CVE-2019-15911
Insecue key transport
Discoverer
*Huang,Yang-Cheng , Wu,Jieh-Chian , *Lin,Hsuan-Yu ,
National Kaohsiung University of Science and Technology, *Telecom Technology Center
Description
An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO.
Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause the multiple denial of service attacks, take over smart home devices, and tamper with messages.
The security of ZigBee transmission data is mostly based on network key for data encryption, and the network key of the devices we tested that use the default trust center link key to encrypt the transmission of the network key. The default trust center link key is disclosed for years ago. We can gain sensitive information, tamper with messages, take over the smart home devices, denial of service attack when got the network key.
ASUS smart home devices attack demonstration
1. System architecture
The system architecture of this research attack demonstration, as shown in Figure 1, is divided into attacker and victim.
Attacker:- Laptop(Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks(2.4 GHz dongle)
- KillerBee (Research mainly modifies the KillerBee API)
- Zigdiggity
- Wireshark
Victim:
The environment of the victims is that the gateway acts as a ZigBee coordinator and is responsible for accessing the Internet, establishing a ZigBee network, and connecting to the end devices and router. The users obtain the messages or control of the end devices or router by using smart devices(e.g. smart phone…). The victim devices of this attack demonstration use ASUS smart home devices. Their model:
- Gateway acts as ZigBee coordinator:HG100
- Router:MW100
- End device:WS-101
- End device:TS-101
- End device:AS-101
- End device:MS-101
- End device:DL-101
2. Key sniffing
2.1 Passive key sniffing
After the attackers sniff the messages paired with the end devices or router, they can use the default trust center link key to decrypt key transport message to obtain the network key, as shown in Figure 2.
2.2 Active key sniffing
The attackers send the fake rejoin requests of the end device or router. After the end device or router sends messages during the attack, it will be to rejoin the network. After the attackers sniff the rejoin network messages with the end device or router, they can use the default trust center link key to decrypt key transport message to obtain the network key, as shown in Figure 3.
3. Tamper with messages
The attackers check the security level in current ZigBee network. The message integrity code is four bytes and the data is encrypted, as shown in Figure 4, so the security level identifier is 0x05, as shown in Figure 5. After determining the security level, the attackers can make the fake messages by modifying the value of the frame counter to be greater than the current frame counter value and adding security level information to perform AES CCM* encryption. After the encryption is completed, the security level of the fake messages is changed to 0 and transmitted to the ZigBee network, which can be successfully affected, as shown in Figure 6 and Figure 7.
All devices were be affected that we test, except the DL-101 (door lock) it’s not real-time reacted, but if we keep sending messages to the DL-101 that it’s still reacted within 1 minute. So we still can control the door lock open or close. Or just change the state of the app.
We test another architecture, as shown in Figure 8. We send the fake messages to router forward to the door lock, it can real-time reacted.
4. Denial of Service Attack
4.1 Maximum frame counter
The attackers send the fake encrypted packet to the coordinator. The frame counter value of the fake packet is close to the maximum value of 0xFFFFFFAA, as shown in Figure 9. Although the coordinator will still respond to the packet, the value of the frame counter transmitted by the end device or router is less than the value currently recorded by the coordinator, the packet will not be received, as shown in figure 10. The state displayed by the user's smart device on its end device or router will also not be updated. Users don't control DL-101 or MW100 open or close with the smart devices, but the smart device still changes his state when the coordinator is not received DL-101 or MW100 state.
4.2 Insecure leave network procedure
The attackers send the fake encrypted leave packet that requires the coordinator leaves the network. After the coordinator receives it, it will broadcast leave the current network. If the other end devices or router transmit messages to the coordinator, it will be no response, as shown in Figure 11. When the attackers success attack, the coordinator must be restart the recovery state.










