ZigBee Security: Basics (Part 2)

Introduction

ZigBee is considered to be a secure communication protocol. Its security architecture complements the security services provided by the IEEE 802.15.4 standard. The security services provided by ZigBee range from secure key establishment, secure key transport and frame protection via symmetric cryptography to secure device management.

However, its security features are based on certain inherent assumptions:

  • ZigBee assumes an “open trust” model; i.e., the protocol stack layers trust each other, and the layer that originates a frame is responsible for initially securing it.
  • The security services cryptographically protect the interfaces between different devices only.
  • Interfaces between different stack layers on the same device are arranged non-cryptographically.
  • The secret keys are not inadvertently revealed during key-transport. (An exception to this is during pre-configuration of a new device, in which a single key may be sent unprotected.)
  • Availability of almost perfect random number generators.
  • Availability of tamper-resistant hardware.

Keeping the assumptions in mind, this article explores the security models provided by the ZigBee standard, the various keys used for secure communication, key management methodologies suggested by ZigBee, and other inherent security mechanisms such as authentication, replay protection, etcetera.

ZigBee Security Models

The ZigBee standard supports two types of security models, shown in Figure 1 below, which differ mainly in how they admit new devices into the network and how they protect the messages on the network:

Figure 1: ZigBee Security Models

Centralized security model: is complex, but the most secure model, and involves a third logical device: the Trust center (network coordinator). The Trust center is responsible for:

  • Configuring and authenticating routers and end devices that join the network,
  • Generating network key to be used for encrypted communication across the network,
  • Periodically or as required switching to a new network key. Thus, if an attacker acquires a network key, it will have a limited lifetime before expiring,
  • Establishing a unique Trust Center link key for each device as they join the network to securely communicate with the Trust Center, and
  • Maintaining the overall security of the network.

Distributed security model: is simple, but less secure. This model supports only routers and end devices. Routers form the distributed network and are responsible for enrolling other routers and end devices. Routers issue network keys (used to encrypt messages) to newly joined routers and end-devices. All the nodes in the network use the same network key for encrypting messages. Also, all nodes are pre-configured with a link key (used to encrypt the network key) prior to being enrolled in the network.

ZigBee Security Keys

There are three types of symmetric keys (each of length 128-bit) used in the ZigBee standard.

Network key: is used in broadcast communication and applied by NWK and APL of ZigBee. Each node requires the network key in order to communicate securely with other devices on the network. The trust center generates the network key and distributes it to all the devices on the network. A device on the network acquires a network key via key-transport (used to protect transported network keys) or pre-installation. There are two different types of network keys: standard (sending network key in the open), and high-security (network key is encrypted). The type of network key controls how a network key is distributed; and may control how network frame counters are initialized. But, the type does not affect how messages are secured.

Link key: is used in unicast communication and applied by the APS of the ZigBee stack. A device acquires link keys either via key-transport (key-load key is used to protect transported link keys), key-establishment (based on the “master” key and other network parameters), or pre-installation (for example, during factory installation). Usually, link keys related to the Trust Center are pre-configured using an out-of-band method, for instance, QR code in the packaging, whereas the link keys between nodes are generated by the Trust Center and encrypted with the network key before sending it to the node.

ZigBee defines two types of link keys: global and unique. A unique link key can in turn be of two types: the trust center link key, which is established between the trust center and the device, and the application link key, which is established between two devices in the network other than the trust center. The type of link key determines how the device handles various trust center messages (APS commands), including whether to apply APS encryption or not.

Furthermore, each node may also have the following pre-configured link keys which would be used to derive a Trust Center link key (derivation is done by means of Certificate-Based Key Establishment protocol (if SE security is enabled), APS request key method, Touchlink commissioning, or by using Matyas-Meyer-Oseas hash function):

  • A default global trust center link key defined by the ZigBee Alliance. It has a default value of 5A 69 67 42 65 65 41 6C 6C 69 61 6E 63 65 30 39 (ZigBeeAlliance09) and is used or supported by the device if no other link key is specified by the application at the time of joining.
  • A distributed security global link key, a manufacturer specific key used for interaction between devices from the same manufacturer.
  • Install code is a preconfigured link key. All ZigBee devices can contain a unique install code, a random 128-bit number protected by a 16-bit cyclic redundancy check (CRC). The Trust Center may require that each new device use a unique install code to join a centralized security network, and the install code must match a code previously entered into the Trust Center out-of-band (e.g., via a QR code). Once the install code is verified, the joining device and the Trust Center derive a unique 128-bit Trust Center Link Key from the install code using the Matyas-Meyer-Oseas (MMO) hash function.
  • Touchlink preconfigured link key.

Master key: forms the basis for long-term security between two devices and is used only by the APS. Its function is to keep the link key exchange between two nodes in the Symmetric-Key Key Establishment protocol (SKKE) confidential. A device acquires a master key via key-transport (key-load key is used to protect transported master keys), pre-installation or user-entered data such as PIN or password.

Key management

One characteristic aspect of ZigBee is that, as mentioned above, it has a variety of key management mechanisms:

Pre-installation:  The manufacturer installs the key into the device itself. The user can select one of the installed keys by using a series of jumpers in the device (in devices where more than one key is preinstalled).

Key establishment: This is a local method of generating link keys based on the master key. Different security services of the ZigBee Network use a key derived from a one-way function (with link key as the input) to avoid security leaks due to unwanted interactions between the services. The use of uncorrelated keys ensures logical separation of the execution of different security protocols. This key-establishment is based on the SKKE (Symmetric-Key Key Establishment) protocol. The devices involved in communication must be in possession of the master key, which may have been obtained through pre-installation or key transport or user-input.

Key transport: The network device makes a request to the Trust Centre for a key to be sent to it. This method is valid for requesting any of the three types of key in commercial mode, whereas, in residential mode, the Trust Centre holds only the network key. The key-load key is used by the Trust Center to protect the transport of the master key.

Additionally, in the centralized model, keys can be distributed using Certificate-Based Key Establishment protocol (CBKE). CBKE provides a mechanism to negotiate symmetric keys with the Trust Center based on a certificate stored in both devices at manufacturing time and signed by a Certificate Authority (CA).

ZigBee Stack Security Measures

IEEE 802.15.4 provides robustness against interference from other networks and uses AES (Advanced Encryption Standard) with a 128-bit key length (16 Bytes) for:

  • Data security – performed by encrypting the data payload and
  • Data Integrity – achieved using a Message Integrity Code (MIC) or Message Authentication Code (MAC), which is appended to the message to be sent. This code ensures the integrity of the MAC header and the attached payload data. It is created by encrypting parts of the IEEE MAC frame using the 128-bit key.

In IEEE 802.15.4 MAC frame, the Auxiliary Security Header is only enabled if the Security Enabled subfield of the Frame Control Field is turned on. This special header has 3 fields:

  • Security Control specifies the type of protection provided by the network. It is the place where the global Security Policy is set. The choice of security level determines the length of the key and what is to be encrypted; i.e., each security level provides a certain degree of frame encryption and integrity checks. ZigBee defines 8 different security levels available to the NWK and APS layers, as summarized in Figure-2 below.
| Security Level Identifier | Security Attributes | Data Encryption | Frame Integrity (length of MIC) |
|---|---|---|---|
| 0x00 | None | OFF | NO (M = 0) |
| 0x01 | MIC-32 | OFF | YES (M = 4) |
| 0x02 | MIC-64 | OFF | YES (M = 8) |
| 0x03 | MIC-128 | OFF | YES (M = 16) |
| 0x04 | ENC | ON | NO (M = 0) |
| 0x05 | ENC-MIC-32 | ON | YES (M = 4) |
| 0x06 | ENC-MIC-64 | ON | YES (M = 8) |
| 0x07 | ENC-MIC-128 | ON | YES (M = 16) |

Figure-2: ZigBee Security Levels

  • Frame Counter is a counter given by the source of the current frame in order to protect the message against replay.
  • Key Identifier specifies the information needed to know the type of key used by the node for communication.

IEEE 802.15.4 security materials such as keys, frame counts, and security level are stored in an access control list (ACL). The ACL is used to prevent unauthorized devices from participating in the network. The ACL is stored in the MAC PAN Information Base (PIB) and is accessed and modified like other MAC attributes. Each ACL entry stores the address of the node to communicate with, the Security Suite (AES-CTR, AES-CCM-64, AES-CCM-128, etc.), the Key (the 128-bit key used in the AES algorithm), the Last Initial Vector (IV) and the Replay Counter. The Last IV is used by the source and the Replay Counter by the destination as a message ID to avoid replay attacks.

Despite these security measures, IEEE 802.15.4 does not specify how the keys have to be managed or the type of authentication policies to be applied. These issues are managed by ZigBee. The ZigBee standard supports the following optional security services:

Encryption/decryption: ZigBee frames can be optionally protected with the security suite AES-CCM* to provide data confidentiality, data authentication and data integrity. AES-CCM* is a minor variation of AES (Advanced Encryption Standard) with a modified CCM mode (Counter with CBC-MAC).

Figure-3 below shows the role of AES-CCM* in data authentication and confidentiality. On the transmitter side, the plaintext in the form of 128-bit blocks of data enters the AES-CCM*. The responsibility of the AES-CCM* is to encrypt the data and generate an associated MIC, which is sent to the receiver along with the frame. The receiver uses the AES-CCM* to decrypt the data and generate its own MIC from the received frame to be compared with the received MIC (data integrity). A MIC provides stronger assurance of authenticity compared to the CRC. The MIC generated by the CCM* detects intentional and unauthorized modifications of the data as well as accidental errors.

CCM* is referred to as a generic mode of operation that combines data encryption, data authentication and data integrity. CCM* also offers encryption-only and integrity-only capabilities, as shown in Figure-2 above. The nonce used in the process is a 13-octet string constructed using the security control, the frame counter, and the source address fields of the auxiliary header. The size of the MIC can be 32 bits, 64 bits, or 128 bits.

Figure-3: Role of AES-CCM* in data authentication and confidentiality
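
The security levels of Figure-2 and the 13-octet nonce described above, as an added example (not code from the original article). It assumes the ZigBee auxiliary header layout (1-octet security control, 4-octet little-endian frame counter, optional 8-octet source address, optional key sequence number), a nonce ordered as source address, frame counter, security control, and that the security level bits are zeroed on air and restored from the network-wide level; the function names and the sample header bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Figure-2 as code: bit 2 of the level turns encryption on, bits 0-1 pick the MIC size.
LEVEL_NAMES = ["None", "MIC-32", "MIC-64", "MIC-128",
               "ENC", "ENC-MIC-32", "ENC-MIC-64", "ENC-MIC-128"]
KEY_IDS = {0: "link key", 1: "network key", 2: "key-transport key", 3: "key-load key"}


def level_attributes(level: int):
    """Return (name, data encrypted?, MIC length M in octets) for a security level."""
    if not 0 <= level <= 7:
        raise ValueError("security level is a 3-bit value")
    mic_len = 0 if level & 0x03 == 0 else 2 << (level & 0x03)
    return LEVEL_NAMES[level], bool(level & 0x04), mic_len


@dataclass
class AuxHeader:
    security_control: int            # with the security level restored
    frame_counter: int
    source_address: Optional[bytes]  # 8 octets in on-air byte order, if present
    key_seq: Optional[int]           # only present when the network key is used
    length: int                      # octets consumed from the buffer

    @property
    def level(self) -> int:
        return self.security_control & 0x07

    @property
    def key_type(self) -> str:
        return KEY_IDS[(self.security_control >> 3) & 0x03]


def parse_aux_header(buf: bytes, network_level: int = 5) -> AuxHeader:
    """Parse a ZigBee auxiliary security header (assumed layout, see lead-in)."""
    if len(buf) < 5:
        raise ValueError("truncated auxiliary header")
    control, counter = struct.unpack_from("<BI", buf, 0)
    # Assumption: the level bits are zero on air, so substitute the network's level.
    control = (control & 0xF8) | (network_level & 0x07)
    offset, source, key_seq = 5, None, None
    if control & 0x20:                      # extended nonce: source address follows
        source = buf[offset:offset + 8]
        if len(source) != 8:
            raise ValueError("truncated source address")
        offset += 8
    if (control >> 3) & 0x03 == 1:          # network key: key sequence number follows
        if len(buf) <= offset:
            raise ValueError("missing key sequence number")
        key_seq = buf[offset]
        offset += 1
    return AuxHeader(control, counter, source, key_seq, offset)


def ccm_star_nonce(hdr: AuxHeader, fallback_source: Optional[bytes] = None) -> bytes:
    """13-octet nonce: source address (8) + frame counter (4) + security control (1)."""
    source = hdr.source_address or fallback_source
    if source is None or len(source) != 8:
        raise ValueError("an 8-octet source address is required")
    return source + struct.pack("<IB", hdr.frame_counter, hdr.security_control)


# Constructed sample: control 0x28 (network key, extended nonce, level zeroed),
# frame counter 0x1234, a made-up 64-bit source address, key sequence number 0.
SAMPLE = bytes.fromhex("28" "34120000" "04030201004b1200" "00")

if __name__ == "__main__":
    hdr = parse_aux_header(SAMPLE, network_level=5)
    print(level_attributes(hdr.level), hdr.key_type, ccm_star_nonce(hdr).hex())
```

Because the nonce is derived from the source address and frame counter, a sender that reuses a counter value under the same key also reuses the nonce, which is why the counter handling described under Replay Protection matters for confidentiality as well as freshness.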

Replay Protection: Each node in the ZigBee network contains a 32-bit frame counter that is incremented at every packet transmission. Each node also tracks the previous 32-bit frame counter of each device (node) that it is connected to. If a node receives a packet from a neighboring node with the same or lesser frame counter value than it had previously received, the packet is dropped. This mechanism enables replay protection by tracking packets and dropping them if they were already received by the node. The maximum value that a frame counter can take is 0xFFFFFFFF; once the maximum value is reached, no transmission can be made. The only time the frame counter is reset to 0 is when the network key is updated.
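
The counter rules above as an added example (not code from the original article), run over a constructed trace of received frames. The class and function names are hypothetical, and discarding the per-neighbour counters on a network key update is a modelling assumption that follows from the counters restarting at zero.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_COUNTER = 0xFFFFFFFF


@dataclass
class ReplayGuard:
    """Frame-counter state for one node: its own counter plus one per neighbour."""
    out_counter: int = 0
    last_seen: Dict[str, int] = field(default_factory=dict)

    def next_outgoing(self) -> int:
        # At the maximum value no further frame may be sent until the key changes.
        if self.out_counter >= MAX_COUNTER:
            raise RuntimeError("frame counter exhausted: network key update required")
        value = self.out_counter
        self.out_counter += 1
        return value

    def accept(self, source: str, counter: int) -> bool:
        """Return True for a fresh frame, False for one that must be dropped."""
        if not 0 <= counter <= MAX_COUNTER:
            return False
        last = self.last_seen.get(source)
        if last is not None and counter <= last:   # same or lesser value: replay
            return False
        self.last_seen[source] = counter
        return True

    def network_key_updated(self) -> None:
        # Assumption: counters recorded under the old key are discarded, otherwise
        # every neighbour restarting at 0 would be treated as a replay.
        self.out_counter = 0
        self.last_seen.clear()


Event = Tuple[str, Optional[str], Optional[int]]

# Constructed trace: (event, neighbour short address, received frame counter).
TRACE: List[Event] = [
    ("rx", "0x1A2B", 100),
    ("rx", "0x1A2B", 101),
    ("rx", "0x1A2B", 100),   # captured frame sent again
    ("rx", "0x1A2B", 101),   # duplicate of the latest frame
    ("rx", "0x3C4D", 7),     # different neighbour, tracked separately
    ("rekey", None, None),   # Trust Center switched the network key
    ("rx", "0x1A2B", 0),     # counters restart under the new key
    ("rx", "0x1A2B", 0),
]


def run_trace(trace: List[Event], guard: Optional[ReplayGuard] = None) -> List[str]:
    """Apply each event to the guard and return the verdict for every entry."""
    guard = ReplayGuard() if guard is None else guard
    verdicts = []
    for kind, source, counter in trace:
        if kind == "rekey":
            guard.network_key_updated()
            verdicts.append("rekey")
        else:
            verdicts.append("accept" if guard.accept(source, counter) else "drop")
    return verdicts


if __name__ == "__main__":
    for event, verdict in zip(TRACE, run_trace(TRACE)):
        print(event, "->", verdict)
```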

Device Authentication: The ZigBee standard supports both device authentication and data authentication. Device authentication is the act of confirming a new device that joins the network as authentic. The new device must be able to receive a network key and set proper attributes within a given time to be considered authenticated. Device authentication is performed by the trust center. The authentication procedure is different in residential and commercial modes.

In residential mode, if the new device that joins the network does not have a network key, the trust center sends the network key over an unprotected link, which causes a moment of vulnerability. If the new device already has the network key, it must wait to receive a dummy (all-zero) network key from the trust center as part of authentication procedure. The new device does not know the address of the trust center and uses the source address of this received message to set the trust center address. The joining device is then considered authenticated for residential mode.

In commercial mode, in contrast, the trust center never sends the network key to the new device over an unprotected link. But the master key may be sent unsecured in commercial mode if the new device does not have a shared master key with the trust center. After the new device receives the master key, the trust center and the new device start the key establishment protocol (SKKE). The new device has a limited time to establish a link key with the trust center. If the new device cannot complete the key establishment before the end of the timeout period, the new device must leave the network and retry the association and authentication procedure again. When the new link key is confirmed, the trust center will send the network key to the new device over a secured connection. The joining device is now considered authenticated for commercial mode.

Furthermore, ZigBee also supports device-unique authentication at joining, such as Touchlink commissioning, which is an easy-to-use proximity mechanism for commissioning a device into a network. This method works by the Touchlink ‘initiator’ determining the proximity of the target device (to be commissioned) and negotiating/transferring network parameters.

Secure over-the-air (OTA) firmware upgrades: OTA updates allow a manufacturer to add new features, fix defects in its product, and apply security patches as new threats are identified. However, OTA updates also represent a potential security vulnerability if the protocol does not provide ample protections, or the device manufacturer does not use all available safeguards. ZigBee devices and associated silicon platforms provide multi-layered security to update devices in the field and assure that updated code images have not been modified maliciously:

  • First, the ZigBee standard provides a method to encrypt all image transfers over the air with a unique key.
  • Second, the standard provides a method to sign the OTA image with another unique key.
  • Third, the image may be encrypted during manufacturing so that only the end product contains the key to decrypt it.
  • Finally, the image may be stored in on-chip memory that is configured with the debug read-back feature disabled, preventing reverse engineering with standard debug tools, which is a common vulnerability of other solutions.

During an OTA upgrade, once a device receives an encrypted image, its secure bootloader decrypts the image, validates the signature, and then updates the device. Furthermore, the bootloader checks the validity of the active image each time the device boots. If the image is invalid, the bootloader prevents it from updating and returns to using the previous known good image. Thus, image corruption will be quickly detected and the system operator can take action.

Logical link-based encryption: Another key security tool is the ability to create an application-level secured link between a pair of devices in the network. This is managed by establishing a unique set of AES-128 encryption keys between a pair of devices. This allows logical, secured links between any two devices in the network, thus supporting “virtual private links” between a pair of devices in a network with many others. This measure limits the ability of an attacker that acquires the network key to intercept or inject messages that other devices would act upon.

Runtime key updates: Periodically or when required, the trust center takes the initiative to change the network key. The Trust center generates a new network key and distributes it throughout the network by encrypting it with the old network key. All devices continue to retain the old network key for a short period of time after the update, until every device on the network has switched to the new network key. Also, on receiving the new network key, the devices initialize their frame counter to zero.

Network interference protection: In low-cost ZigBee nodes, a band-select filter to protect the network from interference might not even be an option because of cost or node size limitations. However, basic properties of IEEE 802.15.4 and ZigBee networks such as low RF transmission power, low duty cycle, and the CSMA/CA channel access mechanism help reduce the effect of the presence of a ZigBee wireless network on other nearby systems and vice-versa. There are two approaches to improving the coexistence performance of ZigBee networks: collaborative and non-collaborative.

In collaborative methods, certain operations of the ZigBee network and the other network (e.g., an IEEE 802.11b/g network) are managed together. Every time one network is active, the other network stays inactive to avoid packet collisions. In this method, there must be a communication link between the ZigBee network and the other network to implement and manage the collaboration.

The non-collaborative methods are the procedures any ZigBee network can follow to improve its coexistence performance without any knowledge regarding the operating mechanism of the nearby interfering wireless devices. This method is based on detecting and estimating interferences and avoiding them whenever possible. Some of the non-collaborative methods that can be used in ZigBee wireless networking include:

  • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
  • Signal spreading: a spreading method such as DSSS allows the desired signal to have the advantage of processing gain over any interferer that resides in the same frequency band. Therefore, signal spreading generally improves the robustness of a network against interferers.
  • Dynamic RF output power control: adjust the RF output power of the transmitter based on the channel condition and the distance between the nodes. Reducing the transmitter output power decreases the interference with other nearby wireless devices, but the recipient of the signal becomes more susceptible to interference.
  • Mesh networking and location-aware routing: if a certain router node in the network is constantly in the presence of strong interferers that cause frequent failure in packet delivery to the next hop, a mesh network may have the option of selecting an alternative path to carry the message to the final destination and avoid the router located close to a major source of interference. This is sometimes referred to as path diversity. In location-aware routing, the information regarding the areas of possible high interference, if known, can be taken into account in calculating link-cost functions. In this way, the packet traffic flow is directed away from the high-interference areas whenever possible. But the interferers still affect the transmissions initiated by, or intended for, the nodes within the high-interference areas.
  • Frequency channel selection: changing the frequency channel when the energy of the interferer signal in the desired channel is unacceptable can be a simple way of addressing the interference problem. ZigBee provides a frequency agility capability that allows the entire network to change channels in the face of interference. If the frequencies of operation and bandwidths of the interfering signals in the nearby networks are known, the frequency channel of the ZigBee network can be selected accordingly to minimize the effect of interfering signals. This is referred to as channel alignment.
  • Adaptive packet length selection: the packet length is chosen based on channel condition. Reducing the size of the packet is normally considered a way of improving the packet error rate (PER) in the presence of interferers. Generally speaking, a smaller packet has a better chance of reaching the destination before an interferer appears in the same frequency channel. However, some experiments have shown that reducing the packet length does not always result in better PER performance.

Conclusion

Even though ZigBee was designed with security in mind, there have been trade-offs made to keep the devices low-cost, low-energy and highly compatible. It allows re-use of the same keying material among different layers on the same device and it allows end-to-end security to be realized on a device-to-device basis rather than between pairs of particular layers (or even pairs of applications) on two communicating devices. Also, for interoperability of devices, ZigBee uses the same security level for all devices on a given network and all layers of a device.  Nonetheless, these measures inevitably lead to security risks. Hence, the burden lies with the developer to address these issues and include policies to detect and handle errors, loss of key synchronization, periodically update keys, etc.

While this article explored the basic security features provided by ZigBee, the next article, ZigBee Security: Pen-testing (Part 1), explores the various attacks that could be performed on a ZigBee-enabled device and the tools that could be used to perform the assessment.
