Insecue key transport
Huang,Yang-Cheng, Lin,Hsuan-Yu , Telecom Technology Center
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages.
The security of ZigBee transmission data is mostly based on network key for data encryption, and the network key of the devices we tested that use the default trust center link key to encrypt the transmission of the network key. The default trust center link key is disclosed for years ago. We can gain sensitive information, tamper with messages, take over the smart home devices, denial of service attack when got the network key.
The system architecture of this research attack demonstration, as shown in Figure 1, is divided into attacker and victim.
Attacker:
- Laptop(Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks(2.4 GHz dongle)
- KillerBee (Research mainly modifies the KillerBee API)
- Zigdiggity
- Wireshark
Victim:
The environment of the victims is that the gateway acts as a ZigBee coordinator and is responsible for accessing the Internet, establishing a ZigBee network, and connecting to the end devices and router. The users obtain the messages or control of the end devices or router by using smart devices(e.g.:smart phone…). The victim devices of this attack demonstration use Xiaomi smart home devices. Their model:
- Gateway acts as ZigBee coordinator:DGNWG03LM
- Router:ZNCZ03LM
- End device:MCCGQ01LM
- End device:WSDCGQ01LM
- End device:RTCGQ01LM
After the attackers sniff the messages paired with the end devices or router, they can use the default trust center link key to decrypt key transport message to obtain the network key, as shown in Figure 2.
Attackers utilize the trust center rejoin procedure lead to ZNCZ03LM rejoin the ZigBee network. Attackers can use the default trust center link key decrypt message to acquire network key after they interception ZNCZ03LM rejoin network information. as shown in Figure 3.
The attackers check the security level in current ZigBee network. The message integrity code is four bytes and the data is encrypted, as shown in Figure 4, so the security level identifier is 0x05, as shown in Figure 5. After determining the security level, the attackers can make the fake messages by modifying the value of the frame counter to be greater than the current frame counter value and adding security level information to perform AES CCM* encryption. After the encryption is completed, the security level of the fake messages is changed to 0 and transmitted to the ZigBee network, which can be successfully affected, as shown in Figure 6.
The attackers send the fake encrypted packet to the coordinator. The frame counter value of the fake packet is close to the maximum value of 0xFFFFFFAA, as shown in Figure 7. Although the coordinator will still respond to the packet, the value of the frame counter transmitted by the end device or router is less than the value currently recorded by the coordinator, the packet will not be received, as shown in figure 8. The state displayed by the user's smart device on its end device or router will also not be updated.
The attackers pretend to be an end device or router to send a fake encrypted leave packet. Then the end device or router updated messages will be not to see on the user's smart device, as shown in Figure 9 and Figure 10.









