Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

CVE-2019-15913

Insecue key transport

Discoverer

Huang,Yang-Cheng, Lin,Hsuan-Yu , Telecom Technology Center

Description

An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages.

The security of ZigBee transmission data is mostly based on network key for data encryption, and the network key of the devices we tested that use the default trust center link key to encrypt the transmission of the network key. The default trust center link key is disclosed for years ago. We can gain sensitive information, tamper with messages, take over the smart home devices, denial of service attack when got the network key.

Xiaomi smart home devices attack demonstration

1. System architecture

The system architecture of this research attack demonstration, as shown in Figure 1, is divided into attacker and victim.

Figure 1. Architecture of the attack demonstration

Attacker:

  1. Laptop(Ubuntu 16.04.3 LTS)
  2. Atmel RZ Raven USB sticks(2.4 GHz dongle)
  3. KillerBee (Research mainly modifies the KillerBee API)
  4. Zigdiggity
  5. Wireshark  

Victim:

The environment of the victims is that the gateway acts as a ZigBee coordinator and is responsible for accessing the Internet, establishing a ZigBee network, and connecting to the end devices and router. The users obtain the messages or control of the end devices or router by using smart devices(e.g.:smart phone…). The victim devices of this attack demonstration use Xiaomi smart home devices. Their model:

  1. Gateway acts as ZigBee coordinator:DGNWG03LM
  2. Router:ZNCZ03LM
  3. End device:MCCGQ01LM
  4. End device:WSDCGQ01LM
  5. End device:RTCGQ01LM

2. Key sniffing

2.1 Passive key sniffing

After the attackers sniff the messages paired with the end devices or router, they can use the default trust center link key to decrypt key transport message to obtain the network key, as shown in Figure 2.

Figure 2. Passive key sniffing

2.2 Active key sniffing

Attackers utilize the trust center rejoin procedure lead to ZNCZ03LM rejoin the ZigBee network. Attackers can use the default trust center link key decrypt message to acquire network key after they interception ZNCZ03LM rejoin network information. as shown in Figure 3.

Figure 3. Active key sniffing

3. Tamper with messages

The attackers check the security level in current ZigBee network. The message integrity code is four bytes and the data is encrypted, as shown in Figure 4, so the security level identifier is 0x05, as shown in Figure 5. After determining the security level, the attackers can make the fake messages by modifying the value of the frame counter to be greater than the current frame counter value and adding security level information to perform AES CCM* encryption. After the encryption is completed, the security level of the fake messages is changed to 0 and transmitted to the ZigBee network, which can be successfully affected, as shown in Figure 6.

Figure 4. Security level check

Figure 5. Security level

Figure 6. WSDCGQ01LM was tampered with messages

4. Denial of Service Attack

4.1 Maximum frame counter

The attackers send the fake encrypted packet to the coordinator. The frame counter value of the fake packet is close to the maximum value of 0xFFFFFFAA, as shown in Figure 7. Although the coordinator will still respond to the packet, the value of the frame counter transmitted by the end device or router is less than the value currently recorded by the coordinator, the packet will not be received, as shown in figure 8. The state displayed by the user's smart device on its end device or router will also not be updated.

Figure 7. Maximum frame counter - 1

Figure 8. Maximum frame counter - 2

4.2 Insecure leave network procedure

The attackers pretend to be an end device or router to send a fake encrypted leave packet. Then the end device or router updated messages will be not to see on the user's smart device, as shown in Figure 9 and Figure 10.

Figure 9. Smart phone - Insecure leave network procedure

Figure 10. Smart phone - Insecure leave network procedure