Presentation Material
Abstract
Internet of Things (IoT) products proliferate in the market today. They manifest in different forms, from a pacemaker inside a human body to an oil and gas rig monitoring device in the remotest locations on the planet. The hardware form factors in many such IoT solutions use tiny micro-controllers with strict low-power-consumption requirements. Securing these platforms often poses several security challenges.
IEEE 802.15.4 is a standard developed for low-rate wireless personal area networks (LR-WPANs). The base specification does not specify how to secure the traffic between the IoT devices and the backend infrastructure, so there are often vulnerabilities in the design and implementation.
Penetration testing of Zigbee-class wireless sensor networks needs specialized hardware and software stacks for packet sniffing and injection. In this presentation, we will talk about various market-available solutions that pentesters can use for debugging and attacking such networks using USB-based dongles. We will demonstrate two custom hardware boards equipped with programmable micro-controllers that work with open source software solutions for performing attacks on an IEEE 802.15.4 based wireless sensor network. After our demos, we will discuss various hardening methodologies to protect IoT systems against such attacks.
AI-Generated Summary
The talk examined security vulnerabilities in Zigbee-class communication protocols within industrial IoT ecosystems. It outlined the typical IoT architecture, emphasizing the critical role of lightweight protocols like Zigbee for device-to-gateway communication in resource-constrained environments.
Key findings demonstrated that Zigbee implementations often lack comprehensive integrity protection. Using tools such as the KillerBee framework, ZbReplay, and Scapy, the presenters captured and modified live Zigbee packets. They showed that an attacker on the same channel could inject malicious commands, such as altering a thermostat temperature, because devices failed to verify packet authenticity. While adding an HMAC to the payload provided some protection, manipulating the sequence number still enabled successful replay attacks. The core issue was that only the payload, not the full packet headers (source, destination, sequence number), was integrity-protected.
The proposed mitigation was full-packet integrity protection, where an HMAC covers all header fields and the payload. This prevents an attacker without the secret key from successfully modifying any part of a packet, even if they can sniff and replay it. The talk concluded by advocating for a dedicated Security Development Lifecycle (SDLC) for IoT products. This five-phase model (requirements, threat modeling, code review, penetration testing/fuzzing, fix verification) must be applied to each component (cloud, mobile, hardware, protocols) and during system integration, with a “shift-left” approach to embed security from the design phase to avoid costly post-deployment fixes. The primary takeaway is that protocol-level integrity, not just encryption, is essential for securing low-power IoT networks.
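As an added illustration, not code from the talk or from any of the tools it names, the following contrasts the two integrity schemes described above: a payload-only HMAC and a full-frame HMAC covering source, destination, sequence number and payload, checked by a receiver that also requires the sequence number to move forward. The frame layout, field widths, 8-byte truncated tag and key are simplified assumptions for the demo, not the IEEE 802.15.4 MAC format.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed demo key; a real network key is provisioned per device or network.
KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Frame:
    src: int       # 16-bit short source address (assumed layout)
    dst: int       # 16-bit short destination address
    seq: int       # 8-bit sequence number
    payload: bytes

def tag_payload_only(f: Frame, key: bytes = KEY) -> bytes:
    # Weak scheme from the talk: the HMAC covers only the payload.
    return hmac.new(key, f.payload, hashlib.sha256).digest()[:8]

def tag_full_frame(f: Frame, key: bytes = KEY) -> bytes:
    # Proposed mitigation: the HMAC covers src, dst, seq and the payload.
    header = struct.pack("<HHB", f.src, f.dst, f.seq)
    return hmac.new(key, header + f.payload, hashlib.sha256).digest()[:8]

class Receiver:
    """Checks the tag, then rejects frames whose seq does not advance (mod 256)."""
    def __init__(self, tag_fn):
        self.tag_fn = tag_fn
        self.last_seq = {}  # last accepted sequence number per source address

    def accept(self, f: Frame, tag: bytes) -> bool:
        if not hmac.compare_digest(self.tag_fn(f), tag):
            return False  # tag does not match what the key would produce
        last = self.last_seq.get(f.src)
        if last is not None and not 0 < (f.seq - last) % 256 <= 127:
            return False  # duplicate or out-of-window sequence number: replay
        self.last_seq[f.src] = f.seq
        return True

def demo() -> dict:
    # Returns (legit_accepted, bumped_replay_accepted) for each scheme.
    legit = Frame(src=0x0001, dst=0x0000, seq=10, payload=b"SET_TEMP:21")
    # Same sniffed frame re-sent with only the sequence number bumped, tag unchanged.
    bumped = Frame(src=0x0001, dst=0x0000, seq=11, payload=b"SET_TEMP:21")
    results = {}
    for name, fn in (("payload_only", tag_payload_only), ("full_frame", tag_full_frame)):
        rx = Receiver(fn)
        tag = fn(legit)  # tag produced by the legitimate sender
        results[name] = (rx.accept(legit, tag), rx.accept(bumped, tag))
    return results
```

With the payload-only tag the bumped replay passes both the tag check and the sequence check; with the full-frame tag the changed sequence number invalidates the tag, which is the point the talk makes.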