IoT Goes Nuclear: Creating a ZigBee Chain Reaction

Eyal Ronen, A. Shamir, Achi-Or Weingarten, C. O'Flynn
{"title":"IoT Goes Nuclear: Creating a ZigBee Chain Reaction","authors":"Eyal Ronen, A. Shamir, Achi-Or Weingarten, C. O'Flynn","doi":"10.1109/MSP.2018.1331033","DOIUrl":null,"url":null,"abstract":"Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will rapidly spread over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes. It enables the attacker to turn all the city lights on or off, to permanently brick them, or to exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lamps in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already). To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key (for each device type) that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.","PeriodicalId":6502,"journal":{"name":"2017 IEEE Symposium on Security and Privacy (SP)","volume":"59 1","pages":"195-212"},"PeriodicalIF":0.0000,"publicationDate":"2017-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"425","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MSP.2018.1331033","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 425

Abstract

Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will rapidly spread over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes. It enables the attacker to turn all the city lights on or off, to permanently brick them, or to exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lamps in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already). To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key (for each device type) that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
物联网走向核:创建ZigBee连锁反应
在未来几年内,数十亿的物联网设备将密集地分布在我们的城市中。在本文中,我们描述了一种新型的威胁,在这种威胁中,只要兼容的物联网设备的密度超过一定的临界质量,相邻的物联网设备就会用蠕虫相互感染,这种蠕虫会迅速传播到大片地区。特别是,我们使用流行的飞利浦Hue智能灯作为平台开发并验证了这种感染。这种蠕虫只利用内置的ZigBee无线连接和它们的物理距离,直接从一盏灯跳到邻近的灯上传播。这种攻击可以通过在城市的任何地方插入一个受感染的灯泡开始,然后在几分钟内灾难性地蔓延到所有地方。它使攻击者能够打开或关闭所有的城市灯,永久地阻塞它们,或者在大规模的DDOS攻击中利用它们。为了证明所涉及的风险,我们使用渗透理论的结果来估计一个典型城市(如巴黎,其面积约为105平方公里)安装设备的临界质量:如果整个城市随机放置的智能灯少于约15,000个,连锁反应将失败,但当数量超过这个临界质量时,连锁反应将扩散到各处(几乎肯定已经超过了这个临界质量)。为了使这种攻击成为可能,我们必须找到一种方法,远程将已经安装的灯具从当前网络中拔出,并进行无线固件更新。我们通过发现和利用ZigBee Light Link协议的Touchlink部分实现中的一个主要错误来克服第一个问题,该协议应该通过近距离测试来阻止此类尝试。为了解决第二个问题,我们开发了一个新版本的侧信道攻击,以提取飞利浦用于加密和认证新固件的全局AES-CCM密钥(针对每种设备类型)。我们只使用了几百美元的现成设备,并在没有看到任何实际更新的情况下找到了这把钥匙。这再次表明,即使对于使用标准加密技术来保护主要产品的大公司来说,确保安全性是多么困难。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit An Experimental Security Analysis of an Industrial Robot Controller
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1