IoT Goes Nuclear: Creating a ZigBee Chain Reaction

Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will rapidly spread over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes. It enables the attacker to turn all the city lights on or off, to permanently brick them, or to exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lamps in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already). To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key (for each device type) that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.

[1]  Russ Housley Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP) , 2005, RFC.

[2]  Tobias Zillner,et al.  ZigBee Exploited The good , the bad and the ugly , 2015 .

[3]  Zhizhang Chen,et al.  ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research , 2014, COSADE.

[4]  William P. Marnane,et al.  Unknown Plaintext Template Attacks , 2009, WISA.

[5]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[6]  Ilya Kizhvatov,et al.  Side channel analysis of AVR XMEGA crypto engine , 2009, WESS '09.

[7]  Zinaida Benenson,et al.  All Your Bulbs Are Belong to Us: Investigating the Current State of Security in Connected Lighting Systems , 2016, ArXiv.

[8]  Christof Paar,et al.  Efficient Hash-Based Signatures on Embedded Devices , 2008 .

[9]  J. Massey Guessing and entropy , 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.

[10]  Stefano Zanero,et al.  Studying Bluetooth Malware Propagation: The BlueBag Project , 2007, IEEE Security & Privacy.

[11]  Colin O'Flynn,et al.  Message Denial and Alteration on IEEE 802.15.4 Low-Power Radio Networks , 2011, 2011 4th IFIP International Conference on New Technologies, Mobility and Security.

[12]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[13]  Brad Lehman,et al.  LED lighting flicker and potential health concerns: IEEE standard PAR1789 update , 2010, 2010 IEEE Energy Conversion Congress and Exposition.

[14]  Frederik Armknecht,et al.  On the security of the ZigBee Light Link touchlink commissioning procedure , 2016, Sicherheit.

[15]  Russ Housley,et al.  Counter with CBC-MAC (CCM) , 2003, RFC.

[16]  Sergey Bratus,et al.  Api-do: Tools for Exploring the Wireless Attack Surface in Smart Meters , 2012, 2012 45th Hawaii International Conference on System Sciences.

[17]  Joshua Jaffe,et al.  A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter , 2007, CHES.

[18]  David A. McGrew,et al.  AES-CCM Cipher Suites for Transport Layer Security (TLS) , 2012, RFC.

[19]  Adi Shamir,et al.  Extended Functionality Attacks on IoT Devices: The Case of Smart Lights , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[20]  Zhizhang Chen,et al.  Power Analysis Attacks Against IEEE 802.15.4 Nodes , 2016, COSADE.