Three practical attacks against ZigBee security: Attack scenario definitions, practical experiments, countermeasures, and lessons learned
Olayemi Olawumi, Keijo Haataja, Mikko Asikainen, Niko Vidgren, Pekka J. Toivanen
Published in: 2014 14th International Conference on Hybrid Intelligent Systems (HIS 2014), December 2014
DOI: 10.1109/HIS.2014.7086198 (https://doi.org/10.1109/HIS.2014.7086198)
Citation count (Semantic Scholar): 68. Open access: no.
In this paper, three practical attacks against ZigBee security are carried out in our laboratory environment. The attack scenarios are based on utilizing several vulnerabilities found in the main security components of ZigBee technology. The first attack is based on discovering all ZigBee-enabled networks within range as well as the configurations of the corresponding ZigBee-enabled devices: this vital and fundamental basic information can be used for performing further and more severe attacks against the discovered ZigBee-enabled devices/networks. The second attack can be seen as an extension of the first attack, and thus the prerequisite for it is the successful completion of the first attack. In the second attack, an attacker eavesdrops on the unencrypted or encrypted traffic of a ZigBee-enabled network in order to obtain and utilize any sensitive/useful information. The third attack is based on replaying (re-transmitting) the captured data as if the original sender were sending the data again. To keep this attack extremely simple, straightforward, and practical, we decided to devise and implement it without having a Man-In-The-Middle (MITM) between the victim devices, since the presence of the MITM would have made the attack very difficult to implement in practice, thus giving it only a theoretical relevance. Indeed, we demonstrate with experimental figures that attacks against ZigBee-enabled devices become practical by using our three attack scenarios. In addition, countermeasures that render the attacks impractical, although not totally eliminating their potential danger, are devised. Moreover, some new ideas that will be used in our future research work are proposed.
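The two steps the abstract rests on, passive discovery of PAN IDs and device addresses from the headers ZigBee sends in the clear (the first attack), and the receiver-side frame-counter check that turns a verbatim re-transmission (the third attack) into a dropped frame, as an added Python example. This is not code from the paper or from any ZigBee stack: every frame, PAN ID, short address, the IEEE address DEV_EXT and the counter values are constructed for the example; the header layouts follow the editor's reading of IEEE 802.15.4 and the ZigBee NWK layer; the FCS is a zero placeholder rather than a computed CRC; the secured payload is left as opaque bytes (no CCM* decryption); and ReplayGuard approximates the nwkSecureAllFrames behaviour by dropping any cleartext NWK frame. The names parse_mac, parse_nwk, discover, ReplayGuard, build_frame and run_demo are this example's own.

```python
# Added illustration, not the paper's code. Parses the cleartext 802.15.4 and ZigBee NWK headers as
# a passive sniffer would (attack 1) and applies the receiver-side frame-counter check that defeats
# plain re-transmission (attack 3). Frames, PAN IDs, addresses, counters: all constructed; no CCM*.
import struct

MAC_FTYPE_DATA, MAC_SECURITY, MAC_PANID_COMPRESSION = 0x0001, 0x0008, 0x0040  # 802.15.4 FCF
MAC_DST_MODE_SHIFT, MAC_SRC_MODE_SHIFT, ADDR_NONE, ADDR_SHORT, ADDR_EXT = 10, 14, 0, 2, 3
ADDR_LEN = {ADDR_NONE: 0, ADDR_SHORT: 2, ADDR_EXT: 8}
NWK_VERSION_SHIFT, NWK_SECURITY, NWK_DST_IEEE, NWK_SRC_IEEE = 2, 0x0200, 0x0800, 0x1000  # NWK FCF
NWK_BROADCAST_MIN = 0xFFF8            # 0xFFF8..0xFFFF are NWK broadcast addresses
DEV_EXT = 0x00124B0001020304          # constructed 64-bit IEEE address used by the sample

def parse_mac(frame):
    """802.15.4 MAC header -> dict; a trailing 2-byte FCS is assumed and stripped."""
    fcf = struct.unpack_from("<H", frame, 0)[0]
    hdr = {"frame_type": fcf & 7, "mac_security": bool(fcf & MAC_SECURITY), "seq": frame[2],
           "dst_pan": None, "src_pan": None, "dst": None, "src": None}
    dst_mode, src_mode = (fcf >> MAC_DST_MODE_SHIFT) & 3, (fcf >> MAC_SRC_MODE_SHIFT) & 3
    pos = 3                                          # FCF (2) + sequence number (1)
    if dst_mode != ADDR_NONE:
        hdr["dst_pan"], n = struct.unpack_from("<H", frame, pos)[0], ADDR_LEN[dst_mode]
        hdr["dst"], pos = int.from_bytes(frame[pos + 2:pos + 2 + n], "little"), pos + 2 + n
    if src_mode != ADDR_NONE:
        if fcf & MAC_PANID_COMPRESSION:              # source PAN ID omitted: same as dest
            hdr["src_pan"] = hdr["dst_pan"]
        else:
            hdr["src_pan"], pos = struct.unpack_from("<H", frame, pos)[0], pos + 2
        n = ADDR_LEN[src_mode]
        hdr["src"], pos = int.from_bytes(frame[pos:pos + n], "little"), pos + n
    hdr["payload"] = frame[pos:-2]
    return hdr

def parse_nwk(payload):
    """ZigBee NWK header plus, when present, the auxiliary security header -> dict."""
    fcf, dst, src, radius, seq = struct.unpack_from("<HHHBB", payload, 0)
    hdr = {"nwk_security": bool(fcf & NWK_SECURITY), "dst": dst, "src": src, "radius": radius,
           "seq": seq, "frame_counter": None, "ext_src": None, "key_id": None, "key_seq": None}
    pos = 8 + (8 if fcf & NWK_DST_IEEE else 0) + (8 if fcf & NWK_SRC_IEEE else 0)  # skip IEEE addrs
    if fcf & NWK_SECURITY:
        # security control: bits 0-2 level (0 on air; the real level is the configured
        # nwkSecurityLevel), bits 3-4 key id (1 = network key), bit 5 extended nonce
        sec_ctrl, hdr["key_id"] = payload[pos], (payload[pos] >> 3) & 3
        hdr["frame_counter"], pos = struct.unpack_from("<I", payload, pos + 1)[0], pos + 5
        if sec_ctrl & 0x20:                          # extended nonce: 64-bit sender address
            hdr["ext_src"], pos = int.from_bytes(payload[pos:pos + 8], "little"), pos + 8
        if hdr["key_id"] == 1:                       # network key: key sequence number follows
            hdr["key_seq"], pos = payload[pos], pos + 1
    hdr["body"] = payload[pos:]                      # encrypted APS frame + MIC, left opaque
    return hdr

def discover(frames):
    """Per PAN ID: short addresses seen and whether NWK security is on, from cleartext headers."""
    nets = {}
    for frame in frames:
        m = parse_mac(frame)
        if m["frame_type"] != MAC_FTYPE_DATA or m["mac_security"]:
            continue
        n = parse_nwk(m["payload"])
        net = nets.setdefault(m["dst_pan"], {"devices": set(), "nwk_security": set()})
        net["devices"].update(a for a in (m["src"], m["dst"], n["src"], n["dst"])
                              if a is not None and a < NWK_BROADCAST_MIN)
        net["nwk_security"].add(n["nwk_security"])
    return nets

class ReplayGuard:
    """Receiver side: the 32-bit NWK frame counter per (PAN, sender) must strictly increase."""
    def __init__(self):
        self.last_counter = {}                       # (PAN ID, sender) -> highest counter seen
    def accept(self, frame):
        m = parse_mac(frame)
        n = parse_nwk(m["payload"])
        if not n["nwk_security"]:
            return False                             # like nwkSecureAllFrames: drop cleartext
        key = (m["dst_pan"], n["ext_src"] if n["ext_src"] is not None else n["src"])
        if n["frame_counter"] <= self.last_counter.get(key, -1):
            return False                             # verbatim replay or stale counter
        self.last_counter[key] = n["frame_counter"]
        return True

def build_frame(pan, dst, src, seq, counter=None, ext_src=None, body=b"\x11" * 12):
    """Constructed 802.15.4 data frame (FCF 0x8841) carrying a ZigBee NWK data frame; a
    counter/ext_src turns NWK security on. The FCS is a zero placeholder, not a real CRC."""
    mac_fcf = (MAC_FTYPE_DATA | MAC_PANID_COMPRESSION
               | (ADDR_SHORT << MAC_DST_MODE_SHIFT) | (ADDR_SHORT << MAC_SRC_MODE_SHIFT))
    nwk_fcf = (2 << NWK_VERSION_SHIFT) | (NWK_SECURITY if counter is not None else 0)
    aux = b""
    if counter is not None:                          # level 0 on air, network key, ext. nonce
        aux = (bytes([(1 << 3) | 0x20]) + struct.pack("<I", counter)
               + ext_src.to_bytes(8, "little") + b"\x00")
    return (struct.pack("<HBHHH", mac_fcf, seq, pan, dst, src)
            + struct.pack("<HHHBB", nwk_fcf, dst, src, 30, seq) + aux + body + b"\x00\x00")

def run_demo():
    """Two secured frames from 0x3C4D to PAN 0x1A2B's coordinator (counters 100, 101), the first
    then replayed verbatim, followed by a cleartext frame in a second PAN, 0x5E6F."""
    frames = [build_frame(0x1A2B, 0x0000, 0x3C4D, 1, counter=100, ext_src=DEV_EXT),
              build_frame(0x1A2B, 0x0000, 0x3C4D, 2, counter=101, ext_src=DEV_EXT),
              build_frame(0x5E6F, 0x0000, 0x7788, 9)]
    guard = ReplayGuard()
    return {"networks": discover(frames), "first": guard.accept(frames[0]),        # True
            "second": guard.accept(frames[1]), "replay": guard.accept(frames[0]),  # True, False
            "cleartext": guard.accept(frames[2])}                                  # False
```

run_demo() returns the discovered networks and four accept decisions; the third is the replay and comes back False because counter 100 is not above the 101 already recorded for that sender, and the fourth is False because a receiver that requires NWK security drops cleartext outright. The counter check is only worth anything when the counter is bound to the key by the frame's MIC, which is what NWK security provides: an attacker can rewrite a cleartext counter at will, and a counter that wraps at 2^32 without a key change would reuse CCM* nonces.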