802.15.4

ZigBee & Z-Wave Security Brief: Part 2

This is the second of two blog posts in which we share a summary of the differences. We encourage you to read the first post for background on the purpose of this post and a discussion of security levels and keying techniques. The ZigBee and Z-Wave protocols have both undergone numerous revisions and support many different security modes and edge cases. In this discussion, we focus on core design decisions and features, and leave out discussion or investigation of edge cases for brevity.

ZigBee & Z-Wave Security Brief

We have performed in-depth evaluations of many products built on ZigBee and Z-Wave for clients, and we often help clients understand vulnerabilities in IoT products built on standard protocols such as these. We believe that it will benefit the overall community to share a brief summary of our comparison of these two popular protocols, based on the recent ZigBee 3.0 and Z-Wave S2 specifications, which both aimed in part to update the protocols to an increased level of security.

Hardware Security Training Talks: IEEE 802.15.4 Overview and TumbleRF Fuzzing

In this talk, we shared with the assembled group of hardware security professionals and students an introduction to IEEE 802.15.4 security and showed a few basic attacks, an intermediate attack, and then two examples of advanced techniques and research.

Troopers 18: Unifying RF Fuzzing Techniques under a Common API: TumbleRF

While fuzzing is known to be a powerful mechanism for fingerprinting and enumerating bugs within hardware and software systems, applying this technique to wireless systems remains nontrivial due to fragmented and siloed tools. In this talk, we covered wireless fuzzing fundamentals, introduced an approach that unifies fuzzing across protocols, radios, and drivers, and released a new open-source tool to assist.

KillerBee Support for Sewio Open-Sniffer Platform

As part of our continued commitment to supporting open-source tools, we have added support to KillerBee for the Sewio Open-Sniffer 802.15.4 capture interface. This is the first supported device capable of 900 MHz sniffing. The KillerBee code to use it is available, although we are not actively maintaining and testing this integration. We welcome improvements to the integration or collaborations to expand the supported interfaces further. You can also read about the integration on their site.

ApiMote v4beta Released: An IEEE 802.15.4 Sniffing/Injection Interface

We announced the ApiMote v4beta design and released it as open-source hardware at the TROOPERS14 security conference. This hardware was designed specifically with security researchers and assessors in mind, and is supported by the KillerBee software toolkit and GoodFET. We believe it offers unique capabilities not provided by other interfaces currently available. If you want to use this board, you can build it from the open-source design files or obtain a pre-built, tested, and programmed one from us.

IEEE 802.15.4/ZigBee Wireless IDS Beta Released

We released BeeKeeper Wireless Intrusion Detection System (WIDS), an open-source IEEE 802.15.4 wireless IDS, at the TROOPERS14 security conference. This beta version demonstrates a framework for multiple sensors feeding a centralized analytic engine. A few simple detection scripts are included to demonstrate detecting common attacks. You can read about it on our projects page or review our presentation. The source code is available, and we encourage anyone interested to submit updates to it.

Troopers 14: Making (and Breaking) an IEEE 802.15.4 WIDS

We presented the ApiMote v4beta hardware for sniffing and injection on IEEE 802.15.4 networks and released it as open source. We demonstrated the beta BeeKeeper WIDS framework for wireless intrusion detection on 802.15.4. We also showed a technique for injecting packets that are seen at the PHY layer by some radio chips but not by others, even when both chips are IEEE 802.15.4 compliant. You can download a copy of the presentation here.

DefCon 20

We presented our project to create the ApiMote hardware at the Wireless Village. The ApiMote platform is designed specifically to fulfill the needs of security assessors, based on experience from both lab research and field assessments. It is inexpensive, easy to program, supports expansion and battery power, uses an internal or external antenna, and has low-level support for cutting-edge RF research (low-level registers are exposed, in support of PIP, POOP, etc.).

ToorCon Seattle '11: Tools for Practical Exploration of the 802.15.4 Attack Surface

We presented a toolkit for interacting with IEEE 802.15.4/Zigbee. Our tools build on top of the KillerBee framework developed by Josh Wright, and add support for additional hardware, improved code stability, and additional functionality such as reflexive jamming. In addition to a brief introduction to the issues of 802.15.4 security, we showed attendees how to get involved in exploring the attack surface themselves, including the hardware and software they need, and how this enables them not only to perform their own assessments but also to understand how attackers can interfere with the operation of these networks.