valid packets and prevents them from being decoded at their destination. [11, 12] A denial-of-service attack can also be used to keep individual sensor devices awake by sending a signal that results in a huge number of retransmitted packets. This drains the battery of the Zigbee module and can be used to disable the device. [9] The second and most overlooked attack is a physical attack on the Zigbee device itself. Zigbee devices are not very secure: they often store the network key information in plain text, without encryption or password protection. Simple AT commands can often be used to retrieve this information if the device is physically accessible. All Zigbee devices in the network have access to the encryption keys so that packets can be encoded and decoded. As a result, an attacker only needs to find the weakest link in the network and exploit it to gain access to the key information. Zigbee devices are often spread out or placed in remote locations, which makes them an easy target for a potential attacker. [11, 12] The third attack method is key sniffing.
Although the Zigbee protocol implements the Advanced Encryption Standard (AES), the initial key exchange is not protected against sniffing. The network keys are often exchanged in plain text or are encoded using the default factory key. Consequently, if an attacker were to sniff the initial exchange of packets, that attacker would gain access to the network keys and the entire network. The difficulty with this type of attack is that the key exchange only occurs when a new node registers with the network; after this initial exchange, all packets are encoded. The trick for these types of attacks is forcing the network to enter an initialization state. This can be accomplished by creating RF interference that results in dropped packets. After a certain number of dropped packets, a wireless node will think that it has lost its connection to the network and will try to reconnect. When this occurs, the network key can be sniffed. These types of attacks have been carried out by a large number of security researchers [6, 7, 8, 9, 10].
The final attack method consists of routing attacks. These types of attacks spoof, sniff, alter, redirect, forward, and confuse the routing paths of Zigbee networks. The upside is that all of these attacks require access to the network: the network must either be unencrypted, or the network key must have been obtained by attack methods two or three above. The easiest way to carry out these types of attacks is to inject spoofed data into the network. This data can confuse the network by generating unnecessary loops, dropping valid traffic, and creating invalid routes. This can cause havoc or allow the attacker to manipulate the network. Selective forwarding, Sybil, wormhole, and hello flood attacks are some of the attacks that can be used on a Zigbee network. In selective forwarding, the attacker adds itself to the routing path and selects which packets it will forward or drop. The Sybil attack creates confusion within the network by sending packets with multiple identities into the network. The wormhole attack creates a tunnel between two points in the network: packets at one point can be sniffed and then injected into the network at another location. In hello flood attacks, the attacker broadcasts hello messages with a high-power transmitter so that many nodes think they are neighbors of the attacking node. [13]
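As an added defender-side illustration (not from the paper or any Zigbee stack), the following Python flags two of the symptoms described above in a constructed coordinator log: a burst of network-key transports to rejoining nodes, as produced by the interference-forced rejoin, and a single address that implausibly many nodes report as a neighbor, as in a hello flood. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed coordinator event log (not a real capture): "seconds event node [peer]".
SAMPLE_LOG = """\
1 KEY_TRANSPORT 0x1a2b
2 KEY_TRANSPORT 0x3c4d
3 KEY_TRANSPORT 0x5e6f
4 KEY_TRANSPORT 0x7081
5 LINK_STATUS 0x1111 0xbeef
5 LINK_STATUS 0x2222 0xbeef
5 LINK_STATUS 0x3333 0xbeef
5 LINK_STATUS 0x4444 0xbeef
5 LINK_STATUS 0x5555 0xbeef
"""

def parse_log(text):
    """Parse 'time event node [peer]' lines into tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        peer = parts[3] if len(parts) > 3 else None
        events.append((int(parts[0]), parts[1], parts[2], peer))
    return events

def rejoin_bursts(events, window=10, threshold=3):
    """Flag windows where >= threshold distinct nodes receive a fresh network key:
    the symptom of an interference-forced rejoin once it exceeds normal churn."""
    recent, alerts = deque(), []
    for t, kind, node, _ in events:
        if kind != "KEY_TRANSPORT":
            continue
        recent.append((t, node))
        while t - recent[0][0] > window:  # drop entries outside the window
            recent.popleft()
        distinct = sorted({n for _, n in recent})
        if len(distinct) >= threshold:
            alerts.append((t, distinct))
    return alerts

def hello_flood_candidates(events, max_neighbors=4):
    """Flag an address reported as a neighbor by more than max_neighbors nodes.
    Tune per deployment: a legitimate router is also a neighbor of many nodes."""
    seen_by = defaultdict(set)
    for _, kind, node, peer in events:
        if kind == "LINK_STATUS" and peer:
            seen_by[peer].add(node)
    return {p: len(s) for p, s in seen_by.items() if len(s) > max_neighbors}
```

Thresholds should be set from a baseline of the deployment's normal rejoin rate and neighbor counts; a burst of key transports is also the moment a key-sniffing attempt would succeed, so it is worth alerting on even when the cause turns out to be benign interference.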