IoT devices: The good, the bad and the ugly

Cognosec has revealed critical security flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices today.

Speaking at Black Hat USA 2015 in Las Vegas NV, researchers outlined the main security risks in ZigBee implementations, the devices affected and provided practical exploitations of actual product vulnerabilities.

Most commonly found in smart homes, the ZigBee standard was created to enable secure wireless communication for IoT devices. However, low per-unit-costs, interoperability and compatibility requirements, as well as the application of legacy security concepts, has led to the persistence of known security risks.

Having conducted numerous real world assessments on identified vulnerabilities, Cognosec discovered that it is possible to compromise ZigBee networks and take over control of all connected devices on a network.

The practical security analysis of every device assessed showed that the solutions are designed for easy setup and usage but lack configuration possibilities for security and perform a vulnerable device pairing procedure that allows external parties to sniff the exchanged network key. This represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.

Tests with light bulbs, motion sensors, temperature sensors and even door locks have also shown that the vendors of the tested devices implemented the minimum of the features required to be certified. No other options to raise the level of security were implemented and available to the end-user.

One use case highlighted in the whitepaper and presentation was of external parties able to gain control over home automation systems, which have high privacy requirements and are a huge source of personalized data. The key to communicating between devices on a ZigBee network is the usage of application profiles.

A ZigBee home automation profile permits a series of device types to exchange control messages to form a wireless home automation application. These devices are designed to exchange well-known messages to effect control, such as turning a lamp on or off, sending a light sensor measurement to a lighting controller, or sending an alert message if an occupancy sensor detects movement.

If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile. However, the use of a default link key introduces a high risk to the secrecy of the network key.

Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialization and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.

“The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers,” said Tobias Zillner at Cognosec. “Companies want to create the latest and greatest products, which today means they are likely to be internet connected. Simple units such as light switches have to be compatible with a whole host of other devices and, unsurprisingly, little consideration is made to security requirements – most likely to keep costs down. Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high.”

During DEF CON, Tobias Zillner, Senior IS Auditor at Cognosec demonstrated SecBee, a ZigBee security testing tool. Currently it supports command injection, scan for enabled join, sniff network keys in plaintext and encrypted with the ZigBee default key and a return to factory device reset.