Insecure trust center rejoin procedure - Network address Conflict
*Huang, Yang-Cheng, Wu, Jieh-Chian, *Lin, Hsuan-Yu
National Kaohsiung University of Science and Technology, *Telecom Technology Center
An issue was discovered on ASUS HG100, WS-101, MW100 devices using ZigBee PRO.
Attackers can use the ZigBee trust center rejoin procedure to perform multiple denial of service attacks.
Although we only tested the WS-101 as an end device, we think that all end devices will be affected.
The system architecture of this research attack demonstration, as shown in Figure 1, is divided into the attacker and the victim.
Attacker:
- Laptop (Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks (2.4 GHz dongle)
- KillerBee (the research mainly modifies the KillerBee API)
- Zigdiggity
- Wireshark
Victim:
In the victim environment, the gateway acts as the ZigBee coordinator and is responsible for accessing the Internet, establishing the ZigBee network, and connecting to the router. The router in turn is connected to the end devices. Users obtain messages from, or control of, the end devices and the router through smart devices (e.g. a smartphone). The victim devices of this attack demonstration are ASUS smart home devices. Their models:
- Gateway acting as ZigBee coordinator: HG100
- Router: MW100
- End device: WS-101
The attackers send fake rejoin requests that carry the same network address as the MW100 but a different media access control (MAC) address. If the attackers keep sending such packets, the MW100 detects a network address conflict and changes its network address. The smart home devices connected to the MW100 do not know that the network address has changed, so they keep sending packets to the old network address, as shown in Figure 2 and Figure 3.