Security in IEEE 802.15.4/zigbee
Kiana soleimany
Kiana_soleimany@yahoo.com
Abstract
2. Zigbee (IEEE 802.15.4)
In 2000 two standards groups, ZigBee alliance,
a HomeRF spinoff, and IEEE 802 Working
Group 15, combined efforts to address the
need for low-power low-cost wireless
networking in the residential and industrial
environments[5], they named it Zigbee.
ZigBee is a developing low-power wireless
technology being utilized for applications
which require a simple protocol stack, low
data rate and long battery life. ZigBee has
ZigBee is a low-rate wireless personal
area network (LR-WPAN) standard, which
is
developing
low-power
wireless
technology being utilized for applications
which require a simple protocol stack, low
data rate and long battery life[6]. ZigBee
is based on the IEEE 802.15.4
specification. This standard is suitable for
communication
between
electrical
appliances, security systems, lighting
controls and Heating, Ventilating, and Air
Conditioning (HVAC) systems and one of
the largest application is home automation
and networking. In this article, we
consider the networks compliant with the
recent IEEE 802.15.4 standard and
describe a number of possible attacks .
already been deployed for a variety of
applications from smart thermostat
communication to hospital patient
monitoring systems.
ZigBee is based on the IEEE 802.15.4
specification [1] and supports data rates up
to 250 Kbps. This is considerably lower
than Bluetooth which supports data rates
of 3 Mbps and Wi-Fi which is now
capable of data rates in excess of 54 Mbps.
However, ZigBee can be implemented in
only 120 KB of memory and is capable of
operating on embedded, battery-powered
devices for years as opposed to days or
hours as can typically be expected from
Bluetooth or Wi-Fi enabled portable
devices. These attributes make ZigBee
appealing for applications which do not
require high data rates.
Keywords:
IEEE 802.15.4 , Security
1. Wireless Personal Area Network :
The wireless technology is an important
element to provide low-cost networks for
information
transmission.
Recent
developments is made possible by
technology and new patterns of networks,
such as Wireless LANs (WLAN) and
wireless personal area networks(WPAN).
The scope of WPAN is to define PHY and
MAC
specifications
for
wireless
connectivity with fixed, portable and
moving devices within or entering a
Personal Operating Space (POS) with one
goal to achieve a level of inter-operability
which could allow the transfer of data
between a WPAN device and a WLAN
device. The best example of WPAN, is the
industrial standard Bluetooth and the other
one is Zigbee protocol.
3. Network topologies that
supported by the Zigbee protocol:
are
The network must be in one of two
networking topologies specified in IEEE
802.15.4: star and peer-to-peer.
1
products developed by different vendors
for a specific application.
3.1. peer-to-peer Topology:
In a peer-to-peer topology each device can
communicate directly with any other
device if the devices are placed close
enough together to establish a successful
communication link. In this type of
networking, routing operation is performed
by Full Function Devices (FFD). Each
FFD can communicate with other Reduced
Function Devices (RFD). A peer-to-peer
network can take different shapes by defining
4.2. Network layer:
The network layer interfaces between the
MAC and the APL and is responsible for
managing the network formation and
routing. the network layer is responsible
for
topology
construction
and
maintenance, as well as naming and
binding services, which incorporate the
necessary tasks of addressing, routing, and
security multi-hop transfer.
restrictions on the devices that can
communicate with each other. If there is no
restriction, the peer-to-peer network is known
as a mesh topology . Another form of peer-topeer network ZigBee supports is a tree
topology. In this case, a ZigBee coordinator
(PAN coordinator) establishes the initial
network. ZigBee routers form the branches
and relay the messages. ZigBee end devices
act as leaves of the tree and do not participate
in message routing. ZigBee routers can grow
the network beyond the initial network
established by the ZigBee coordinator[1]
4.3. Data link layer:
The IEEE 802 project splits the DLL into
two sublayers:
4.3.1. Medium Access Control (MAC): is
closer to the hardware and may vary with
the physical layer implementation.
The MAC layer provides the interface
between the PHY layer and the network
layer. The MAC is responsible for
generating beacons and synchronizing the
device to the beacons (in a beacon-enabled
network) [1].
Confirming successful reception of a
received
frame.
association
and
disassociation,
acknowledged
frame
delivery, channel access mechanism,
frame validation, guaranteed time slot
management.
The IEEE 802.15.4 defines four MAC
frame structures:
3.2. Star topology:
In the star topology, the PAN coordinator
acts as the initiation point for the network
and other FFDs and RFDs connect to it.
Communications are performed between
RFDs/FFDs and the PAN coordinator,
which is in charge of managing all the star
functionality[4].
4. Zigbee protocol layers:
4.1. Application layer:
The application (APL) layer is the highest
protocol layer in the ZigBee wireless
network Application objects control and
manage the protocol layers in a ZigBee
device.
4.3.1.1. The Beacon Frame
The beacon frame is not only used to
synchronize the devices in a network but is
also used by the coordinator to let a
specific device in a network know there is
data pending for that device in the
coordinator. The device, at its discretion,
will contact the coordinator and request
that it transmit the data to the device.
4.1.1 Application profile:
The ZigBee standard offers the option to
use application profiles in developing an
application. An application profile is a set
of agreements on application-specific
message formats and processing actions.
The use of an application profile allows
further interoperability between the
4.3.1.2.The Data Frame
The MAC data frame is referred to as the
MAC Protocol Data Unit (MPDU) and
2
becomes the PHY payload. It is composed
of the MAC header (MHR), MAC service
data unit (MSDU), and MAC footer
(MFR).
- Frame control field: The first field of the
MAC header is the frame control field. It
indicates the type of MAC frame being
transmitted, specifies the format of the
address
field,
and
controls
the
acknowledgment. In short, the frame
control field specifies how the rest of the
frame looks and what it contains.
- The payload field: It is variable in length;
however, the complete MAC frame may
not exceed 127 bytes in length. The data
contained in the payload is dependent on
the frame type.
- Address field: Specifies the source and
destination address. The size of the address
field may vary between 0 and 20 bytes.
- sequence number and frame check
sequence(FCS): The sequence number in
the
MAC
header
matches
the
acknowledgment frame with the previous
transmission. The transaction is considered
successful only when the acknowledgment
frame contains the same sequence number
as the previously transmitted frame. The
FCS helps verify the integrity of the MAC
frame .The frame check sequence (FCS)
helps verify the integrity of the MAC
frame.
The FCS in an IEEE 802.15.4 MAC frame
is
a
16-bit
International
Telecommunication
Union
Telecommunication
Standardization
Sector (ITU-T) cyclic redundancy check
(CRC).
4.3.2. logical link control (LLC):
Is an interface between upper layers and
MAC layer.
4.4. PHY layer:
The IEEE 802.15.4 specification supports
two PHY options based on direct sequence
spread spectrum (DSSS), which allows the
use of low-cost digital IC realizations. The
PHY adopts the same basic frame structure
for low-duty-cycle low-power operation,
except that the two PHYs adopt different
frequency bands: low-band (868/915
MHz) and high band (2.4 GHz).
Determining power consumption and bit
rate in network Seeking and selecting an
empty channel .
Transforming packets on physical media.
5. Zigbee Applications:
- PC peripherals: Human interface
devices, wireless mice, keyboards,
joysticks, low-end PDAs, and games.
consumer
electronics:
Radios,
televisions, VCRs, CDs, DVDs, remote
controls, and so on, and a truly universal
remote control to control them
- Home automation: Heating, ventilation,
and air conditioning (HVAC), security,
lighting, and the control of objects such as
curtains, windows, doors, and locks.
- health monitoring: Fittness and patient
monitoring.
- Precision agriculture: Such as the
sensing of soil moisture, pesticide,
herbicide, and pH levels.
- Industrial control: Asset management,
Process control, Energy management.
4.3.1.3. The Acknowledgment Frame
The acknowledgment frame is sent by one
device to another to confirm successful
reception of a packet.
6. Security
In a wireless network, the transmitted
messages can be received by any nearby
device, including an intruder. There are
two main security concerns in a wireless
network.
The first one is data confidentiality . The
intruder device can gain sensitive
information by simply listening to the
transmitted messages. Encrypting the
4.3.1.4. The Command Frame
The MAC commands such as requesting
association or disassociation with a
network are transmitted using the MAC
command frame .
3
messages before transmission will solve
the confidentiality problem. An encryption
algorithm modifies a message using a
string of bits known as the security key,
and only the intended recipient will be able
to recover the original message. The IEEE
802.15.4 standard supports the use of
Advanced Encryption Standard (AES) [12]
to encrypt their outgoing messages.
The second concern is that the intruder
device may modify and resend one of the
previous messages even if the messages
are encrypted. Including a message
integrity code (MIC) with each outgoing
frame will allow the recipient to know
whether the message has been changed in
transit. This process is known as data
authentication .
One of the main constraints in
implementing security features in a ZigBee
wireless network is limited resources. The
nodes are mainly battery powered and
have limited computational power and
memory size. ZigBee is targeted for lowcost applications and the hardware in the
nodes might not be tamper resistant. If an
intruder acquires a node from an operating
network that has no tamper resistance, the
actual key could be obtained simply from
the device memory. A tamper-resistant
node can erase the sensitive information,
including the security keys, if tampering is
detected[1].
communicate to the network.
6.1.2. frame integrity: A secure network
should
provide
message
integrity
protection if an adversary modifies a
message from an authorized sender while
the message is in transit, the receiver
should be able to detect this tampering. Including a message authentication code
(MAC) with each packet provides message
authentication and integrity. This objective
is to prevent changes to be made by an
invalid intruder and to provide assurance
that the messages from the source device
have not been manipulated by the invalid
intruder.
6.1.3 Confidentialit:
Confidentiality
means keeping information secret from
unauthorized parties. It is typically
achieved with encryption a common
technique for achieving security is to use a
unique nonce for each invocation of the
encryption algorithm.
Since the receiver must use the nonce to
decrypt messages, the security of most
encryption schemes do not rely on nonces
being secret. Nonces are typically sent in
the clear and are included in the same
packet with the encrypted data[3].
6.1.4. Replay Protection: An adversary
that eavesdrops on a legitimate message
sent between two authorized nodes and replays it at some later time engages in a
replay attack. replay protection prevents
these types of attacks. the sender typically
assigns a monotonically increasing
sequence number to each packet and the
receiver rejects packets with smaller
sequence numbers than it has already seen.
6.1. Zigbee protocol security services
Zigbee security protocol provides four
basic security services: access control,
message integrity, message confidentiality,
and replay protection.
6.1.1 Access control: Access control
means the link layer protocol should
prevent
unauthorized
parties from
participating in the network. Legitimate
nodes should be able to detect messages
from unauthorized nodes and reject them.
It provides a Access Control List (ACL) of
valid devices from which the device can
receive the frames. This mechanism
prevents the unauthorized devices to
6.2. There are two important packet
types that are relevant to the security
of 802.15.4:
data packets and acknowledgment packets.
6.2.1. Data packet: A data packet, has
variable length and is used by a node to
send a message to a single node or to
broadcast a message to multiple nodes.
Each data packet has a flags field that
4
MAC . The sender can compute either a 4,
8, or 16 byte MAC using the CBC-MAC
algorithm, leading to three different AESCBC-MAC variants. The MAC can only
be computed by parties with the symmetric
key. The MAC protects packet headers as
well as the data payload. The sender
appends the plaintext data with the
MAC.The recipient verifies the MAC by
computing the MAC and comparing it
with the value included in the packet.
indicates the packet type, whether security
is enabled or not, the addressing modes
that are in use, and whether the sender
requests an acknowledgment. A 1 byte
sequence number serves to identify the
packet number for acknowledgments. The
packet optionally includes source and
destination addresses. As noted above,
each field is variably sized between 0 and
10 bytes. The data payload field comes
after the addressing fields. It is less than
102 bytes. Finally, a 2 byte CRC
checksum field protects the packet against
transmission errors.
6.2.2. The acknowledgment packet: It is
sent by the recipient only if the
corresponding data packet was not sent to
a broadcast address and the sender
requested an acknowledgment. Its format
is simple: a 2 byte flags field similar to the
one in the data packet, the 1 byte sequence
number from the packet that it is
acknowledging, and a 2 byte CRC. There
is no addressing information in the
acknowledgment packet.
6.3.4. AES-CCM: This security suite uses
CCM
mode for
encryption and
authentication [13]. Broadly, it first applies
integrity protection over the header and
data payload using CBC-MAC and then
encrypts the data payload and MAC using
AES-CTR mode.
6.4. ACL security table:
802.15.4 radio chips have an access
control list (ACL) Compliant devices
may support up to 255 ACL entries.
If no security is requested, the packet is
sent out as is. If security is enabled, the
media access control layer looks up the
destination address in its ACL table. If
there is a match ACL entry, the security
suite, key, and nonce specified in that
ACL entry are used to encrypt and/or
authenticate the outgoing packet, and the
ags field on outgoing packet is set
accordingly. If the destination address
is not listed in the ACL table, a default
ACL entry is used instead; the default
ACL entry is similar to the other ACL
entries except that it matches all
destination addresses. If the default ACL
entry is empty and the application has requested security, the media access control
layer returns an error code.
On packet reception, the media access
control layer consults the ags field in the
packet to determine if any security suites
have been applied to that packet. If no
security was used, the packet is passed as
is to the application. Otherwise, the media
access control layer uses a similar process
to find the appropriate ACL entry, this
6.3. security suites:
security suites are using in packets:
6.3.1. Null: This is the simplest security
suite. Its inclusion is mandatory in all
radio chips. It does not have any security
material and operates as the identity
function. It does not provide any security
guarantees.
6.3.2. AES-CTR: This suite provides
confidentiality protection using the AES
block cipher [14] with counter mode. To
encrypt data under counter mode, the
sender breaks the clear text packet into 16byte blocks ( p1,……, pn) and computes
ci = pi Ek(xi). Each 16-byte block uses
its own varying counter, which we call x1.
The recipient recovers the original
plaintext by computing pi = ci
Ek(xi).
Clearly, the recipient needs the counter
value xi in order to reconstruct pi. The xi
counter, known as a nonce or IV.
6.3.3. AES-CBC-MAC: This suite
provides integrity protection using CBC5
time based on the sender's address. It then
applies the appropriate security suite, key,
and replay counter to the incoming packet,
presenting the application with an error
message if no appropriate ACL entry
could be located.
6.5.4. Hybrid approaches: Some systems
may use a combination of the above
keying models simultaneously in the same
application. For example, we might use
pairwise keying for all links between a
node and a base station and use a network
shared key for all other links[3].
6.5. Keying Models : Each node only
needs to keep track of a single key, which
eases the management problems. We
present a few of the more common keying
models that are appropriate for sensor
networks:
7. Security problems:
7.1.
Key
Management
Problems
The first class of problems results from
inadequate support in the ACL table for
many keying models.
6.5.1. Network shared keying: With a
single network wide shared key, each node
in the system possesses the same key and
uses it to communicate with all other
nodes.
However, the management
simplicity comes at the cost of a
vulnerability to insider attacks. It is more
vulnerable than other keying models to a
single key compromise, as happens when
an adversary compromises a single node.
An adversary can use the compromised
node to undermine the security guarantees
of the entire network.
7.1.1.No Support for Group Keying:
Supporting group keying under 802.15.4 is
unwieldy. For example, suppose that nodes
(n1,……,n5) wish to communicate
amongst themselves using key k1, while
nodes (n6,…….,n9) use key k2. Because
each ACL entry can only be associated to
a single destination address (x7.5.8.1),
there is no good way to support this
desired model. One tempting approach is
to create five ACL entries, one for each of
nodes (n1,….,n5) all mentioning the same
key k1. This requires that the 802.15.4
radio's ACL table be large enough to hold
all these entries[3]. Pairwise Keying
Inadequately Supported In a pairwise
keying model, a radio chip with support
for n ACL entries will limit us to networks
containing at most about n nodes. This
poses a significant limit to scalability, and
it means that pairwise keying will only be
feasible on radio chips with support for a
large
number
of
ACL
entries.
To support pairwise keying, we submit
that it may make sense to revise the
specification to mandate a reasonable
minimum number of ACL entries.
6.5.2. Pairwise keying: Pairwise keying
tolerates node compromise by limiting the
scope of every key . With pairwise keying,
each pair of nodes share a different key. This provides better security
than network shared keying. On devices
with minimal resources, the storage costs
can be prohibitive.
6.5.3. Group keying: Group keys are a
compromise between network shared keys
and pairwise keys. A single key is shared
among a set of nodes and is used on all
links between any two nodes in that group.
The partition into groups may be made
based on location, network topology, or
similarity of function. The advantage of
group keying is that it provides an intermediate tradeoff between network shared
keying and pairwise keying, with partial
resistance to node compromise at a lower
cost than pairwise keying.
7.1.2. Pairwise Keying Inadequetly
Supported: The specification could
include stronger support for pairwise
communication. The specification allows a
802.15.4 radio to have up to 255 ACL
entries but it does not specify a required
6
minimum number of ACL entries. An
ACL entry cannot be safely shared among
a group of multiple nodes. This means that
in a pairwise keying model, a radio chip
with support for n ACL entries will limit
us to networks containing atmost about n
nodes. This poses a significant limit to
scalability , and it means that pairwise
keying will only be feasible on radio chips
with support for a large number of ACL
entries. To support pairwise keying , we
submit that it may make sense to revise the
specification to mandate a reasonable
minimum number of ACL entries.
properly maintained even during power
interruptions and low-power operation.
7.3.1. Power Failure: Consider what
happens if the ACL state is lost when the
node encounters a power failure. If no
special precautions are taken, the node will
emerge with a cleared ACL table when
power is restored. Presumably, the node's
software can then repopulate the ACL
table with the appropriate keys. However,
it is not clear what to do about the nonce
states. If all nonces are reset to a known
value, such as 0, nonces will be reused,
Compromising security. Actually fails to
secure
communications
against
eavesdroppers.
Application designers
must take this into account in order to
design nodes that are secure across power
interruptions[3].
7.1.3. Network Shared Keying
Incompatible with Replay Protection :
When using a single network-wide shared
key, there is no way to protect against
replay attacks. To use the network shared
key model, an application must use the
default ACL entry, the other ACL entries
are not useful for group communication.
Recall that the default ACL entry will be
used when there is no matching ACL
entry. This is not feasible when there are
more than a handful of members in a
group, precluding the use of replay
protection with the shared network key.
8. ATTACKS AND
VULNERABILITIES
8.1.Physical Attacks
If a knowledgeable attacker can gain
physical access to a device containing a
ZigBee radio, chances are good that they
can compromise it. What makes physical
attacks so effective is being able to interact
physically with the device to obtain an
encryption key used by the target ZigBee
network. Many ZigBee radios use a hardcoded encryption key that is loaded in
RAM memory when the device is
powered.
Since these keys are typically written
(flashed) on all the devices in a ZigBee
network, it's highly unlikely that the keys
will ever be changed. Knowing this,
attackers can utilize special serial
interfaces on the ZigBee device to attempt
to capture the encryption keys as those
keys are moved from flash to RAM during
power up.
There are numerous low-cost and opensource tools that make this form of attack
within the grasps of any attacker. Two of
the most popular are Bus Pirate and
GoodFet.
7.2. Denial of service Attacks on AESCTR:
The second class of problems results from
Insufficient Integrity Protection . singlepacket
denial-of-service
attack
is
applicable when a 802.15.4 network uses
the AES-CTR suite with replay protection
enabled. This shows that an attacker can
permanently disrupt a 802.15.4 link, if that
link uses AES-CTR with replay protection
enabled. The attack is easy to mount,
because it only requires sending a single
forged packet; the attacker needs no
special access or equipment[3].
7.3. Loss of ACL State Due to Power
Interruptions:
We expect that many 802.15.4 devices will
be battery or solar powered. Radio chip
designers must ensure that the ACL state is
7
programmed ZigBee radio, but don't let
that fool you into thinking they are hard to
obtain.
While several low-cost ZigBee radios are
supported, the recommended device of
choice is the RZ Raven AVR, which can
be obtained online for approximately $40.
This puts the hardware and programs well
within the reach of security researchers
and malicious hackers alike.
An attacker using a combination of
hardware- and software-based tools to
perform their illicit actions has the obvious
advantage of not needing to physically
connect to the device to perform an attack.
This makes it extremely unlikely that the
attack will be discovered and even less
likely that the attacker will be caught. To
make matters worse, an attacker could use
specially
crafted
high-powered
transmitters or special Yagi antennas so
the attacker could potentially be a great
distance away from the devices they
attempting to compromise.
8.3.Replay and Injection Attacks
This type of attack can utilize key-based
attacks blended with packet replay and/or
injection attacks to trick the ZigBee device
into performing unauthorized actions.
ZigBee radios are susceptible to these
types of attacks because of the lightweight
design of the protocol, which has very
minimal replay protection. A simple
The Bus Pirate and GoodFet interface
boards provide support of numerous
industry standard
serial
protocols,
including 1-wire, JTAG, SPI, and
asynchronous serial. Once physically
connected to a ZigBee device through a
simple serial interface such as a Bus
Pirate, an attacker can unravel the security
of an entire ZigBee network and
potentially intercept and alter data.
8.2.Key Attacks
Other forms of key attacks are possible by
utilizing remote means to obtain
encryption keys. ZigBee radios often use
one of two encryption key methodologies
to ensure that devices have the appropriate
keys to talk to each other. These
methodologies are known as pre-shared
keying and Over the Air (OTA) key
delivery. Larger, more sophisticated
ZigBee networks will typically utilize
OTA for security and ease of updating.
Unfortunately, this methodology can be
attacked by having a device that mimics a
node on the ZigBee network and collects
the network's wireless transmissions. The
collected packets can be further analyzed
or potentially decrypted using free and
open-source equipment.
Since there is minimal session checking
built into the 802.15.4 protocol and
currently
no
intrusion-detection
capabilities, this type of attack is nearly
impossible to detect.
One toolset that is very effective for this
type of key analysis is called the KillerBee
framework, which was created by Joshua
Wright, a noted wireless security expert,
and has been made freely available to
everyone. KillerBee is really a suite of
hardware and software tools that allow
sophisticated interception, analysis, and
even transmission of 802.15.4 packets.
The software included in KillerBee is a
collection of Python scripts that are easily
modified and can be built upon to create
even more capabilities and interaction with
ZigBee radios. The hardware portion of
the framework requires a specially
scenario will help drive the point home.
Bob, our malicious user, uses a ZigBee
radio that is collecting packets transmitted
from a target ZigBee network. While Bob
may not be able to decode the packets perse, he knows enough about the system to
know that the target node controls the
water flow for a cooling system.
All Bob has to do in this case is to replay
the captured packets back to other nodes
on the ZigBee network mimicking the
originating node. Since there is minimal
session checking performed by the ZigBee
radios, the network will think the traffic is
legitimate and respond as if the commands
came from a valid node. A spinoff of this
8
type of attack was used at the 7th annual
Mid-Atlantic Collegiate Cyber Defense
Challenge.
8.6. MAC protocol's Attack
A simple but not very efficient attack
against network availability is to flood the
network by simply transmitting a large
number of packets , and cause discharging
the battery . In this manner, an adversary
may degrade the network performance and
drastically reduce throughput . If the goal
of the attack is the depletion of the power
source for a specific node (and the PAN
coordinator), all injected packets may
target that node. Since the downlink
packets have to be explicitly requested
from the PAN coordinator, this will keep
the both the PAN coordinator and the
chosen destination device busy and
eventually exhaust their respective power
sources.
8.4. Same-nonce attack
Same-nonce attack [16] is defined as
follows. There is a chance that in a
sender's ACL entry table, there are entries
with the same key and the same nonce. If
such a thing happens, a security attack is
possible. Note that the nonce is also used
as the frame counter. Assume that there
are two plaintexts (P1, P2) and two cipher
texts (C1 and C2) using the same key (K)
and the same nonce (N). Also assume that
an adversary can obtain C1 and C2, but
cannot obtain P1 or P2. Then the adversary
can obtain P1 P2 = C1 C2 since the
counters are the same and the keys are the
same although the adversary does not
know the key. The adversary may obtain
much useful information from P1
P2.
The same nonce occurs in many situations
such as power failure, sleep mode, and so
forth. Same keys happen in many
situations too such as using broadcasting
key, grouping key, and so forth[4].
8.7. Sybil Attack
The Sybil attack consists of a node
assuming several node identities while
using only one physical device. The
additional identities can be obtained either
by impersonating other nodes or by
making use of false identities. These
identities can all be used simultaneously
or over a period of time. This attack can
impact several services in ad hoc
networks.
For example it can impact multipath
routing, where a set of supposedly disjoint
paths can all be passing through the same
malicious node which is using several
Sybil identities. This attack can also
impact data aggregation where the same
node can contribute multiple readings each
using a different identity.
8.5. ACK attack
There is no integrity protection provided
on ACK frames.
When a sender sends a frame, it can
request an ACK frame from the receiver
by setting the bit flags in the outgoing data
frame.
The eavesdropper can forge the ACK
frame by using the unencrypted sequence
number from the data frame. If an
adversary does not want a particular frame
to be received by the receiver, it can send
interference to the receiver at the same
time when the sender is sending the data
frame. This leads to the rejection of the
frame. The adversary can then send a
forged ACK frame fooling the sender that
the receiver successfully received the
frame. Therefore, a sender cannot be
sure if the received frame is coming from
the receiver or another node even if the
receiver received the ACK frame.
8.7.1. Detection of Sybil Attacks:
Employing cryptographic relatedmethods
[17]–[18] are the traditional approaches to
prevent Sybil attacks. To address the
issues of computational
constraints on wireless and sensor nodes,
[2] proposed schemes based on symmetric
key cryptography to satisfy the resource
requirements, and [19] used unique
random pairwise key establishment
schemes based on t-degree polynomials.
9
In the IEEE 802.15.4 specification, the
replayed message is prevented by the
replay protection mechanism, that is,
sequential freshness. This is achieved by
which a receiver checks the recent counter
and rejects the frame which has the
counter value equal to or less than the
previous obtained counter. However, this
replay protection mechanism is subject
to another attack, called replay-protection
attack, which is one kind of denial-ofservice attacks. It is very easy to
launch replay-protection attacks as
follows. An adversary can send many
frames containing different large frame
counters to a receiver who performs replay
protection and raises the replay counter up
as the largest frame counter in the receiver
so far. Then, when a normal station sends
a frame with a reasonable size of frame
counter that is smaller than the replay
counter maintained at the receiver, the
frame will be discarded for the replayprotection purpose. In other words, the
service is denied.
Furthermore, radio resource testing and
registration approaches are two methods
that deviate from the conventional
security approaches. However, the radioresource testing [18] process may consume
much battery power, whereas registration
alone cannot prevent Sybil attacks,
because a malicious attacker may get
multiple identities by nontechnical means
such as stealing. In addition, [9] employed
received signal strength (RSS) to detect
wireless Sybil attacks. However, it did not
study how the Sybil nodes can be
localized.
8.8. Eavesdropping attack
The most widely known problem with an
open, uncontrolled medium like wireless
technology is that it is susceptible to
anonymous attackers. The anonymous
attacker can passively intercept radio
signals and decode the data being
transmitted. The primary goals of the
attacker are to understand who uses the
network, what is accessible, what the
capabilities of the equipment on the
network are, when it is used least and
most, and what the coverage area is. This
information is needed to launch an attack
on the target network.
9. Possible Solutions
9.1. Solution for Network Discovery and
Location Tracking Attack
The hacking tool that is used to discover
the ZigBee network uses the same
mechanism that is used by ZigBee devices
[7]. There is no solution for this attack
since the network discovery process can’t
be disabled by any means as it is part of
the ZigBee mechanism[10].
However, it is helpful to understand the
impact of this attack and evaluate the
ZigBee network accordingly.
8.9. Denial of Service (DoS) Attack
Jamming the entire network can cause a
denial of service (DoS) attack.
The entire area, including both base
stations and clients, is flooded with
interference so that no stations can
communicate with each other. This attack
shuts down all communications in a given
area. DoS attacks on wireless networks
may be difficult to prevent and stop.
9.2. Solution for Packet and Key Sniffing
Packet sniffing or eavesdropping in
general is one of the well known attacks.
The only mechanism that is used to avoid
such attack is the CCM* integrity
algorithm that provides encryption for the
data being transmitted [7]. So, in order to
avoid
this
attack,
the
network
administrator should ensure that a strong
8.10. Replay Attack
Where an attacker retransmits captured
data as if it is the original sender sending
the data again. Depending on the
application, a replay attack can have an
insignificant effect or a severe one[6].
8.11. Replay-protection attack
10
freshness, that is, the replayed message is
prevented by the replay protection
mechanism. Furthermore, the frame
counter potentially causes problems when
nodes are in sleep mode or the power
of nodes is temporarily failed, and so forth.
We propose to use timestamp as the
sequential freshness.
The sequential freshness is achieved by
which a receiver checks the recent
timestamp obtained from the sender and
rejects the frame which has the timestamp
equal to or less than the previous obtained
timestamp. Furthermore, there is not relay
key is selected to avoid data leakage.
9.3. Solution for Replay Attack
In order to avoid the replay attack, the
ZigBee stack should be able to identify the
frames by a sequence number and make
sure that the received number is greater
than that previously received frame [7].
However, ZigBee stack has only 8 bits of
network sequence numbers in which an
attacker can take advantage of and
retransmit the frame after waiting 255
frames [7].
9.4. Solution for Packet and Key Sniffing
Packet sniffing or eavesdropping in
general is one of the well known attacks.
The only mechanism that is used to avoid
such attack is the CCM* integrity
algorithm that provides encryption for the
data being transmitted [7]. So, in order to
avoid
this
attack,
the
network
administrator should ensure that a strong
key is selected to avoid data leakage[11].
counter to be raised up. The drawback
of this approach is that the field length is
larger. Whenever the sender receives
a frame with a timestamp, it compares this
timestamp with the current time. If the
current time is much smaller than the
timestamp, the sender believes that this is
an attack, and rejects the frame.
Therefore, the recorded timestamp has
never been raised up to a value so that
replay-protection attack or denial of
service attack cannot be launched.
Furthermore, when a sensor just wakes up
or obtains power supply after a power
failure, it contacts the coordinator,
synchronizes the clock with beacon frames
received, and raises all the time stamps up
to the current time.
9.8. UsingMIC for ACK
For ACK frame, we propose to append
MIC at the end of ACK frame, where MIC
is obtained by the authentication algorithm
AES-CBC-MAC. The authenticated field
is the whole ACK frame.
Dynamically dividing nonce spaces For
the broadcasting key and group keys, it
may have multiple same key entries in the
ACL table. In order to prevent the samenonce attack, nonce space is divided into
multiple groups so that different entries
with the same key will use different space
of nonce values (also chosen randomly).
This feature plus timestamp can prevent
same-nonce attack and other attacks.
9.5. Separating nonce from frame
counter
We believe that the current approach that
nonce serves as both IV and the frame
counter is a bad design and causes some
vulnerability.
We propose to separate nonce from the
frame counter so that two fields, nonce and
frame counter, are both used. The
drawback is that an additional field is
added, but security is much enhanced.
9.6. Randomly generating nonces
Since a nonce is separated from the frame
counter, the nonce can be generated using
a random generation algorithm instead
of increasing the counter/nonce one by one
each time.
9.7. Using time stamp as the frame
counter
We notice that same-nonce attack, replayprotection, and denial-of-service are all
related to the frame counter.
The frame counter is used for sequential
11
than that, the intrusion detection could be
programmed to be adaptive, so it has the
ability to automatically identify the attacks
according to a specified learning
mechanism of the implemented ZigBee
network daily activities. Last but not least,
the intrusion detection could be
programmed in order to send fake beacon
request to the attacker in order to lead the
attacker to a channel in which the ZigBee
network is not operating on. In this way,
the attacker is confused between the actual
traffic and the noise send over another
channel.
9.9. Eliminating the key sequence counter
In practice, the key sequence counter is
always zero and of no use. It generates one
byte overhead in each security-enabled
frame. In order to increase the air
efficiency, reduce the size of the ACL
table, and simplify the processing in the
CCM* mode, it is recommended to
eliminate key sequence counter.
Tracking frame counter for each device
To present the replay-protection attack,
each station keeps track of the frame
counter for each device sending to
it.However, this scheme may not be very
robust when there is a failure such as a
power failure or restart. Furthermore, it is
a little awkward to maintain the
consistency.
10.Conclusion:
ZigBee is not exactly a new technology; in
fact it was originally developed in 1998,
but only recently has ZigBee become more
commonplace in industrial and consumer
products. ZigBee was designed to fulfill a
niche and previously untapped market in
which regular wireless devices were
unsuitable. The unique characteristics of
ZigBee embedded wireless devices have
opened a floodgate of new products that
require its low power simplicity and
functionality.
Lately, other wireless protocols have
become the focus of security researchers
and hackers alike. One protocol that can
arguably be placed at the top of the list,
and is an area of growing concern, is the
802.15.4 protocol that ZigBee wireless
rides on. New tools and techniques are
being developed by penetration testers to
validate the security and configuration of
ZigBee-enabled devices.
This article takes a closer look at the
ZigBee protocol, some of the attacks that
have been leveraged against it.
Since the network discovery can not be
prohibited, malicious attempts that mimic
the network discovery process are
identified using the intrusion detection
system designed. So Before the
implementations become commonplace it
is vital that the security of the protocol be
thoroughly scrutinized and measures taken
to repair or defend against the
vulnerabilities.
9.10. CCM* mode
In [15], the author introduces a CCM*
mode, in which a counter determined
from the frame counter of the source
device is used to provide frame freshness
and to prevent the replay-protection attack.
For each node to which a device sends or
receives secured frames, an ACL entry is
created in the MAC PIB (PAN information
base), containing the implicit or explicit
address of the entity and the associated
corresponding security material including
an AES key, a frame counter for outgoing
frames, and an external frame counter for
incoming frames [10]. If it is explicit, it
contains a key identifier.
The AES symmetric key is 16 octets to
secure incoming and outgoing frames;
the frame counter for outgoing frames is
used by a device when originating a frame;
and the external frame counter for
incoming frames is used by a device to
verify freshness of incoming frames .This
counter is increased each time when a
secure frame is transmitted, but it will not
roll over to ensure that the CCM∗ nonce is
unique and to ensure freshness or to detect
duplicates.
9.11. Other prevention techniques:
One of the prevention techniques is
sending a frame in which the node that is
being targeted is being shut down .Other
12
the Sixth Usenix UNIX Security Symposium.
[15] R. Struik, “Formal Specification of the
CCM∗ Mode of Operation,” Doc. #: IEEE 1504-0537-00-004b.
[16] N. Sastry and D. Wagner, (October 2004)
“Security considerations for IEEE 802.15.4
networks,” in Proceedings of the ACM
Workshop on
Wireless Security (WiSe ’04), pp. 32–42,
Philadelphia, Pa, USA.
[17] L. Eschenauer and V. D. Gligor, (Nov.
2002) “A key-management scheme for
distributed
sensor networks,” in Proc. 9th ACM CCS, pp.
41–47.
[18] J. Newsome, E. Shi, D. Song, and A.
Perrig,(Apr. 2004), “The Sybil attack in sensor
networks: Analysis and defenses,” in Proc. 3rd
IPSN,pp. 259–268.
[19] D. Liu and P. Ning,(Oct. 2003),
“Establishing pairwise keys in distributed
sensor
networks,” in Proc. 10th ACM CCS, pp. 52–
61.
[20] By Brad Bowers. (Jan 9, 2012)\ zibee
wireless security:attacks against zibee.
[21] Vojislav B. Mi·sic, Jun Fung, and Jelena
Mi·sic, Department of Computer Science
University of Manitoba Winnipeg, Manitoba,
Canada R3T 2N2\ MAC Layer Attacks in
802.15.4 Sensor Networks
[22] Dr.Jose.A Gutierezz ."IEEE Std.802.15.4
Enabling pervasive wireless sensor networks"
References:
[1] Shahin Farahani\ (2008). Zigbee wireless
networks and trasceivers
[2] Q. Zhang, P. Wang, D. Reeves, and P.
Ning,(Jun. 2005)“Defending against Sybil
attacks in sensor networks,” in Proc. 25th
IEEE ICDCSW, pp. 185–191.
[3] Naveen Sastry ,David Wagner. Security
Considerations for IEEE 802.15.4 Networks.
[4] Yang Xiao,Hsiao-Hwa Chen, Bo Sun,
RuhaiWang, and Sakshi Sethi\(May 2006)
MAC Security and Security Overhead
Analysis in the IEEE 802.15.4Wireless Sensor
Networks
[5] Ed Callaway, Paul Gorday, and Lance
Hester, Home Networking with IEEE
802.15.4:A Developing Standard for Low-Rate
Wireless Personal Area Networks
[6] Lawrence Crowther \( Spring 2011)
\Exploiting ZigBee
[7] J. Cache, J. Wright, V. Liu, E. Scott, B.
Antoniewiecz, C. Wang and I(2010).
Books24x7, Hacking Exposed Wireless. New
York: McGraw-Hill Companies.
[8]
Gunhee Lee, Jaesung Lim (2009) An
Approach Mitigating Sybil Attack in Wireless
Networks using ZigBee.
[9] M. Demirbas and Y. Song,(2006), “An
RSSI-based scheme for Sybil attack detection
in wireless sensor networks,” in Proc. Int.
Workshop Adv. Experimental Activities
Wireless Netw. Syst., pp. 564–570.
[10] Tulin Mangir, Lelass Sarakbi, Harvy
Younan Electrical Engineering Department
California State University- Long Beach, CA.
USA .November (2011)/ Detecting Malicious
Activities in ZigBee Networks using Cognitive
Radio, International Journal of Distributed and
Parallel Systems (IJDPS) Vol.2, No.6, .
[11] R. Struik, (2004) “Security Resolutions
802.15.4,” Doc. #: IEEE 802.15-04-0540-08.
[12] Advanced Encryption Standard (AES)
(Nov. 26, 2001), Federal Information
Processing Standards Publication 197, U.S.
Department
of
Commerce/N.I.S.T,
Springfield, Virginia. Available at
http://csrc.nist.gov/
[13] D. Whiting, R. Housley, and N. Ferguson
(September 2003). Counter with cbc-mac
(ccm). RFC 3610.
[14] Steven M. Bellovin,(1996). Problem areas
for the IP security protocols. In Proceedings of
13