ZigBee in the Laboratory

Posted on 09/22/2016, by INCIBE

In the article “Security in ZigBee Communications” we described the characteristics of this protocol, the different elements that make up a network, and the different keys and the means of obtaining them. This article looks at the problems that a lack of authentication between devices and of encryption of communications can cause for a ZigBee network, and at how such a situation leaves the network vulnerable to attacks that might compromise its security.

The use of ZigBee networks made up of multiple distributed nodes is very common in industrial environments with wireless communication infrastructures, whether throughout the entire organisation or in specific but equally extensive spaces (industrial warehouses, along kilometres of pipes, etc.). This poses a great challenge for network security, and it is therefore important to know the type of threats that an organisation faces when using this technology for communication between its devices.

There are various situations in which, without the necessary protection, ZigBee networks would be jeopardised. Four of the scenarios that could have the biggest impact on an industrial network are highlighted below.

Denial of Service Attacks

In industrial environments, an attack with this aim can cause serious damage, since an interruption in communication can delay parameter readings or cause devices that are incapable of recovering from this type of problem to malfunction.

One possible scenario in which service can be denied is the incorporation of multiple phoney devices: an influx of frames that create false devices is directed at the coordinating element of the network until the maximum allowed by a ZigBee network is exceeded, which is set at a maximum of 65535 distributed nodes in subnetworks of 255 nodes. This scenario has been simulated in a laboratory in order to test the attack.

-Influx of frames in coordinator communications in order to simulate non-existing nodes-

Another way to provoke a denial of service would be to use jamming techniques, with which an attacker is able to block communication in order to force the mechanism for re-associating with the network. When nodes associate with a ZigBee network, they send their association request to the coordinator or to one of the routers, and the device that accepts the request becomes their parent node. If a node loses contact with its parent node, it must re-associate with the network and obtain a new parent. Re-association forces updates to the routes between different source and destination nodes, and the routes held in the routing tables of the routers are thereby affected.

Executing these attacks against specific routers at different times can provoke instability in the network's routers and, as a consequence, affect communication. This attack can also increase battery consumption on the attacked nodes.

-Example of denial of service through a node in a ZigBee network-

As a result of the attack, the network reorganises itself and incorporates devices that should not be admitted, which can confuse the coordinator and leave nodes acting as routers or end devices outside the network, without service. As a countermeasure, it is suggested that a list (WhiteList) of devices authorised on the network be used.

Given the size of the networks found in industrial environments, deploying countermeasures against denial of service is very complex.
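As an added example (not code from the INCIBE article or from any ZigBee stack), here is a coordinator-side admission check against the association flood described above: it enforces a list of authorised devices, the 255-node subnetwork and 65535-node network limits quoted above, and raises an alert when join requests are being rejected in bursts. The whitelist, addresses, subnet ids and timestamps are constructed sample values.

```python
# Added example, not part of the INCIBE article: coordinator-side admission control
# and burst detection for association requests. Addresses, subnet ids and times below
# are constructed sample values.
from collections import deque

MAX_SUBNET, MAX_NETWORK = 255, 65535   # limits quoted in the article

class Coordinator:
    def __init__(self, whitelist, alert_threshold=20, window=10.0):
        self.whitelist = set(whitelist)    # authorised extended (MAC) addresses
        self.subnets = {}                  # subnet id -> set of joined addresses
        self.rejected = deque()            # timestamps of rejected join requests
        self.threshold, self.window = alert_threshold, window
        self.alerts = []                   # (time, message) records for the operator

    def node_count(self):
        return sum(len(members) for members in self.subnets.values())

    def associate(self, ext_addr, subnet, now):
        """Handle one association request; True = admitted, False = rejected."""
        members = self.subnets.setdefault(subnet, set())
        if ext_addr in members:
            return True                    # re-association of an already known child
        if ext_addr not in self.whitelist:
            return self._reject(now, "address not in whitelist")
        if len(members) >= MAX_SUBNET or self.node_count() >= MAX_NETWORK:
            return self._reject(now, "network capacity exhausted")
        members.add(ext_addr)
        return True

    def _reject(self, now, reason):
        self.rejected.append(now)
        while self.rejected and now - self.rejected[0] > self.window:
            self.rejected.popleft()        # forget rejections outside the window
        if len(self.rejected) == self.threshold:
            self.alerts.append((now, f"{self.threshold} rejected joins within "
                                     f"{self.window}s (last reason: {reason})"))
        return False
```

A real coordinator would feed `associate` from its MAC-layer association indications and ship `alerts` to the plant's monitoring system.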


In ZigBee networks, knowing the MAC address of a victim node beforehand can make it possible to assume its identity. The aim of this attack can be to carry out a denial of service or to transmit data to third parties, even stealing data that is often sensitive for the organisation.

-Router spoofing attack-

An attacking node could send constant messages indicating that it holds the chosen address. This would oblige the coordinator or router to choose a new address and report it, forcing numerous broadcast messages to be sent. Repeating this attack successively could delay the connection of the node to the network, and could even prevent it from completing successfully.

A malicious node can also generate frames directed at false ZigBee addresses. When Cskip is used to assign addresses, which follows a tree scheme, the attacking node can send data to non-existent addresses, which will be forwarded towards non-existent branches of the address tree, causing routing problems and, as a consequence, the malfunction of the ZigBee network.

One feature of the ZigBee protocol that mitigates this type of situation is access control over network devices, maintaining a list of devices authorised on the network (WhiteList). The fact that the coordinator supplies the master key makes spoofing difficult (it would only be possible if the master key were known).
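The address-tree behaviour behind the Cskip paragraph above, as an added example that is not code from the article: it implements the Cskip address assignment and tree-routing rule of the ZigBee specification and shows how a router can detect and count frames whose next hop lies in a branch that no admitted device occupies (the router's neighbour table being its own record of authorised, joined children). The Cm/Rm/Lm parameters, addresses and neighbour table are constructed sample values.

```python
# Added example, not part of the INCIBE article: Cskip tree addressing and a
# router-side check for frames aimed at branches of the tree that do not exist.
# Cm, Rm, Lm and the neighbour table are constructed sample values.
from collections import Counter

Cm, Rm, Lm = 6, 4, 3   # max children, max router children, max depth (constructed)

def cskip(d):
    """Address block reserved for each router child of a device at depth d (ZigBee spec)."""
    if d >= Lm:
        return 0
    if Rm == 1:
        return 1 + Cm * (Lm - d - 1)
    return (1 + Cm - Rm - Cm * Rm ** (Lm - d - 1)) // (1 - Rm)

def child_addresses(addr, depth):
    """Addresses a router at (addr, depth) hands to its router and end-device children."""
    routers = [addr + 1 + n * cskip(depth) for n in range(Rm)]
    end_devs = [addr + 1 + Rm * cskip(depth) + n for n in range(Cm - Rm)]
    return routers, end_devs

def next_hop(addr, depth, parent, dest):
    """Tree-routing decision at a router (addr, depth) for a frame addressed to dest."""
    if dest == addr:
        return addr
    if depth == 0 or addr < dest < addr + cskip(depth - 1):   # dest is a descendant
        if dest > addr + Rm * cskip(depth):                   # an end-device child
            return dest
        return addr + 1 + ((dest - (addr + 1)) // cskip(depth)) * cskip(depth)
    return parent                                             # otherwise route upwards

class TreeRouter:
    """Drops frames whose next hop is not a joined neighbour and counts them per source."""
    def __init__(self, addr, depth, parent, neighbours):
        self.addr, self.depth, self.parent = addr, depth, parent
        self.neighbours = set(neighbours)   # parent plus children actually joined
        self.dropped = Counter()            # source -> frames sent into void branches

    def forward(self, src, dest):
        hop = next_hop(self.addr, self.depth, self.parent, dest)
        if hop not in self.neighbours:
            self.dropped[src] += 1          # a high count from one source is a red flag
            return None
        return hop
```

With the sample parameters the coordinator's router children are 1, 32, 63 and 94; a router at address 1 that has only children 2 and 9 joined will drop anything destined for the empty blocks 16..29.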

Listening on the network

The use of devices to listen in on this type of network in order to intercept the transmitted information, as has already been demonstrated with the tests carried out in the article “Security in ZigBee Communications”, could help an attacker in the information-gathering phase needed to carry out more advanced and targeted attacks.

-ZigBee network traffic sniffing-

Traffic sniffing can be prevented by using strong encryption algorithms. ZigBee allows AES encryption with 128-bit keys (the strongest of those defined in the IEEE 802.15.4 standard) using symmetric-key cryptography, and also allows periodic rotation of network keys, which adds an extra level of security and ensures that external devices cannot join the network.

Replay of data packets

Replaying data packets is another scenario to which ZigBee networks are exposed. It consists of capturing frames that are later re-injected, modified or not, with the aim of destabilising the network or the node that receives the information and that is only expecting one item of data.

-Replay of a current frame-

To avoid replayed frames, it is necessary to use the integrity feature of the ZigBee protocol, which checks and verifies frames to ensure they have not been substituted by others. The network controller checks these frames again, examining their value to see whether it is the expected one.
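The integrity-and-freshness check described above, as an added example that is not code from the article: each frame carries a 32-bit frame counter and a MIC, and the receiver keeps the last counter accepted from each source, so a re-injected frame is rejected even though its MIC is still valid, and a modified one fails the MIC. ZigBee computes the MIC with AES-CCM*; this example substitutes HMAC-SHA256 so it runs with the Python standard library, and the key, addresses and frames are constructed values.

```python
# Added example, not part of the INCIBE article: receiver-side replay protection with a
# per-source incoming frame counter plus an integrity check (MIC). HMAC-SHA256 stands
# in for ZigBee's AES-CCM* MIC; key, addresses and frames are constructed values.
import hashlib
import hmac
import struct

NETWORK_KEY = bytes(range(16))   # constructed 128-bit network key
MIC_LEN = 4                      # ZigBee MICs are 4, 8 or 16 bytes; 4 used here

def build_frame(key, src, counter, payload):
    """Sender: header (16-bit src addr, 32-bit frame counter) + payload + MIC over both."""
    header = struct.pack("<HI", src, counter)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic

class Receiver:
    """Tracks the highest frame counter accepted per source; rejects stale or forged frames."""
    def __init__(self, key):
        self.key = key
        self.counters = {}        # src -> last accepted incoming frame counter
        self.rejected = []        # (src, counter, reason) log for the operator

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, otherwise None."""
        if len(frame) < 6 + MIC_LEN:
            return None
        src, counter = struct.unpack("<HI", frame[:6])
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):      # modified or forged frame
            self.rejected.append((src, counter, "bad MIC"))
            return None
        if counter <= self.counters.get(src, -1):        # replay of an already seen frame
            self.rejected.append((src, counter, "replay"))
            return None
        self.counters[src] = counter
        return body[6:]

    def rotate_key(self, new_key):
        """Periodic network-key rotation: counters are per key, so they start afresh."""
        self.key, self.counters = new_key, {}
```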

Attacks vs. Countermeasures

After carrying out the tests, it is possible to appreciate how far a good ZigBee network configuration goes when all of its security options are used correctly. In addition to the measures that can be incorporated into the network itself, it is important to control the physical aspects of the devices in order to prevent potential attackers from physically manipulating the nodes, given the possible exposure of the ZigBee network in an industrial environment.