commissioning mode.
Philips Hue products
In 2012, Philips introduced Hue, which is considered the most popular connected lighting system for homes today. Philips Hue has an open API for developers to build third-party applications.
With our attack setup, we were able to trigger attacks that exploit touchlink features from a distance of 36 meters (line-of-sight). We reported the results of our security analysis to Philips in August 2016. Philips responded to our report stating that touchlink is only used in products for home consumer use. The reported attacks are still possible as of today.
In October 2016, a bug in the touchlink proximity check was patched as a result of the research by Ronen et al. [4].
GE Link products
In 2014, GE Lighting entered the market with their connected lighting systems called Link, which supplies only white-color LED light bulbs focusing on the US market. All these lighting devices can be controlled via smartphones or tablets.
In the evaluation of our attacks, we were able to exploit touchlink features from a distance of 28 meters (line-of-sight). We reported these results to the GE PSIRT in August 2016.
In May 2017, we reported that the implementation bug in the touchlink proximity check also affects GE Link products. This bug allowed us to send valid touchlink commands to GE Link products from a distance of at least 190 meters (line-of-sight). Due to limitations of our testing location, we were not able to measure wider distances.
For both reports, we did not receive a response by GE, except a message that indicates that our reports have been received. We are not aware of any firmware updates that relate to our research.
Osram Lightify products
In 2014, Osram released their connected lighting systems called Lightify, which can be controlled via wall switches, mobile phones or tablets.
Using our experimental test setup, we were able to send touchlink commands to Osram Lightify products from a distance of 15 meters (line-of-sight). We reported these results to Osram in August 2016.
In May 2017, we reported to Osram that Lightify products are also vulnerable to the bug in the touchlink proximity check. Exploiting this bug, we were able to send touchlink commands to Osram Lightify products from a distance of at least 190 meters (line-of-sight). Due to limitations of our testing location, we were not able to measure wider distances.
Osram responded immediately and discussed strategies of mitigating these threats with us. A firmware update, which will be rolled out in July 2017, patches the bug in the proximity check and puts touchlink under application control. Then, touchlink is only activated on factory-new devices or if the user turns the device on and off in specific pattern.
IKEA Tradfri products
We tested IKEA Tradfri products as of March 2017.
In May 2017, we reported to IKEA that we were able to send touchlink commands to IKEA Tradfri products from a distance of 190 meters (line-of-sight). Due to limitations of our testing location, we were not able to measure wider distances.
Officials of IKEA responded to our report in May 2017 with following statement:
| Safety and security is of highest importance to IKEA. Like all our products, the IKEA smart lighting collection complies with all relevant regulatory requirements. To further secure our smart lighting products, we have chosen a closed platform solution, based on commonly used technologies on the market.
Since your research was conducted, we have launched the TRÅDFRI gateway and app, allowing us to send out TRÅDFRI software updates that we recommend our customers to install. Currently, the IKEA smart lighting products use the ZigBee touch link commissioning to set up and adjust lighting. IKEA has chosen to use ZigBee as part of our ambition to make smart home products easy to use. We are continuously evaluating and updating our solution for the smart home, making sure that it is affordable, easy to use and secure. We are aware of the issues raised in the report and we take them seriously. Most of them are related to the ZigBee standard, which we are continuously evaluating. The report also includes some issues that are not related to the standard and could potentially improve the susceptibility for attacks on touch link. We will look into these and if needed update the software in our products accordingly. |
Although the vendor states that IKEA Tradfri products are not affected by the bug in the proximity check (Transaction ID = 0), they confirmed that the misinterpretation of malformed/unexpected inter-PAN frames leads to the accpetance of inter-PAN commands without enforcing the proximity check.
As of July 2017, IKEA is working with the stack vendor on a patch.
Acknowledgement
This work is supported by the German Research Foundation (DFG) under Grant AR 671/3-1: WSNSec – Developing and Applying a Comprehensive Security Framework for Sensor Networks.
Last Update: July 04, 2017.