CVE-2019-15914

Insecure trust center rejoin procedure - Network address conflict

Discoverer

Huang, Yang-Cheng; Lin, Hsuan-Yu; Telecom Technology Center

Description

An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, and RTCGQ01LM devices. Attackers can use the ZigBee trust center rejoin procedure to perform multiple denial of service attacks.

Xiaomi smart home devices attack demonstration

1. System architecture

The architecture of this attack demonstration, shown in Figure 1, is divided into an attacker side and a victim side.

Figure 1. Architecture of the attack demonstration

Attacker:

  1. Laptop (Ubuntu 16.04.3 LTS)
  2. Atmel RZ Raven USB sticks (2.4 GHz dongle)
  3. KillerBee (this research mainly modifies the KillerBee API)
  4. Zigdiggity
  5. Wireshark

Victim:

In the victim environment the gateway acts as the ZigBee coordinator: it establishes the ZigBee network, provides Internet access, and connects to the router. The router in turn connects to the end devices. Users receive messages from, and control, the end devices and the router through a smart device (e.g. a smartphone). The victim devices in this demonstration are Xiaomi smart home devices with the following models:

  1. Gateway acting as ZigBee coordinator: DGNWG03LM
  2. Router: ZNCZ03LM
  3. End device: MCCGQ01LM
  4. End device: WSDCGQ01LM
  5. End device: RTCGQ01LM

2. Denial of Service Attack - Insecure Trust Center rejoin procedure - Network address conflict

The attacker sends fake rejoin requests that carry the same network address as the ZNCZ03LM but a different media access control (MAC) address. If the attacker keeps sending these fake packets, the ZNCZ03LM detects a network address conflict and its network address changes. The smart home devices connected through the ZNCZ03LM are not aware of the change and keep sending their packets to the old network address, as shown in Figure 2 and Figure 3.

Figure 2. Insecure Trust Center rejoin

Figure 3. Insecure Trust Center rejoin 2
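A sniffer-side detector for the conflict signature described in section 2, added here as an example; it is not part of the original advisory nor of the KillerBee or Zigdiggity tooling. It flags a 16-bit network address that is claimed by several different IEEE (MAC) addresses in rejoin requests and reports how bursty those requests are. The input records are constructed for the example (the shape a Wireshark field export might give) and every address value is a placeholder.

```python
from collections import defaultdict

# Constructed sample records (not from the advisory): one entry per ZigBee NWK
# Rejoin Request seen over the air, as a sniffer might export them. Fields:
# capture time (s), claimed 16-bit network address, sender's 64-bit IEEE (MAC)
# address. All addresses are illustrative placeholders.
SAMPLE_REJOINS = [
    (0.00, 0x1A2B, "00:15:8d:00:00:00:00:01"),  # legitimate router rejoining
    (12.40, 0x1A2B, "00:15:8d:00:00:00:00:01"),
    (30.00, 0x1A2B, "ba:d0:00:00:00:00:00:02"),  # same NWK address, new MAC
    (30.25, 0x1A2B, "ba:d0:00:00:00:00:00:03"),
    (30.50, 0x1A2B, "ba:d0:00:00:00:00:00:04"),
    (30.75, 0x1A2B, "ba:d0:00:00:00:00:00:05"),
    (31.00, 0x3C4D, "00:15:8d:00:00:00:00:09"),  # unrelated end device, benign
]

def find_address_conflicts(records, window_s=60.0, min_distinct=2):
    """Map each 16-bit network address to the sorted IEEE addresses that claimed
    it in rejoin requests within some `window_s` sliding window, for addresses
    claimed by at least `min_distinct` IEEE addresses. A device that really
    rejoins keeps one IEEE address, so two or more is the conflict signature."""
    by_nwk = defaultdict(list)
    for ts, nwk, ieee in records:
        by_nwk[nwk].append((ts, ieee.lower()))
    conflicts = {}
    for nwk, events in by_nwk.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {ieee for ts, ieee in events[i:] if ts - t0 <= window_s}
            if len(seen) >= min_distinct:
                conflicts[nwk] = sorted(seen)
                break
    return conflicts

def rejoin_rate(records, nwk_addr, window_s=5.0):
    """Peak number of rejoin requests claiming `nwk_addr` within any `window_s`
    span; a burst is the 'keeps sending fake packets' behaviour."""
    times = sorted(ts for ts, nwk, _ in records if nwk == nwk_addr)
    peak = 0
    for i, t0 in enumerate(times):
        peak = max(peak, sum(1 for t in times[i:] if t - t0 <= window_s))
    return peak

if __name__ == "__main__":
    for nwk, ieees in find_address_conflicts(SAMPLE_REJOINS).items():
        print(f"ALERT nwk=0x{nwk:04X} claimed by {len(ieees)} IEEE addresses, "
              f"peak {rejoin_rate(SAMPLE_REJOINS, nwk)} rejoins/5s: {ieees}")
```

In a real deployment the records would be the Rejoin Request commands parsed out of a live capture; the thresholds are starting points to tune against the network's normal rejoin behaviour.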