Fun with Zigbee Wireless - Part III (Software)

By Tony Lee

Introduction

In our previous zigbee articles, we covered ZigBee usage, history, and one hardware option:
History:  http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-i.html 
Hardware: http://securitysynapse.blogspot.com/2015/11/fun-with-zigbee-wireless-part-ii.html

This time, let's explore some software options.  There are both free and commercial options available.  For this series, we focused on free (although some require email registration).  the following options are explored in this article:

• Atmel AVR Tools - Free with email registration
• Luxoft BitCatcher ZigBee Network Analyzer Tool - Free with email registration
• Killerbee - Free on Github

Friendly reminder:  As always use this information responsibly.  Make sure you own the equipment prior to experimentation and learning.  We do not condone malicious intentions, are not held responsible for your actions, and will not bail you out of jail.

Atmel AVR Tools

This software is offered for free (http://www.atmel.com/tools/RZUSBSTICK.aspx) with email registration from the same maker as our RZUSBSTICK hardware.  It runs on Windows, including a Windows 7 virtual machine which is what our environment used.  Best of all, AVR tools works with the stock firmware so there is no need to flash the RZUSBSTICK.  Included in the download is the following:

• Windows drivers
• rfservicesserver.exe - Command line tool that creates a socket
• AVR Wireless Services - GUI that connects to the socket created by rfservicesserver

The component architecture is shown below:

RF Services Server creates the bridge between the RZUSBSTICK hardware and the software to which the user interacts.  AVR Wireless Services Suite provides the UI for human interaction.

The screenshot above shows the software download on the left, rfservicesserver running in the command prompt on the top right, and AVR Wireless Services GUI running in the bottom right.  AVR Wireless Services provides packet history, a graphical node display, and a packet drill down feature similar to Wireshark.  Of course Atmel offers more capable software at a price, but this is not too bad of a start for a free offering.

Luxoft BitCatcher ZigBee Network Analyzer Tool

Luxoft offers a tool called BitCatcher (http://www.luxoft.com/embedded-systems-development/bitcatcher/) which is also free with email registration.  This tool runs in Windows (binary) and Linux (Java app).  The biggest downside is that it requires custom firmware to be loaded onto the RZUSBSTICK via a flash upgrade (will discuss in a later article).  The flash upgrade changes the hardware ID which allows a custom driver to convert USB to COM which BitCatcher then uses to interact with the hardware.

Our setup process was the following:

• Flashed in Linux with avrdude (Will demo in a later article)
• Ran the BitCatcher Sniffer tool in a Windows 7 VM
• Loaded the "Sniffer" driver
• Added the device, connected the device, started the sniffing

The software download is shown on the left and the BitCatcher software is shown on the right.  There is a packet timeline and drilldown functionality similar to Wireshark, but with less detail.

Killerbee

The last software we will mention is the Killerbee framework from Josh Wright and River Loop security.  Killerbee is a free download from github found here:  https://github.com/riverloopsec/killerbee.  Some tools work with the default Atmel firmware while some require Killerbee firmware.

The tools that work with the default firmware:

• zbid – List available devices
• zbfind – GUI for Zigbee location tracking – Never got this working 
• zbopenear - ZigBee/802.15.4 many channel listener (need 1 RZUSB per channel)
• zbwireshark - Sends sniffed ZigBee packets to Wireshark via a named pipe
• zbdump – tcpdump clone (libpcap or commercial Daintree SNA format)
• zbconvert – Convert capture file formats (libpcap -> Daintree)
• zbdsniff – Scans capture files for Zigbee encryption keys (takes a capture file)
• zbgoodfind – Search a binary file to identify encryption key for encrypted packet

The tools that require the killerbee firmware:

• zbreplay – Replay network traffic from libpcap or Daintree files
• zbscapy – scapy for ZigBee
• zbkey – Attempts to retrieve a key by fake association and request/response
• zbassocflood – Transmit a flood of associate requests to a target network

Killerbee comes pre-installed with most Kali distributions, however your success will vary.  Here was our out-of-the-box experience:

Kali 1.1:

Exception: Unable to open device.  Ensure the device is free and plugged-in.

Kali 2.0:

usb.core.USBError: [Errno 110] Operation timed out

The moral of the story here is that just because the tools are pre-installed, does not mean they will work.

The github page recommends installing the latest version of the software anyway.  These are the steps we used in a Kali 2.0 installation:

Setup:

mkdir tools; cd tools git clone https://github.com/riverloopsec/killerbee.git apt-get install libgcrypt-dev cd killerbee python setup.py install sudo rm -rf /usr/lib/pymodules/python2.7/killerbee python setup.py install

Conclusion

This article outlined the software we will use to examine the 2.4 GHz ZigBee frequency range.  We are very appreciative for those who released free software--Atmel, Luxoft, Josh Wright and River Loop security.  Here are some general observations:

• Atmel - Worked well and with default firmware
• Luxoft - Worked well after the firmware upgrade and driver install
• Killerbee - Most capable and diverse tool set by far, but had the some minor issues:
• Some tools don't work well - but hey, they are free.
• Most tools don't terminate well
• Thus, after running a tool, it may be necessary to reseat the card
• Easiest reseat method is to virtually reseat the card via VMware/Virtual box
• If virtual reseat does not work, physical reseat will be necessary (hooray for USB stands)

The next article will cover some potential passive attacks.