Insecure trust center rejoin procedure - MAC address conflict
*Huang,Yang-Cheng , Wu,Jieh-Chian , *Lin,Hsuan-Yu ,
National Kaohsiung University of Science and Technology, *Telecom Technology Center
An issue was discovered on ASUS HG100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO.
Attackers can use the ZigBee trust center rejoin procedure to perform mutiple denial of service attacks.
The system architecture of this research attack demonstration, as shown in Figure 1, is divided into attacker and victim.
Figure 1. Architecture of the attack demonstration
Attacker:
- Laptop(Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks(2.4 GHz dongle)
- KillerBee (Research mainly modifies the KillerBee API)
- Zigdiggity
- Wireshark
Victim:
The environment of the victims is that the gateway acts as a ZigBee coordinator and is responsible for accessing the Internet, establishing a ZigBee network, and connecting to the end devices. The users obtain the messages or control of the end devices by using smart devices(e.g.:smart phone…). The victim devices of this attack demonstration use ASUS smart home devices. Their model:
- Gateway acts as ZigBee coordinator:HG100
- End device:WS-101
- End device:TS-101
- End device:AS-101
- End device:MS-101
- End device:DL-101
The attackers send the fake rejoin requests containing the different network address of the end device, but the same media access control address. After the end device sends messages during the attack, it will leave the network and rejoin. If the attackers continue to send fake packets, the end device will not be able to transmit the messages properly, as shown in Figure 2 and Figure 3.
Figure 2. Insecure Trust Center rejoin
Figure 3. Smart phone - Insecure Trust Center rejoin