CVE-2019-15914
Insecure trust center rejoin procedure - MAC address conflict
Discoverer
Huang, Yang-Cheng and Lin, Hsuan-Yu, Telecom Technology Center
Description
An issue was discovered on Xiaomi DGNWG03LM and ZNCZ03LM devices. Attackers can abuse the ZigBee trust center rejoin procedure to perform multiple denial of service attacks.
Xiaomi smart home devices attack demonstration
1. System architecture
The system architecture of this attack demonstration, shown in Figure 1, is divided into an attacker side and a victim side.
Attacker:
- Laptop (Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks (2.4 GHz dongles)
- KillerBee (this research mainly modifies the KillerBee API)
- Zigdiggity
- Wireshark
Victim:
In the victim environment the gateway acts as the ZigBee coordinator: it provides Internet access, establishes the ZigBee network, and connects the end devices and routers. Users receive status messages from, and send control commands to, the router through smart devices (e.g. a smartphone). The victim devices in this demonstration are Xiaomi smart home devices with the following models:
- Gateway acting as ZigBee coordinator: DGNWG03LM
- Router: ZNCZ03LM
2. Denial of Service Attack - Insecure Trust Center rejoin procedure
The attackers send forged rejoin requests that carry the same media access control (IEEE) address as the ZNCZ03LM but a different network address each time. A trust center rejoin is sent without NWK-layer security, so the gateway processes these requests even though the attacker does not hold the network key, and each one conflicts with the ZNCZ03LM's real address mapping. If the attackers keep sending forged packets, the ZNCZ03LM is interfered with: the user's control of the ZNCZ03LM becomes slow or unresponsive. If the attackers use multiple attack devices, they can cause a complete denial of service, as shown in Figure 2 and Figure 3.
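As an added example (not code from the advisory, the discoverers, Xiaomi or KillerBee), the following Python models the NWK-layer Rejoin Request frames involved in this attack and a detector for the resulting MAC address conflict: it encodes an unsecured (trust center) rejoin request, parses it back, and flags an IEEE address that rejoins under more than one network address inside a time window. Everything it assumes is constructed: the victim's IEEE and network addresses, the attacker's network addresses, and the 60-second / 5-rejoin thresholds. Only the ZigBee NWK header and command payload are modelled; the 802.15.4 MAC header and FCS that the radio adds (e.g. KillerBee on an RZ Raven stick) are omitted.

```python
"""NWK-layer model of the forged trust center rejoin requests behind
CVE-2019-15914 and a detector for the MAC (IEEE) address conflict they cause.
Added example, not code from the advisory or its tools; all addresses and
thresholds are constructed values. 802.15.4 MAC header and FCS are omitted."""
import struct
from collections import defaultdict

# NWK frame-control bits (ZigBee NWK header, little-endian 16-bit field)
NWK_FRAME_TYPE_COMMAND = 0x0001   # bits 0-1: 01 = NWK command frame
NWK_PROTOCOL_VERSION_2 = 0x0008   # bits 2-5: protocol version 2
NWK_SECURITY           = 0x0200   # bit 9: NWK security (clear on a trust center rejoin)
NWK_DST_IEEE_PRESENT   = 0x0800   # bit 11: destination IEEE address present
NWK_SRC_IEEE_PRESENT   = 0x1000   # bit 12: source IEEE address present

NWK_CMD_REJOIN_REQUEST = 0x06
COORDINATOR_SHORT = 0x0000
CAPABILITY_ROUTER = 0x8E          # FFD, mains powered, RX on when idle, allocate address

VICTIM_IEEE = 0x00158D0001A2B3C4  # constructed IEEE/MAC address standing in for the ZNCZ03LM
VICTIM_SHORT = 0x1A2B             # constructed network address assigned by the gateway


def build_rejoin_request(src_short, src_ieee, seq, capability=CAPABILITY_ROUTER):
    """Encode an unsecured NWK Rejoin Request (the trust center rejoin variant).
    The security bit stays clear and the source IEEE address rides in the NWK
    header, so it can be sent without the network key. Reusing the victim's
    src_ieee with a fresh src_short is the forged packet the advisory describes."""
    fc = NWK_FRAME_TYPE_COMMAND | NWK_PROTOCOL_VERSION_2 | NWK_SRC_IEEE_PRESENT
    radius = 1
    header = struct.pack("<HHHBBQ", fc, COORDINATOR_SHORT, src_short, radius, seq, src_ieee)
    return header + bytes([NWK_CMD_REJOIN_REQUEST, capability])


def parse_nwk_command(frame):
    """Decode an unsecured, unicast NWK command frame; return None otherwise."""
    if len(frame) < 8:
        return None
    fc, dst, src, _radius, seq = struct.unpack_from("<HHHBB", frame, 0)
    if fc & 0x0003 != NWK_FRAME_TYPE_COMMAND or fc & NWK_SECURITY:
        return None                   # secured payload is unreadable without the NWK key
    offset = 8
    src_ieee = None
    if fc & NWK_DST_IEEE_PRESENT:
        offset += 8
    if fc & NWK_SRC_IEEE_PRESENT:
        (src_ieee,) = struct.unpack_from("<Q", frame, offset)
        offset += 8
    if offset >= len(frame):
        return None
    return {"dst": dst, "src": src, "seq": seq, "src_ieee": src_ieee,
            "cmd": frame[offset], "payload": frame[offset + 1:]}


class RejoinConflictDetector:
    """Alert when one IEEE address rejoins under more than one short address within
    `window` seconds (address conflict) or more than `max_rejoins` times (flood)."""

    def __init__(self, window=60.0, max_rejoins=5):
        self.window = window
        self.max_rejoins = max_rejoins
        self.history = defaultdict(list)  # ieee -> [(timestamp, short_addr), ...]

    def observe(self, ts, frame):
        cmd = parse_nwk_command(frame)
        if not cmd or cmd["cmd"] != NWK_CMD_REJOIN_REQUEST or cmd["src_ieee"] is None:
            return None
        hist = self.history[cmd["src_ieee"]]
        hist.append((ts, cmd["src"]))
        hist[:] = [(t, s) for t, s in hist if ts - t <= self.window]  # drop old entries
        shorts = sorted({s for _, s in hist})
        if len(shorts) > 1:
            return ("address-conflict", cmd["src_ieee"], shorts)
        if len(hist) > self.max_rejoins:
            return ("rejoin-flood", cmd["src_ieee"], len(hist))
        return None


def simulate_attack(n_forged=8):
    """Constructed traffic: one genuine rejoin from the victim, then n_forged
    rejoins reusing its IEEE address with a new short address each time.
    Returns the alerts the detector raises, in order."""
    det = RejoinConflictDetector()
    alerts = [det.observe(0.0, build_rejoin_request(VICTIM_SHORT, VICTIM_IEEE, seq=10))]
    for i in range(n_forged):
        forged = build_rejoin_request(0x2000 + i, VICTIM_IEEE, seq=200 + i)
        alerts.append(det.observe(0.5 * (i + 1), forged))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in simulate_attack():
        print(alert)
```

The genuine rejoin raises nothing; the first forged frame already trips "address-conflict" because the victim's IEEE address is now bound to two short addresses, and every later one keeps the alert up. A legitimate ZigBee address-conflict resolution also produces a second short address for one IEEE address, so in a real sniffer feed (KillerBee can supply the frames) the window and rejoin count should be tuned against normal rejoin rates before acting on the alert.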