802.15.4/ZigBee Security Tools

Activity Leads: 
Industry Collaborators: 

Radiant Machines
River Loop Security
Travis Goodspeed
Joshua Wright
... and other contributors

Research Summary: 

Mission-critical services and infrastructure, such as the power grid, are increasingly dependent upon digital radio communications protocols to facilitate monitoring, control, and automation. IEEE 802.15.4/ZigBee is one of the most popular such protocols, together with proprietary protocols such as Z-Wave that build upon the IEEE 802.15.4 standard. Unlike wired networks, where an attacker needs physical access to a network to inject crafted traffic into it, wireless networks may allow attackers to inject traffic remotely, given a powerful enough transmitter and antenna. Administrators of control networks using these digital radio protocols must therefore be able to easily observe the radio footprint of their networks, understand the view they expose to would-be attackers of various levels of sophistication, and explore how their network and control system assets respond to crafted and/or malformed digital radio traffic. Operators and owners need cheap and simple-to-operate tools for such self-assessment; exposed and brittle networks must be fixed and protected.

The APImote digital radio peripheral we developed offers this capability to asset owners and network administrators, together with simple tools to configure their wireless peripherals, observe their communications, and explore the responses of their control systems, using nothing more than a regular laptop with a USB port to which the APImote peripheral is connected. In addition to producing this digital radio peripheral and utilities for the passive mapping of 802.15.4/ZigBee digital radio deployments and assets, such as smart meter networks and building energy management systems, we developed several new techniques for active fingerprinting. Active fingerprinting identifies digital radio devices by exercising the unique characteristics that their analog circuitry and firmware implementations introduce into their responses to crafted traffic.

Active fingerprinting allows us to observe network responses to malformed traffic, identify trusted nodes, and explore potential vulnerabilities in both the PHY layer and firmware implementations. It also reveals and pre-empts a number of possible WIDS (wireless intrusion detection system) bypasses that we discovered and documented. Active fingerprinting is both faster and more accurate than the traditional passive techniques currently used in self-assessments. The low-cost APImote hardware, based on commodity components, was designed and developed in partnership with River Loop Security, a startup security company founded by Dartmouth alumni. Further, a Python framework codenamed Isotope was developed to facilitate the active fingerprinting of multiple commodity IEEE 802.15.4/ZigBee-compliant network radio devices. The hardware has been made available to power companies operating IEEE 802.15.4 assets and to security researchers working in digital radio security. The prototype devices and our results have been presented at several security industry conferences and at three academic conferences in wireless security.
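The passive mapping the summary describes starts with decoding the MAC header of every captured frame. The following is an added example, not APImote or Isotope code: it parses the 802.15.4 Frame Control Field and addressing fields, builds a per-PAN node inventory, notes which data frames were sent without MAC-layer security, and refuses to index past the end of truncated frames. The frame bytes, PAN ID 0x1a2b and node addresses are constructed; frames are assumed to have the FCS already stripped and to use frame version 0 or 1.

```python
# Added example, not APImote/Isotope code: passive 802.15.4 MAC-header inventory (frames assumed FCS-stripped, version 0/1).
from collections import defaultdict

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length; mode 1 is reserved

def parse_mac_header(frame):
    """Decode the MAC header; return None if the frame is shorter than its FCF claims."""
    fcf = int.from_bytes(frame[:2], "little")
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if dst_mode == 1 or src_mode == 1:
        return None
    compress = bool(fcf & 0x40)  # PAN ID compression: source PAN ID omitted, equals dest
    dst_len = (2 + ADDR_LEN[dst_mode]) if dst_mode else 0
    src_pan_len = 0 if (compress or not src_mode) else 2
    if len(frame) < 3 + dst_len + src_pan_len + ADDR_LEN[src_mode]:
        return None  # truncated or malformed: never index past the end
    hdr = {"type": FRAME_TYPES[fcf & 7], "security": bool(fcf & 0x08), "seq": frame[2],
           "dst_pan": None, "dst": None, "src_pan": None, "src": None}
    pos = 3
    if dst_mode:
        hdr["dst_pan"] = int.from_bytes(frame[pos:pos + 2], "little")
        hdr["dst"] = int.from_bytes(frame[pos + 2:pos + dst_len], "little")
        pos += dst_len
    if src_mode:
        hdr["src_pan"] = hdr["dst_pan"] if compress else int.from_bytes(frame[pos:pos + 2], "little")
        pos += src_pan_len
        hdr["src"] = int.from_bytes(frame[pos:pos + ADDR_LEN[src_mode]], "little")
    return hdr

def build_inventory(frames):
    """Count frames per (PAN ID, source); flag data frames sent without MAC security."""
    nodes = defaultdict(lambda: {"frames": 0, "unsecured_data": 0})
    malformed = 0
    for hdr in map(parse_mac_header, frames):
        if hdr is None:
            malformed += 1
        elif hdr["src"] is not None:  # acks carry no addresses and cannot be attributed
            entry = nodes[(hdr["src_pan"], hdr["src"])]
            entry["frames"] += 1
            entry["unsecured_data"] += int(hdr["type"] == "data" and not hdr["security"])
    return dict(nodes), malformed

SAMPLE_FRAMES = [  # constructed frames, not captured traffic
    bytes.fromhex("69882a2b1a0000123f4802"),  # secured data, node 0x3f12 -> coordinator
    bytes.fromhex("41882b2b1a0000014c4802"),  # unsecured data, node 0x4c01 -> coordinator
    bytes.fromhex("0080102b1a0000ffcf00"),  # beacon from coordinator 0x0000 in PAN 0x1a2b
    bytes.fromhex("02002a"),  # acknowledgement: no addressing fields at all
    bytes.fromhex("69882c2b1a00"),  # truncated: FCF promises addresses that are absent
]
```

Running `build_inventory(SAMPLE_FRAMES)` yields one entry per node in PAN 0x1a2b, with node 0x4c01 flagged for an unsecured data frame and the truncated frame counted as malformed rather than crashing the parser.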

Research Demo:

ZigBee Tools - Observing Home Area Networks: Presented by Ira Jenkins, Dartmouth College, at the TCIPG Industry Workshop in November 2014.

More Information: