Security in IEEE 802.15.4/zigbee Kiana soleimany Kiana_soleimany@yahoo.com Abstract 2. Zigbee (IEEE 802.15.4) In 2000 two standards groups, ZigBee alliance, a HomeRF spinoff, and IEEE 802 Working Group 15, combined efforts to address the need for low-power low-cost wireless networking in the residential and industrial environments[5], they named it Zigbee. ZigBee is a developing low-power wireless technology being utilized for applications which require a simple protocol stack, low data rate and long battery life. ZigBee has ZigBee is a low-rate wireless personal area network (LR-WPAN) standard, which is developing low-power wireless technology being utilized for applications which require a simple protocol stack, low data rate and long battery life[6]. ZigBee is based on the IEEE 802.15.4 specification. This standard is suitable for communication between electrical appliances, security systems, lighting controls and Heating, Ventilating, and Air Conditioning (HVAC) systems and one of the largest application is home automation and networking. In this article, we consider the networks compliant with the recent IEEE 802.15.4 standard and describe a number of possible attacks . already been deployed for a variety of applications from smart thermostat communication to hospital patient monitoring systems. ZigBee is based on the IEEE 802.15.4 specification [1] and supports data rates up to 250 Kbps. This is considerably lower than Bluetooth which supports data rates of 3 Mbps and Wi-Fi which is now capable of data rates in excess of 54 Mbps. However, ZigBee can be implemented in only 120 KB of memory and is capable of operating on embedded, battery-powered devices for years as opposed to days or hours as can typically be expected from Bluetooth or Wi-Fi enabled portable devices. These attributes make ZigBee appealing for applications which do not require high data rates. Keywords: IEEE 802.15.4 , Security 1. Wireless Personal Area Network : The wireless technology is an important element to provide low-cost networks for information transmission. Recent developments is made possible by technology and new patterns of networks, such as Wireless LANs (WLAN) and wireless personal area networks(WPAN). The scope of WPAN is to define PHY and MAC specifications for wireless connectivity with fixed, portable and moving devices within or entering a Personal Operating Space (POS) with one goal to achieve a level of inter-operability which could allow the transfer of data between a WPAN device and a WLAN device. The best example of WPAN, is the industrial standard Bluetooth and the other one is Zigbee protocol. 3. Network topologies that supported by the Zigbee protocol: are The network must be in one of two networking topologies specified in IEEE 802.15.4: star and peer-to-peer. 1 products developed by different vendors for a specific application. 3.1. peer-to-peer Topology: In a peer-to-peer topology each device can communicate directly with any other device if the devices are placed close enough together to establish a successful communication link. In this type of networking, routing operation is performed by Full Function Devices (FFD). Each FFD can communicate with other Reduced Function Devices (RFD). A peer-to-peer network can take different shapes by defining 4.2. Network layer: The network layer interfaces between the MAC and the APL and is responsible for managing the network formation and routing. the network layer is responsible for topology construction and maintenance, as well as naming and binding services, which incorporate the necessary tasks of addressing, routing, and security multi-hop transfer. restrictions on the devices that can communicate with each other. If there is no restriction, the peer-to-peer network is known as a mesh topology . Another form of peer-topeer network ZigBee supports is a tree topology. In this case, a ZigBee coordinator (PAN coordinator) establishes the initial network. ZigBee routers form the branches and relay the messages. ZigBee end devices act as leaves of the tree and do not participate in message routing. ZigBee routers can grow the network beyond the initial network established by the ZigBee coordinator[1] 4.3. Data link layer: The IEEE 802 project splits the DLL into two sublayers: 4.3.1. Medium Access Control (MAC): is closer to the hardware and may vary with the physical layer implementation. The MAC layer provides the interface between the PHY layer and the network layer. The MAC is responsible for generating beacons and synchronizing the device to the beacons (in a beacon-enabled network) [1]. Confirming successful reception of a received frame. association and disassociation, acknowledged frame delivery, channel access mechanism, frame validation, guaranteed time slot management. The IEEE 802.15.4 defines four MAC frame structures: 3.2. Star topology: In the star topology, the PAN coordinator acts as the initiation point for the network and other FFDs and RFDs connect to it. Communications are performed between RFDs/FFDs and the PAN coordinator, which is in charge of managing all the star functionality[4]. 4. Zigbee protocol layers: 4.1. Application layer: The application (APL) layer is the highest protocol layer in the ZigBee wireless network Application objects control and manage the protocol layers in a ZigBee device. 4.3.1.1. The Beacon Frame The beacon frame is not only used to synchronize the devices in a network but is also used by the coordinator to let a specific device in a network know there is data pending for that device in the coordinator. The device, at its discretion, will contact the coordinator and request that it transmit the data to the device. 4.1.1 Application profile: The ZigBee standard offers the option to use application profiles in developing an application. An application profile is a set of agreements on application-specific message formats and processing actions. The use of an application profile allows further interoperability between the 4.3.1.2.The Data Frame The MAC data frame is referred to as the MAC Protocol Data Unit (MPDU) and 2 becomes the PHY payload. It is composed of the MAC header (MHR), MAC service data unit (MSDU), and MAC footer (MFR). - Frame control field: The first field of the MAC header is the frame control field. It indicates the type of MAC frame being transmitted, specifies the format of the address field, and controls the acknowledgment. In short, the frame control field specifies how the rest of the frame looks and what it contains. - The payload field: It is variable in length; however, the complete MAC frame may not exceed 127 bytes in length. The data contained in the payload is dependent on the frame type. - Address field: Specifies the source and destination address. The size of the address field may vary between 0 and 20 bytes. - sequence number and frame check sequence(FCS): The sequence number in the MAC header matches the acknowledgment frame with the previous transmission. The transaction is considered successful only when the acknowledgment frame contains the same sequence number as the previously transmitted frame. The FCS helps verify the integrity of the MAC frame .The frame check sequence (FCS) helps verify the integrity of the MAC frame. The FCS in an IEEE 802.15.4 MAC frame is a 16-bit International Telecommunication Union Telecommunication Standardization Sector (ITU-T) cyclic redundancy check (CRC). 4.3.2. logical link control (LLC): Is an interface between upper layers and MAC layer. 4.4. PHY layer: The IEEE 802.15.4 specification supports two PHY options based on direct sequence spread spectrum (DSSS), which allows the use of low-cost digital IC realizations. The PHY adopts the same basic frame structure for low-duty-cycle low-power operation, except that the two PHYs adopt different frequency bands: low-band (868/915 MHz) and high band (2.4 GHz). Determining power consumption and bit rate in network Seeking and selecting an empty channel . Transforming packets on physical media. 5. Zigbee Applications: - PC peripherals: Human interface devices, wireless mice, keyboards, joysticks, low-end PDAs, and games. consumer electronics: Radios, televisions, VCRs, CDs, DVDs, remote controls, and so on, and a truly universal remote control to control them - Home automation: Heating, ventilation, and air conditioning (HVAC), security, lighting, and the control of objects such as curtains, windows, doors, and locks. - health monitoring: Fittness and patient monitoring. - Precision agriculture: Such as the sensing of soil moisture, pesticide, herbicide, and pH levels. - Industrial control: Asset management, Process control, Energy management. 4.3.1.3. The Acknowledgment Frame The acknowledgment frame is sent by one device to another to confirm successful reception of a packet. 6. Security In a wireless network, the transmitted messages can be received by any nearby device, including an intruder. There are two main security concerns in a wireless network. The first one is data confidentiality . The intruder device can gain sensitive information by simply listening to the transmitted messages. Encrypting the 4.3.1.4. The Command Frame The MAC commands such as requesting association or disassociation with a network are transmitted using the MAC command frame . 3 messages before transmission will solve the confidentiality problem. An encryption algorithm modifies a message using a string of bits known as the security key, and only the intended recipient will be able to recover the original message. The IEEE 802.15.4 standard supports the use of Advanced Encryption Standard (AES) [12] to encrypt their outgoing messages. The second concern is that the intruder device may modify and resend one of the previous messages even if the messages are encrypted. Including a message integrity code (MIC) with each outgoing frame will allow the recipient to know whether the message has been changed in transit. This process is known as data authentication . One of the main constraints in implementing security features in a ZigBee wireless network is limited resources. The nodes are mainly battery powered and have limited computational power and memory size. ZigBee is targeted for lowcost applications and the hardware in the nodes might not be tamper resistant. If an intruder acquires a node from an operating network that has no tamper resistance, the actual key could be obtained simply from the device memory. A tamper-resistant node can erase the sensitive information, including the security keys, if tampering is detected[1]. communicate to the network. 6.1.2. frame integrity: A secure network should provide message integrity protection if an adversary modifies a message from an authorized sender while the message is in transit, the receiver should be able to detect this tampering. Including a message authentication code (MAC) with each packet provides message authentication and integrity. This objective is to prevent changes to be made by an invalid intruder and to provide assurance that the messages from the source device have not been manipulated by the invalid intruder. 6.1.3 Confidentialit: Confidentiality means keeping information secret from unauthorized parties. It is typically achieved with encryption a common technique for achieving security is to use a unique nonce for each invocation of the encryption algorithm. Since the receiver must use the nonce to decrypt messages, the security of most encryption schemes do not rely on nonces being secret. Nonces are typically sent in the clear and are included in the same packet with the encrypted data[3]. 6.1.4. Replay Protection: An adversary that eavesdrops on a legitimate message sent between two authorized nodes and replays it at some later time engages in a replay attack. replay protection prevents these types of attacks. the sender typically assigns a monotonically increasing sequence number to each packet and the receiver rejects packets with smaller sequence numbers than it has already seen. 6.1. Zigbee protocol security services Zigbee security protocol provides four basic security services: access control, message integrity, message confidentiality, and replay protection. 6.1.1 Access control: Access control means the link layer protocol should prevent unauthorized parties from participating in the network. Legitimate nodes should be able to detect messages from unauthorized nodes and reject them. It provides a Access Control List (ACL) of valid devices from which the device can receive the frames. This mechanism prevents the unauthorized devices to 6.2. There are two important packet types that are relevant to the security of 802.15.4: data packets and acknowledgment packets. 6.2.1. Data packet: A data packet, has variable length and is used by a node to send a message to a single node or to broadcast a message to multiple nodes. Each data packet has a flags field that 4 MAC . The sender can compute either a 4, 8, or 16 byte MAC using the CBC-MAC algorithm, leading to three different AESCBC-MAC variants. The MAC can only be computed by parties with the symmetric key. The MAC protects packet headers as well as the data payload. The sender appends the plaintext data with the MAC.The recipient verifies the MAC by computing the MAC and comparing it with the value included in the packet. indicates the packet type, whether security is enabled or not, the addressing modes that are in use, and whether the sender requests an acknowledgment. A 1 byte sequence number serves to identify the packet number for acknowledgments. The packet optionally includes source and destination addresses. As noted above, each field is variably sized between 0 and 10 bytes. The data payload field comes after the addressing fields. It is less than 102 bytes. Finally, a 2 byte CRC checksum field protects the packet against transmission errors. 6.2.2. The acknowledgment packet: It is sent by the recipient only if the corresponding data packet was not sent to a broadcast address and the sender requested an acknowledgment. Its format is simple: a 2 byte flags field similar to the one in the data packet, the 1 byte sequence number from the packet that it is acknowledging, and a 2 byte CRC. There is no addressing information in the acknowledgment packet. 6.3.4. AES-CCM: This security suite uses CCM mode for encryption and authentication [13]. Broadly, it first applies integrity protection over the header and data payload using CBC-MAC and then encrypts the data payload and MAC using AES-CTR mode. 6.4. ACL security table: 802.15.4 radio chips have an access control list (ACL) Compliant devices may support up to 255 ACL entries. If no security is requested, the packet is sent out as is. If security is enabled, the media access control layer looks up the destination address in its ACL table. If there is a match ACL entry, the security suite, key, and nonce specified in that ACL entry are used to encrypt and/or authenticate the outgoing packet, and the ags field on outgoing packet is set accordingly. If the destination address is not listed in the ACL table, a default ACL entry is used instead; the default ACL entry is similar to the other ACL entries except that it matches all destination addresses. If the default ACL entry is empty and the application has requested security, the media access control layer returns an error code. On packet reception, the media access control layer consults the ags field in the packet to determine if any security suites have been applied to that packet. If no security was used, the packet is passed as is to the application. Otherwise, the media access control layer uses a similar process to find the appropriate ACL entry, this 6.3. security suites: security suites are using in packets: 6.3.1. Null: This is the simplest security suite. Its inclusion is mandatory in all radio chips. It does not have any security material and operates as the identity function. It does not provide any security guarantees. 6.3.2. AES-CTR: This suite provides confidentiality protection using the AES block cipher [14] with counter mode. To encrypt data under counter mode, the sender breaks the clear text packet into 16byte blocks ( p1,……, pn) and computes ci = pi Ek(xi). Each 16-byte block uses its own varying counter, which we call x1. The recipient recovers the original plaintext by computing pi = ci Ek(xi). Clearly, the recipient needs the counter value xi in order to reconstruct pi. The xi counter, known as a nonce or IV. 6.3.3. AES-CBC-MAC: This suite provides integrity protection using CBC5 time based on the sender's address. It then applies the appropriate security suite, key, and replay counter to the incoming packet, presenting the application with an error message if no appropriate ACL entry could be located. 6.5.4. Hybrid approaches: Some systems may use a combination of the above keying models simultaneously in the same application. For example, we might use pairwise keying for all links between a node and a base station and use a network shared key for all other links[3]. 6.5. Keying Models : Each node only needs to keep track of a single key, which eases the management problems. We present a few of the more common keying models that are appropriate for sensor networks: 7. Security problems: 7.1. Key Management Problems The first class of problems results from inadequate support in the ACL table for many keying models. 6.5.1. Network shared keying: With a single network wide shared key, each node in the system possesses the same key and uses it to communicate with all other nodes. However, the management simplicity comes at the cost of a vulnerability to insider attacks. It is more vulnerable than other keying models to a single key compromise, as happens when an adversary compromises a single node. An adversary can use the compromised node to undermine the security guarantees of the entire network. 7.1.1.No Support for Group Keying: Supporting group keying under 802.15.4 is unwieldy. For example, suppose that nodes (n1,……,n5) wish to communicate amongst themselves using key k1, while nodes (n6,…….,n9) use key k2. Because each ACL entry can only be associated to a single destination address (x7.5.8.1), there is no good way to support this desired model. One tempting approach is to create five ACL entries, one for each of nodes (n1,….,n5) all mentioning the same key k1. This requires that the 802.15.4 radio's ACL table be large enough to hold all these entries[3]. Pairwise Keying Inadequately Supported In a pairwise keying model, a radio chip with support for n ACL entries will limit us to networks containing at most about n nodes. This poses a significant limit to scalability, and it means that pairwise keying will only be feasible on radio chips with support for a large number of ACL entries. To support pairwise keying, we submit that it may make sense to revise the specification to mandate a reasonable minimum number of ACL entries. 6.5.2. Pairwise keying: Pairwise keying tolerates node compromise by limiting the scope of every key . With pairwise keying, each pair of nodes share a different key. This provides better security than network shared keying. On devices with minimal resources, the storage costs can be prohibitive. 6.5.3. Group keying: Group keys are a compromise between network shared keys and pairwise keys. A single key is shared among a set of nodes and is used on all links between any two nodes in that group. The partition into groups may be made based on location, network topology, or similarity of function. The advantage of group keying is that it provides an intermediate tradeoff between network shared keying and pairwise keying, with partial resistance to node compromise at a lower cost than pairwise keying. 7.1.2. Pairwise Keying Inadequetly Supported: The specification could include stronger support for pairwise communication. The specification allows a 802.15.4 radio to have up to 255 ACL entries but it does not specify a required 6 minimum number of ACL entries. An ACL entry cannot be safely shared among a group of multiple nodes. This means that in a pairwise keying model, a radio chip with support for n ACL entries will limit us to networks containing atmost about n nodes. This poses a significant limit to scalability , and it means that pairwise keying will only be feasible on radio chips with support for a large number of ACL entries. To support pairwise keying , we submit that it may make sense to revise the specification to mandate a reasonable minimum number of ACL entries. properly maintained even during power interruptions and low-power operation. 7.3.1. Power Failure: Consider what happens if the ACL state is lost when the node encounters a power failure. If no special precautions are taken, the node will emerge with a cleared ACL table when power is restored. Presumably, the node's software can then repopulate the ACL table with the appropriate keys. However, it is not clear what to do about the nonce states. If all nonces are reset to a known value, such as 0, nonces will be reused, Compromising security. Actually fails to secure communications against eavesdroppers. Application designers must take this into account in order to design nodes that are secure across power interruptions[3]. 7.1.3. Network Shared Keying Incompatible with Replay Protection : When using a single network-wide shared key, there is no way to protect against replay attacks. To use the network shared key model, an application must use the default ACL entry, the other ACL entries are not useful for group communication. Recall that the default ACL entry will be used when there is no matching ACL entry. This is not feasible when there are more than a handful of members in a group, precluding the use of replay protection with the shared network key. 8. ATTACKS AND VULNERABILITIES 8.1.Physical Attacks If a knowledgeable attacker can gain physical access to a device containing a ZigBee radio, chances are good that they can compromise it. What makes physical attacks so effective is being able to interact physically with the device to obtain an encryption key used by the target ZigBee network. Many ZigBee radios use a hardcoded encryption key that is loaded in RAM memory when the device is powered. Since these keys are typically written (flashed) on all the devices in a ZigBee network, it's highly unlikely that the keys will ever be changed. Knowing this, attackers can utilize special serial interfaces on the ZigBee device to attempt to capture the encryption keys as those keys are moved from flash to RAM during power up. There are numerous low-cost and opensource tools that make this form of attack within the grasps of any attacker. Two of the most popular are Bus Pirate and GoodFet. 7.2. Denial of service Attacks on AESCTR: The second class of problems results from Insufficient Integrity Protection . singlepacket denial-of-service attack is applicable when a 802.15.4 network uses the AES-CTR suite with replay protection enabled. This shows that an attacker can permanently disrupt a 802.15.4 link, if that link uses AES-CTR with replay protection enabled. The attack is easy to mount, because it only requires sending a single forged packet; the attacker needs no special access or equipment[3]. 7.3. Loss of ACL State Due to Power Interruptions: We expect that many 802.15.4 devices will be battery or solar powered. Radio chip designers must ensure that the ACL state is 7 programmed ZigBee radio, but don't let that fool you into thinking they are hard to obtain. While several low-cost ZigBee radios are supported, the recommended device of choice is the RZ Raven AVR, which can be obtained online for approximately $40. This puts the hardware and programs well within the reach of security researchers and malicious hackers alike. An attacker using a combination of hardware- and software-based tools to perform their illicit actions has the obvious advantage of not needing to physically connect to the device to perform an attack. This makes it extremely unlikely that the attack will be discovered and even less likely that the attacker will be caught. To make matters worse, an attacker could use specially crafted high-powered transmitters or special Yagi antennas so the attacker could potentially be a great distance away from the devices they attempting to compromise. 8.3.Replay and Injection Attacks This type of attack can utilize key-based attacks blended with packet replay and/or injection attacks to trick the ZigBee device into performing unauthorized actions. ZigBee radios are susceptible to these types of attacks because of the lightweight design of the protocol, which has very minimal replay protection. A simple The Bus Pirate and GoodFet interface boards provide support of numerous industry standard serial protocols, including 1-wire, JTAG, SPI, and asynchronous serial. Once physically connected to a ZigBee device through a simple serial interface such as a Bus Pirate, an attacker can unravel the security of an entire ZigBee network and potentially intercept and alter data. 8.2.Key Attacks Other forms of key attacks are possible by utilizing remote means to obtain encryption keys. ZigBee radios often use one of two encryption key methodologies to ensure that devices have the appropriate keys to talk to each other. These methodologies are known as pre-shared keying and Over the Air (OTA) key delivery. Larger, more sophisticated ZigBee networks will typically utilize OTA for security and ease of updating. Unfortunately, this methodology can be attacked by having a device that mimics a node on the ZigBee network and collects the network's wireless transmissions. The collected packets can be further analyzed or potentially decrypted using free and open-source equipment. Since there is minimal session checking built into the 802.15.4 protocol and currently no intrusion-detection capabilities, this type of attack is nearly impossible to detect. One toolset that is very effective for this type of key analysis is called the KillerBee framework, which was created by Joshua Wright, a noted wireless security expert, and has been made freely available to everyone. KillerBee is really a suite of hardware and software tools that allow sophisticated interception, analysis, and even transmission of 802.15.4 packets. The software included in KillerBee is a collection of Python scripts that are easily modified and can be built upon to create even more capabilities and interaction with ZigBee radios. The hardware portion of the framework requires a specially scenario will help drive the point home. Bob, our malicious user, uses a ZigBee radio that is collecting packets transmitted from a target ZigBee network. While Bob may not be able to decode the packets perse, he knows enough about the system to know that the target node controls the water flow for a cooling system. All Bob has to do in this case is to replay the captured packets back to other nodes on the ZigBee network mimicking the originating node. Since there is minimal session checking performed by the ZigBee radios, the network will think the traffic is legitimate and respond as if the commands came from a valid node. A spinoff of this 8 type of attack was used at the 7th annual Mid-Atlantic Collegiate Cyber Defense Challenge. 8.6. MAC protocol's Attack A simple but not very efficient attack against network availability is to flood the network by simply transmitting a large number of packets , and cause discharging the battery . In this manner, an adversary may degrade the network performance and drastically reduce throughput . If the goal of the attack is the depletion of the power source for a specific node (and the PAN coordinator), all injected packets may target that node. Since the downlink packets have to be explicitly requested from the PAN coordinator, this will keep the both the PAN coordinator and the chosen destination device busy and eventually exhaust their respective power sources. 8.4. Same-nonce attack Same-nonce attack [16] is defined as follows. There is a chance that in a sender's ACL entry table, there are entries with the same key and the same nonce. If such a thing happens, a security attack is possible. Note that the nonce is also used as the frame counter. Assume that there are two plaintexts (P1, P2) and two cipher texts (C1 and C2) using the same key (K) and the same nonce (N). Also assume that an adversary can obtain C1 and C2, but cannot obtain P1 or P2. Then the adversary can obtain P1 P2 = C1 C2 since the counters are the same and the keys are the same although the adversary does not know the key. The adversary may obtain much useful information from P1 P2. The same nonce occurs in many situations such as power failure, sleep mode, and so forth. Same keys happen in many situations too such as using broadcasting key, grouping key, and so forth[4]. 8.7. Sybil Attack The Sybil attack consists of a node assuming several node identities while using only one physical device. The additional identities can be obtained either by impersonating other nodes or by making use of false identities. These identities can all be used simultaneously or over a period of time. This attack can impact several services in ad hoc networks. For example it can impact multipath routing, where a set of supposedly disjoint paths can all be passing through the same malicious node which is using several Sybil identities. This attack can also impact data aggregation where the same node can contribute multiple readings each using a different identity. 8.5. ACK attack There is no integrity protection provided on ACK frames. When a sender sends a frame, it can request an ACK frame from the receiver by setting the bit flags in the outgoing data frame. The eavesdropper can forge the ACK frame by using the unencrypted sequence number from the data frame. If an adversary does not want a particular frame to be received by the receiver, it can send interference to the receiver at the same time when the sender is sending the data frame. This leads to the rejection of the frame. The adversary can then send a forged ACK frame fooling the sender that the receiver successfully received the frame. Therefore, a sender cannot be sure if the received frame is coming from the receiver or another node even if the receiver received the ACK frame. 8.7.1. Detection of Sybil Attacks: Employing cryptographic relatedmethods [17]–[18] are the traditional approaches to prevent Sybil attacks. To address the issues of computational constraints on wireless and sensor nodes, [2] proposed schemes based on symmetric key cryptography to satisfy the resource requirements, and [19] used unique random pairwise key establishment schemes based on t-degree polynomials. 9 In the IEEE 802.15.4 specification, the replayed message is prevented by the replay protection mechanism, that is, sequential freshness. This is achieved by which a receiver checks the recent counter and rejects the frame which has the counter value equal to or less than the previous obtained counter. However, this replay protection mechanism is subject to another attack, called replay-protection attack, which is one kind of denial-ofservice attacks. It is very easy to launch replay-protection attacks as follows. An adversary can send many frames containing different large frame counters to a receiver who performs replay protection and raises the replay counter up as the largest frame counter in the receiver so far. Then, when a normal station sends a frame with a reasonable size of frame counter that is smaller than the replay counter maintained at the receiver, the frame will be discarded for the replayprotection purpose. In other words, the service is denied. Furthermore, radio resource testing and registration approaches are two methods that deviate from the conventional security approaches. However, the radioresource testing [18] process may consume much battery power, whereas registration alone cannot prevent Sybil attacks, because a malicious attacker may get multiple identities by nontechnical means such as stealing. In addition, [9] employed received signal strength (RSS) to detect wireless Sybil attacks. However, it did not study how the Sybil nodes can be localized. 8.8. Eavesdropping attack The most widely known problem with an open, uncontrolled medium like wireless technology is that it is susceptible to anonymous attackers. The anonymous attacker can passively intercept radio signals and decode the data being transmitted. The primary goals of the attacker are to understand who uses the network, what is accessible, what the capabilities of the equipment on the network are, when it is used least and most, and what the coverage area is. This information is needed to launch an attack on the target network. 9. Possible Solutions 9.1. Solution for Network Discovery and Location Tracking Attack The hacking tool that is used to discover the ZigBee network uses the same mechanism that is used by ZigBee devices [7]. There is no solution for this attack since the network discovery process can’t be disabled by any means as it is part of the ZigBee mechanism[10]. However, it is helpful to understand the impact of this attack and evaluate the ZigBee network accordingly. 8.9. Denial of Service (DoS) Attack Jamming the entire network can cause a denial of service (DoS) attack. The entire area, including both base stations and clients, is flooded with interference so that no stations can communicate with each other. This attack shuts down all communications in a given area. DoS attacks on wireless networks may be difficult to prevent and stop. 9.2. Solution for Packet and Key Sniffing Packet sniffing or eavesdropping in general is one of the well known attacks. The only mechanism that is used to avoid such attack is the CCM* integrity algorithm that provides encryption for the data being transmitted [7]. So, in order to avoid this attack, the network administrator should ensure that a strong 8.10. Replay Attack Where an attacker retransmits captured data as if it is the original sender sending the data again. Depending on the application, a replay attack can have an insignificant effect or a severe one[6]. 8.11. Replay-protection attack 10 freshness, that is, the replayed message is prevented by the replay protection mechanism. Furthermore, the frame counter potentially causes problems when nodes are in sleep mode or the power of nodes is temporarily failed, and so forth. We propose to use timestamp as the sequential freshness. The sequential freshness is achieved by which a receiver checks the recent timestamp obtained from the sender and rejects the frame which has the timestamp equal to or less than the previous obtained timestamp. Furthermore, there is not relay key is selected to avoid data leakage. 9.3. Solution for Replay Attack In order to avoid the replay attack, the ZigBee stack should be able to identify the frames by a sequence number and make sure that the received number is greater than that previously received frame [7]. However, ZigBee stack has only 8 bits of network sequence numbers in which an attacker can take advantage of and retransmit the frame after waiting 255 frames [7]. 9.4. Solution for Packet and Key Sniffing Packet sniffing or eavesdropping in general is one of the well known attacks. The only mechanism that is used to avoid such attack is the CCM* integrity algorithm that provides encryption for the data being transmitted [7]. So, in order to avoid this attack, the network administrator should ensure that a strong key is selected to avoid data leakage[11]. counter to be raised up. The drawback of this approach is that the field length is larger. Whenever the sender receives a frame with a timestamp, it compares this timestamp with the current time. If the current time is much smaller than the timestamp, the sender believes that this is an attack, and rejects the frame. Therefore, the recorded timestamp has never been raised up to a value so that replay-protection attack or denial of service attack cannot be launched. Furthermore, when a sensor just wakes up or obtains power supply after a power failure, it contacts the coordinator, synchronizes the clock with beacon frames received, and raises all the time stamps up to the current time. 9.8. UsingMIC for ACK For ACK frame, we propose to append MIC at the end of ACK frame, where MIC is obtained by the authentication algorithm AES-CBC-MAC. The authenticated field is the whole ACK frame. Dynamically dividing nonce spaces For the broadcasting key and group keys, it may have multiple same key entries in the ACL table. In order to prevent the samenonce attack, nonce space is divided into multiple groups so that different entries with the same key will use different space of nonce values (also chosen randomly). This feature plus timestamp can prevent same-nonce attack and other attacks. 9.5. Separating nonce from frame counter We believe that the current approach that nonce serves as both IV and the frame counter is a bad design and causes some vulnerability. We propose to separate nonce from the frame counter so that two fields, nonce and frame counter, are both used. The drawback is that an additional field is added, but security is much enhanced. 9.6. Randomly generating nonces Since a nonce is separated from the frame counter, the nonce can be generated using a random generation algorithm instead of increasing the counter/nonce one by one each time. 9.7. Using time stamp as the frame counter We notice that same-nonce attack, replayprotection, and denial-of-service are all related to the frame counter. The frame counter is used for sequential 11 than that, the intrusion detection could be programmed to be adaptive, so it has the ability to automatically identify the attacks according to a specified learning mechanism of the implemented ZigBee network daily activities. Last but not least, the intrusion detection could be programmed in order to send fake beacon request to the attacker in order to lead the attacker to a channel in which the ZigBee network is not operating on. In this way, the attacker is confused between the actual traffic and the noise send over another channel. 9.9. Eliminating the key sequence counter In practice, the key sequence counter is always zero and of no use. It generates one byte overhead in each security-enabled frame. In order to increase the air efficiency, reduce the size of the ACL table, and simplify the processing in the CCM* mode, it is recommended to eliminate key sequence counter. Tracking frame counter for each device To present the replay-protection attack, each station keeps track of the frame counter for each device sending to it.However, this scheme may not be very robust when there is a failure such as a power failure or restart. Furthermore, it is a little awkward to maintain the consistency. 10.Conclusion: ZigBee is not exactly a new technology; in fact it was originally developed in 1998, but only recently has ZigBee become more commonplace in industrial and consumer products. ZigBee was designed to fulfill a niche and previously untapped market in which regular wireless devices were unsuitable. The unique characteristics of ZigBee embedded wireless devices have opened a floodgate of new products that require its low power simplicity and functionality. Lately, other wireless protocols have become the focus of security researchers and hackers alike. One protocol that can arguably be placed at the top of the list, and is an area of growing concern, is the 802.15.4 protocol that ZigBee wireless rides on. New tools and techniques are being developed by penetration testers to validate the security and configuration of ZigBee-enabled devices. This article takes a closer look at the ZigBee protocol, some of the attacks that have been leveraged against it. Since the network discovery can not be prohibited, malicious attempts that mimic the network discovery process are identified using the intrusion detection system designed. So Before the implementations become commonplace it is vital that the security of the protocol be thoroughly scrutinized and measures taken to repair or defend against the vulnerabilities. 9.10. CCM* mode In [15], the author introduces a CCM* mode, in which a counter determined from the frame counter of the source device is used to provide frame freshness and to prevent the replay-protection attack. For each node to which a device sends or receives secured frames, an ACL entry is created in the MAC PIB (PAN information base), containing the implicit or explicit address of the entity and the associated corresponding security material including an AES key, a frame counter for outgoing frames, and an external frame counter for incoming frames [10]. If it is explicit, it contains a key identifier. The AES symmetric key is 16 octets to secure incoming and outgoing frames; the frame counter for outgoing frames is used by a device when originating a frame; and the external frame counter for incoming frames is used by a device to verify freshness of incoming frames .This counter is increased each time when a secure frame is transmitted, but it will not roll over to ensure that the CCM∗ nonce is unique and to ensure freshness or to detect duplicates. 9.11. Other prevention techniques: One of the prevention techniques is sending a frame in which the node that is being targeted is being shut down .Other 12 the Sixth Usenix UNIX Security Symposium. [15] R. Struik, “Formal Specification of the CCM∗ Mode of Operation,” Doc. #: IEEE 1504-0537-00-004b. [16] N. Sastry and D. Wagner, (October 2004) “Security considerations for IEEE 802.15.4 networks,” in Proceedings of the ACM Workshop on Wireless Security (WiSe ’04), pp. 32–42, Philadelphia, Pa, USA. [17] L. Eschenauer and V. D. Gligor, (Nov. 2002) “A key-management scheme for distributed sensor networks,” in Proc. 9th ACM CCS, pp. 41–47. [18] J. Newsome, E. Shi, D. Song, and A. Perrig,(Apr. 2004), “The Sybil attack in sensor networks: Analysis and defenses,” in Proc. 3rd IPSN,pp. 259–268. [19] D. Liu and P. Ning,(Oct. 2003), “Establishing pairwise keys in distributed sensor networks,” in Proc. 10th ACM CCS, pp. 52– 61. [20] By Brad Bowers. (Jan 9, 2012)\ zibee wireless security:attacks against zibee. [21] Vojislav B. Mi·sic, Jun Fung, and Jelena Mi·sic, Department of Computer Science University of Manitoba Winnipeg, Manitoba, Canada R3T 2N2\ MAC Layer Attacks in 802.15.4 Sensor Networks [22] Dr.Jose.A Gutierezz ."IEEE Std.802.15.4 Enabling pervasive wireless sensor networks" References: [1] Shahin Farahani\ (2008). Zigbee wireless networks and trasceivers [2] Q. Zhang, P. Wang, D. Reeves, and P. Ning,(Jun. 2005)“Defending against Sybil attacks in sensor networks,” in Proc. 25th IEEE ICDCSW, pp. 185–191. [3] Naveen Sastry ,David Wagner. Security Considerations for IEEE 802.15.4 Networks. [4] Yang Xiao,Hsiao-Hwa Chen, Bo Sun, RuhaiWang, and Sakshi Sethi\(May 2006) MAC Security and Security Overhead Analysis in the IEEE 802.15.4Wireless Sensor Networks [5] Ed Callaway, Paul Gorday, and Lance Hester, Home Networking with IEEE 802.15.4:A Developing Standard for Low-Rate Wireless Personal Area Networks [6] Lawrence Crowther \( Spring 2011) \Exploiting ZigBee [7] J. Cache, J. Wright, V. Liu, E. Scott, B. Antoniewiecz, C. Wang and I(2010). Books24x7, Hacking Exposed Wireless. New York: McGraw-Hill Companies. [8] Gunhee Lee, Jaesung Lim (2009) An Approach Mitigating Sybil Attack in Wireless Networks using ZigBee. [9] M. Demirbas and Y. Song,(2006), “An RSSI-based scheme for Sybil attack detection in wireless sensor networks,” in Proc. Int. Workshop Adv. Experimental Activities Wireless Netw. Syst., pp. 564–570. [10] Tulin Mangir, Lelass Sarakbi, Harvy Younan Electrical Engineering Department California State University- Long Beach, CA. USA .November (2011)/ Detecting Malicious Activities in ZigBee Networks using Cognitive Radio, International Journal of Distributed and Parallel Systems (IJDPS) Vol.2, No.6, . [11] R. Struik, (2004) “Security Resolutions 802.15.4,” Doc. #: IEEE 802.15-04-0540-08. [12] Advanced Encryption Standard (AES) (Nov. 26, 2001), Federal Information Processing Standards Publication 197, U.S. Department of Commerce/N.I.S.T, Springfield, Virginia. Available at http://csrc.nist.gov/ [13] D. Whiting, R. Housley, and N. Ferguson (September 2003). Counter with cbc-mac (ccm). RFC 3610. [14] Steven M. Bellovin,(1996). Problem areas for the IP security protocols. In Proceedings of 13