IoT Goes Nuclear: Creating a Zigbee Chain Reaction

In this article, we describe a new type of attack on IoT devices, which exploits their ad hoc networking capabilities via the Zigbee wireless protocol, and thus cannot be monitored or stopped by standard Internet-based protective mechanisms. We developed and verified the attack using the Philips Hue smart lamps as a platform, by exploiting a major bug in the implementation of the Zigbee Light Link protocol, and a weakness in the firmware update process. By plugging in a single infected lamp anywhere in the city, an attacker can create a chain reaction in which a worm can jump from any lamp to all its physical neighbors, and thus stealthily infect the whole city if the density of smart lamps in it is high enough. This makes it possible to turn all the city’s smart lights on or off, to brick them, or to use them to disrupt nearby Wi-Fi transmissions.
