Hacking Z-Wave Home Automation Systems

Honey, I'm Home!! Hacking Z-Wave Home Automation Systems. Behrang Fouladi (SensePost UK), Sahand Ghanoun

Upload: sensepost

Posted on 13-Nov-2014


DESCRIPTION

Home automation systems provide centralized control and monitoring of heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and household devices such as security sensors and alarm systems are connected to each other over wireless or wired links, forming a mesh network that acts as a "smart home". As you arrive home, the system can automatically open the garage door, unlock the front door, disable the alarm, turn on the downstairs lights and switch on the TV. According to a study by the consulting firm AMA Research, the UK home automation market was worth around £65 million in 2011, a 12% increase on the previous year, and the total number of home automation installations in the UK is now estimated at 189,000. The US home automation market was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Zigbee and Z-Wave are the most commonly used wireless RF protocols in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security studies. Z-Wave is a proprietary wireless protocol that operates in the Industrial, Scientific and Medical (ISM) radio band, transmitting on 868.42 MHz (Europe) and 908.42 MHz (United States); it is designed for low-bandwidth data communication between embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on the Z-Wave protocol existed before our work. Z-Wave was mentioned only once, in a DefCon 2011 talk whose presenter pointed out the possibility of capturing the AES key exchange phase, without a demonstration. Z-Wave is gaining momentum over Zigbee in home automation, partly because of a faster and somewhat simpler development process.

Another benefit is that it is less subject to signal interference than Zigbee, which operates in the crowded 2.4 GHz band shared with Bluetooth and Wi-Fi devices. Z-Wave chips include 128-bit AES crypto engines, which access control devices such as door locks use for authenticated packet encryption. An open source implementation of the Z-Wave protocol stack, openzwave, is available, but it does not yet support the encryption part. Our talk will show how the Z-Wave protocol can be subjected to attacks.

TRANSCRIPT

  • 1. Honey, I'm Home!! Hacking Z-Wave Home Automation Systems. Behrang Fouladi (SensePost UK), Sahand Ghanoun
  • 2. Home Automation
  • 3. Central Control Entry Control Smart Appliances Home Entertainment System Lighting Home Security CCTV Sensors HVAC
  • 4. Family Guy, from Fox Broadcasting Company
  • 5. Convenience, Accessibility, Security, Energy Management, Remote Monitoring & Control
  • 6. Z-Wave devices to be shipped in 2013: 5 million
  • 7. How Does It Work?
  • 8. Wireless AES-128 WPA/WPA2 E0
  • 9. Power Line Dual Band Proprietary AES-128
  • 10. Door Lock, Door/Window Sensor, Motion Sensor, Siren
  • 11. Prior work: Exploitation Framework (Joshua Wright, 2009); Zigbee Wardriving Kit (Travis Goodspeed, 2012); Pen Testing Over Power Lines (Dave Kennedy, Rob Simon, 2011)
  • 12. Why Z-Wave?
  • 13. According to the Z-Wave Alliance, 80% of the US home security market is Z-Wave. A 2012 NAHB survey shows wireless home security tops homeowners' wishlist. Proprietary protocol. No public research so far...
  • 14. Z-Wave Protocol
  • 15. Z-Wave Protocol Stack. Physical: 868.42 (EU) / 908.42 (US) MHz, 9.6/40/100 Kbps. Transport: error detection & retransmission, acknowledgment, 32-bit Home ID, 8-bit Node ID. Network: mesh network, topology discovery, automatic healing. Security: encryption, anti-replay and MAC. Application: device-specific commands & parameters.
  • 16. RF Configurations: FSK modulation, 9.6/40 kbps, 868.42/40 MHz (EU), 20 KHz, Manchester/NRZ
  • 17. Texas Instruments CC1110: Sub-1 GHz RF transceiver SoC; supports Z-Wave configurations; communication via serial; SmartRF Studio tool
  • 18. ITU-T Rec. G.9959: we identified inconsistencies with the actual implementation!
  • 19. Z-Wave Frame Format: PHY frame, singlecast MAC frame, application frame
  • 20. Z-Force
  • 21. Packet needed to do network discovery
  • 22. I Like to Move It!!
  • 23. Live Demo
  • 24. Z-Wave Security
  • 25. Encryption: AES-OFB. Message freshness: 64-bit nonce. Data authentication: AES-CBCMAC. 128-bit random network key: Kn. Custom key establishment protocol. 128-bit cipher & MAC keys: derived from Kn.
  • 26. Custom Key Establishment Protocol
  • 27. Key establishment message flow: Get ready for key establishment; Ready; Nonce request; Nonce value; Encrypted network key Kn (encrypt & MAC by K0); Nonce request; Nonce value; Encrypted message "new key is set" (encrypt & MAC by Kn)
  • 28. Same key establishment diagram as slide 27.
  • 29. Protocol Vulnerabilities
  • 30. Passive attack: intercept and decrypt the set key message. Happens at system installation time in low power transmission mode.
  • 31. Same as slide 30.
  • 32. With whom is the key being established?
  • 33. With someone who knows the temporary key value and the key derivation functions
  • 34. $K_0 = \mathrm{byte}[16]\{0\}$, $K_c = \mathrm{AES\text{-}ECB}_{K_n}(\mathit{Passwd}_c)$, $K_m = \mathrm{AES\text{-}ECB}_{K_n}(\mathit{Passwd}_m)$
  • 35. $C = \mathrm{AES\text{-}OFB}_{K_c}(IV, P)$, $MAC = \mathrm{AES\text{-}CBCMAC}_{K_m}(IV,\ SH \,\|\, SRC \,\|\, DST \,\|\, LEN \,\|\, C)$
  • 36. Unauthorized Key Reset Attack?
  • 37. Honey, I'm Home!!
  • 38. Live Demo
  • 39. Image from boratmakeglorioustributeactto.com
  • 40. Hmm... Now What?
  • 41. Critical vulnerability needs an urgent fix! Short-term fix (OTA): check current key state before it is set. Actual fix (next gen): public key cryptography and authentication.
  • 42. More technical detail in our White Paper
  • 43. Thank You! Behrang Fouladi, Sahand Ghanoun Sahand__
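As an added example (not code from the talk or its white paper), the frame protection of slides 34 and 35 modelled in Go: K0 as 16 zero bytes, Kc and Km derived from Kn with AES-ECB, AES-OFB encryption and AES-CBC-MAC over header and ciphertext, plus a receiver-side Open that checks the MAC before decrypting. The Passwd_c/Passwd_m constants, the header bytes, zero padding and the untruncated tag are assumptions, since the page does not give them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
)

// K0 is the all-zero temporary key of slide 34. Passwd_c / Passwd_m are
// constructed placeholders: the real constants are not given on the page.
var K0 = make([]byte, 16)
var passwdC, passwdM = bytes.Repeat([]byte{0xC1}, 16), bytes.Repeat([]byte{0xE2}, 16)
// ecb encrypts one 16-byte block under key k (AES-ECB on a single block).
func ecb(k, in []byte) []byte {
	blk, _ := aes.NewCipher(k)
	out := make([]byte, 16)
	blk.Encrypt(out, in)
	return out
}
// DeriveKeys: K_c = AES-ECB_Kn(Passwd_c), K_m = AES-ECB_Kn(Passwd_m) (slide 34).
func DeriveKeys(kn []byte) (kc, km []byte) { return ecb(kn, passwdC), ecb(kn, passwdM) }
// OFB computes C = AES-OFB_Kc(IV, P) (slide 35); the same call decrypts.
func OFB(kc, iv, data []byte) []byte {
	out, ks := make([]byte, len(data)), iv
	for i := range data {
		if i%16 == 0 { ks = ecb(kc, ks) } // keystream O_i = E_Kc(O_{i-1}), O_0 = IV
		out[i] = data[i] ^ ks[i%16]
	}
	return out
}
// CBCMAC computes MAC = AES-CBCMAC_Km(IV, SH||SRC||DST||LEN||C) (slide 35) with hdr =
// SH||SRC||DST||LEN; zero padding and the untruncated tag are modelling choices.
func CBCMAC(km, iv, hdr, c []byte) []byte {
	x, msg := ecb(km, iv), append(append([]byte{}, hdr...), c...)
	for i := 0; i < len(msg); i += 16 {
		blk := make([]byte, 16)
		copy(blk, msg[i:]) // a short final block is zero-padded
		for j := range x { x[j] ^= blk[j] }
		x = ecb(km, x)
	}
	return x
}
// Open is the receiver: verify the MAC in constant time, then decrypt; any tampering yields ok=false.
func Open(key, iv, hdr, c, mac []byte) (p []byte, ok bool) {
	kc, km := DeriveKeys(key)
	if subtle.ConstantTimeCompare(CBCMAC(km, iv, hdr, c), mac) != 1 {
		return nil, false
	}
	return OFB(kc, iv, c), true
}
```

Because K0 is a fixed public value, any party holding it can run Open on the key-set frame exactly as the joining node does, which is the observation behind slides 30 and 33.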