CVE-2019-15910

Insecure discover ZigBee network procedure

Discoverer

*Huang, Yang-Cheng; Wu, Jieh-Chian; *Lin, Hsuan-Yu

National Kaohsiung University of Science and Technology, *Telecom Technology Center

Description

An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Attackers can utilize the "discover ZigBee network procedure" to perform a denial of service attack.

ASUS smart home devices attack demonstration

1. System architecture

The system architecture of this research attack demonstration, as shown in Figure 1, is divided into attacker and victim.

Figure 1. Architecture of the attack demonstration

Attacker:
  1. Laptop (Ubuntu 16.04.3 LTS)
  2. Atmel RZ Raven USB sticks (2.4 GHz dongle)
  3. KillerBee (this research mainly modifies the KillerBee API)
  4. ZigDiggity
  5. Wireshark

Victim:

In the victim environment, the gateway acts as the ZigBee coordinator and is responsible for accessing the Internet, establishing the ZigBee network, and connecting to the end devices and the router. Users receive messages from, or control, the end devices and router through smart devices (e.g. a smartphone). The victim devices in this attack demonstration are ASUS smart home devices of the following models:

  1. Gateway (ZigBee coordinator): HG100
  2. Router: MW100
  3. End device: WS-101
  4. End device: TS-101
  5. End device: AS-101
  6. End device: MS-101
  7. End device: DL-101

2. Denial of Service Attack - Insecure discover ZigBee network procedure

The attackers send a Beacon Request packet and wait for the victim coordinator to reply with a Beacon packet, from which they obtain the ZigBee network's current personal area network identifier (PAN ID), 0x0553, and its extended personal area network identifier (extended PAN ID), 0c:ee:70:c7:5a:ee:f0:07, as shown in Figure 2.

Figure 2. ZigBee network information

The attackers then send fake Beacon packets carrying the same personal area network identifier (PAN ID) as the current ZigBee network but a different extended PAN ID. The coordinator detects a PAN ID conflict and changes its PAN ID to 0x0204, as shown in Figure 3.

Figure 3. Personal area network identifier conflicts

The end devices and router do not know that the PAN ID has changed, so they keep sending their packets to the old PAN ID, as shown in Figure 4. As long as the attackers keep sending fake Beacon packets, the end devices and router cannot deliver messages to the correct PAN ID, and users can no longer control them. Even after the attackers stop, the end devices and router cannot learn the current PAN ID within a short time.

Figure 4. End devices send the packets to the old personal area network identifier
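The two observable symptoms of this procedure, one PAN ID advertised under more than one extended PAN ID and the coordinator's own PAN ID moving from 0x0553 to 0x0204, can both be spotted by monitoring beacons on the channel. The detector below is an added example written for this page; it is not part of the original advisory, of KillerBee or of ZigDiggity. It consumes a constructed list of decoded beacon observations (the CSV layout and the extended PAN IDs used for the fake beacons are assumptions) and returns alerts for PAN ID conflicts and for a change of the trusted network's PAN ID.

```python
from collections import defaultdict

# Constructed sample of decoded IEEE 802.15.4 beacon observations, one per line:
# seq,pan_id,extended_pan_id,source_short_addr
# The layout is an assumption for this example, not any capture tool's output.
# Lines 1-2: the legitimate HG100 coordinator beacon from the advisory (PAN 0x0553).
# Lines 3-4: beacons with the same PAN ID but other extended PAN IDs (placeholders).
# Line 5: the coordinator beaconing again after its PAN ID changed to 0x0204.
SAMPLE_BEACONS = """\
1,0x0553,0c:ee:70:c7:5a:ee:f0:07,0x0000
2,0x0553,0c:ee:70:c7:5a:ee:f0:07,0x0000
3,0x0553,00:00:00:00:00:00:00:01,0x0000
4,0x0553,00:00:00:00:00:00:00:02,0x0000
5,0x0204,0c:ee:70:c7:5a:ee:f0:07,0x0000
"""


def parse_beacons(text):
    """Parse the constructed CSV into (seq, pan_id, extended_pan_id, src) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, pan, epid, src = (field.strip() for field in line.split(","))
        rows.append((int(seq), int(pan, 16), epid.lower(), int(src, 16)))
    return rows


def analyse_beacons(rows, trusted_epid):
    """Return alerts in arrival order.

    ("conflict", seq, pan_id, epid): a PAN ID already seen with another extended
        PAN ID is advertised again under a new one, i.e. the condition that makes
        the coordinator run its PAN ID conflict resolution.
    ("pan_change", seq, old_pan, new_pan): the trusted extended PAN ID starts
        beaconing on a different PAN ID, the moment devices lose the network.
    """
    epids_per_pan = defaultdict(set)
    trusted_pan = None
    alerts = []
    for seq, pan, epid, _src in rows:
        if epids_per_pan[pan] and epid not in epids_per_pan[pan]:
            alerts.append(("conflict", seq, pan, epid))
        epids_per_pan[pan].add(epid)
        if epid == trusted_epid:
            if trusted_pan is not None and pan != trusted_pan:
                alerts.append(("pan_change", seq, trusted_pan, pan))
            trusted_pan = pan
    return alerts


if __name__ == "__main__":
    for alert in analyse_beacons(parse_beacons(SAMPLE_BEACONS), "0c:ee:70:c7:5a:ee:f0:07"):
        print(alert)
```

The trusted extended PAN ID is taken from the gateway's own configuration; a single conflict alert may be a neighbouring network, but repeated conflicts followed by a pan_change on the gateway's extended PAN ID match the sequence shown in Figures 2 to 4.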