Honey, I'm Home!! Hacking Z-Wave Home Automation Systems
Behrang Fouladi, SensePost UK
Sahand Ghanoun
Home Automation
Central Control
Entry Control
Smart Appliances
Home Entertainment System
Lighting
Home Security
CCTV
Sensors
HVAC
Image: Family Guy, Fox Broadcasting Company
Convenience
Accessibility
Security
Energy Management
Remote Monitoring & Control
5 million Z-Wave devices to be shipped in 2013
How Does It Work?
Home automation transports and their link security:
Wireless: AES-128, WPA/WPA2, E0
Power Line: Proprietary
Dual Band: AES-128
Door Lock
Door/Window Sensor
Motion Sensor
Siren
Related work:
Exploitation Framework, Joshua Wright, 2009
Zigbee Wardriving Kit, Travis Goodspeed, 2012
Pen Testing Over Power Lines, Dave Kennedy and Rob Simon, 2011
Why Z-Wave?
According to Z-Wave Alliance…
80% of US home security market is Z-Wave
2012 NAHB survey shows…
Wireless home security tops homeowners’ wishlist
Proprietary protocol
No public research so far...
Z-Wave Protocol Stack
Physical: 868.42 (EU) / 908.42 (US) MHz, 9.6/40/100 kbps
Transport: Error detection & retransmission, acknowledgment
Network: 32-bit Home ID, 8-bit Node ID; mesh network, topology discovery, automatic healing
Application: Device-specific commands & parameters
Security: Encryption, anti-replay and MAC
RF Configurations
Modulation: FSK
Data rate: 9.6/40 kbps
Frequency: 868.42/868.40 MHz (EU)
Deviation: ±20 kHz
Encoding: Manchester/NRZ
Texas Instruments CC1110
Sub-1 GHz RF transceiver SoC
Supports Z-Wave configurations
Communication via serial
SmartRF Studio tool
ITU-T Rec. G.9959
We identified inconsistencies with the actual implementation!
Z-Wave Frame Format
PHY Frame
Singlecast MAC Frame
Application Frame
Z-Force
Packet needed to do network discovery
I Like to Move It!!
Live Demo
Z-Wave Security
Encryption: AES-OFB
Message freshness: 64-bit nonce
Data authentication: AES-CBC-MAC
128-bit random network key: Kn
Custom key establishment protocol
128-bit cipher & MAC keys: derived from Kn
Custom Key Establishment Protocol
Controller -> Device: Get ready for key establishment
Device -> Controller: Ready
Controller -> Device: Nonce request
Device -> Controller: Nonce value
Controller -> Device: Encrypted network key Kn (encrypt & MAC by K0)
Device -> Controller: Nonce request
Controller -> Device: Nonce value
Device -> Controller: Encrypted message, new key is set (encrypt & MAC by Kn)
Protocol Vulnerabilities
Passive attack:
Intercept and decrypt the "set key" message
Happens at system installation time in "low power transmission" mode
With "whom" is the key being established?
With someone who knows...
...the temporary key value and...
...the key derivation functions
$K_0 = \text{byte}[16]\{0\}$
$K_c = \text{AES-ECB}_{K_n}(\text{Passwd}_c)$
$K_m = \text{AES-ECB}_{K_n}(\text{Passwd}_m)$
$C = \text{AES-OFB}_{K_c}(IV, P)$
$MAC = \text{AES-CBCMAC}_{K_m}(IV,\ SH \,\|\, SRC \,\|\, DST \,\|\, LEN \,\|\, C)$
Unauthorized Key Reset Attack?
Honey, I'm Home!!
Live Demo
Image from boratmakeglorioustributeactto.com
Hmm... Now What?
Critical vulnerability... needs an urgent fix!
Short-term fix (OTA): check current key state before it's set
Actual fix (next gen): public key cryptography and authentication
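Added example, not the authors' Z-Force tool and not Z-Wave vendor code: a Python model of the slide formulas and of the unauthorized key reset. It implements K0, the Kc/Km derivation, AES-OFB encryption and AES-CBC-MAC authentication on top of a compact encrypt-only AES-128 (ECB, OFB and CBC-MAC only need the forward cipher), then replays the key-establishment exchange against a toy door lock twice: once as a device that accepts a "set key" message protected by the public temporary key K0 at any time (the vulnerability), and once with the short-term fix, which checks the current key state first. The Passwd_c/Passwd_m constants, the IV layout (sender nonce || receiver nonce), zero padding and 8-byte MAC truncation, the security header byte, the command ids and the node ids are assumptions marked ASSUMED in the code; the slides give only the formulas.

```python
# Added example, not the authors' Z-Force code: the slide formulas plus a toy lock
# that shows the unauthorized key reset and the fix. ASSUMED = not on the slides.
import os

def _build_sbox():  # Rijndael S-box from the GF(2^8) inverse and affine map
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):                                   # 3 generates GF(2^8)*
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF             # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF; q ^= 9 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # q = 1/p; rotate-xor
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
_xt = lambda a: ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1     # GF(2^8) * 2
def _round_keys(key):  # AES-128 key schedule, 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xt(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_encrypt_block(key, block):  # forward AES-128 on one 16-byte block
    rk, s = _round_keys(key), [b ^ k for b, k in zip(block, key)]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                       # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]             # ShiftRows
        if rnd < 10:                                                   # MixColumns
            s = [s[c + j] ^ s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3]
                 ^ _xt(s[c + j] ^ s[c + (j + 1) % 4])
                 for c in range(0, 16, 4) for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                        # AddRoundKey
    return bytes(s)

K0 = bytes(16)                                                # temporary key byte[16]{0}
PASSWD_C, PASSWD_M = bytes([0xAA] * 16), bytes([0x55] * 16)  # ASSUMED KDF inputs
SH, CMD_KEY_SET, CMD_LOCK_SET = 0x81, 0x06, 0x01             # ASSUMED header/command ids
def derive_keys(kn):  # Kc = AES-ECB_Kn(Passwd_c), Km = AES-ECB_Kn(Passwd_m)
    return aes_encrypt_block(kn, PASSWD_C), aes_encrypt_block(kn, PASSWD_M)

def aes_ofb(kc, iv, data):  # C = AES-OFB_Kc(IV, P); the same call decrypts
    out, blk = b"", iv
    for i in range(0, len(data), 16):
        blk = aes_encrypt_block(kc, blk)
        out += bytes(d ^ k for d, k in zip(data[i:i + 16], blk))
    return out

def aes_cbc_mac(km, iv, data):  # MAC = AES-CBCMAC_Km(IV, data); ASSUMED 0-pad, 8-byte tag
    st, data = aes_encrypt_block(km, iv), data + bytes(-len(data) % 16)
    for i in range(0, len(data), 16):
        st = aes_encrypt_block(km, bytes(a ^ b for a, b in zip(st, data[i:i + 16])))
    return st[:8]

def encapsulate(kn, src, dst, receiver_nonce, plaintext):  # sender side
    kc, km = derive_keys(kn)
    iv = os.urandom(8) + receiver_nonce       # IV = sender nonce || receiver nonce (ASSUMED)
    c = aes_ofb(kc, iv, plaintext)
    mac = aes_cbc_mac(km, iv, bytes([SH, src, dst, len(c)]) + c)   # SH||SRC||DST||LEN||C
    return {"src": src, "dst": dst, "nonce": iv[:8], "c": c, "mac": mac}
def open_frame(kn, frame, receiver_nonce):  # receiver side: verify MAC, then decrypt
    kc, km = derive_keys(kn)
    iv = frame["nonce"] + receiver_nonce
    hdr = bytes([SH, frame["src"], frame["dst"], len(frame["c"])])
    ok = aes_cbc_mac(km, iv, hdr + frame["c"]) == frame["mac"]
    return aes_ofb(kc, iv, frame["c"]) if ok else None

class DoorLock:  # vulnerable=True: K0 key set accepted any time; False: fix applied
    def __init__(self, node_id, vulnerable):
        self.node_id, self.vulnerable = node_id, vulnerable
        self.kn, self.locked, self.pending = None, True, None
    def nonce_report(self):
        self.pending = os.urandom(8)                      # fresh 64-bit nonce
        return self.pending
    def receive(self, frame):
        nonce, self.pending = self.pending, None          # single use: anti-replay
        if nonce is None or frame["dst"] != self.node_id:
            return "dropped"
        pt = open_frame(K0, frame, nonce)                 # key-set frames use K0
        if pt and pt[0] == CMD_KEY_SET:
            if self.kn is not None and not self.vulnerable:
                return "key already set"                  # the short-term fix
            self.kn = pt[1:17]
            return "key set"
        pt = open_frame(self.kn, frame, nonce) if self.kn else None
        if not pt:
            return "bad mac"
        if pt[0] == CMD_LOCK_SET:
            self.locked = bool(pt[1])
        return "locked" if self.locked else "unlocked"

def run_scenario(vulnerable):  # legitimate install, then an attacker knowing only K0
    lock, kn, k_evil = DoorLock(0x05, vulnerable), os.urandom(16), os.urandom(16)
    send = lambda key, src, pt: lock.receive(encapsulate(key, src, 0x05, lock.nonce_report(), pt))
    return {"install": send(K0, 0x01, bytes([CMD_KEY_SET]) + kn),       # controller
            "rekey": send(K0, 0x07, bytes([CMD_KEY_SET]) + k_evil),     # attacker
            "unlock": send(k_evil, 0x07, bytes([CMD_LOCK_SET, 0])),     # attacker
            "locked": lock.locked}
```

Calling run_scenario(True) and run_scenario(False) shows the difference the fix makes: the vulnerable lock answers "key set" to the attacker's second key-set message and then "unlocked" to a command under the attacker's key, while the fixed lock answers "key already set" and the attacker's command fails the MAC check. The AES core can be checked against the FIPS-197 AES-128 test vector before trusting anything built on it.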
More technical detail in our White Paper
Thank You!
Behrang Fouladi (BehrangFouladi)
Sahand Ghanoun (Sahand__)