I'm working on a pair of hands-on Zigbee hacking workshops. The first, which I've submitted with Aurélien Francillon to ToorCamp involves the writing of advanced stack overflow attacks for the MSP430 and AVR microcontrollers. The second, which I've submitted to Defcon 17, involves a number of hands-on hardware attacks against Zigbee nodes. Both include the sniffing of AES128 keys from a CC2420 Zigbee radio, a procedure that I demonstrated informally at Source Boston and describe below.
The CC2420 is a popular Zigbee/802.15.4 radio, and it is found in many wireless sensor development kits. We'll be attacking its hardware-accelerated AES128 implementation, by taking advantage of the fact that keys must be loaded over the SPI bus.
In the photograph above, I've tapped one of three SPI pins of the CC2420 radio chip on a Telos B using a hypodermic syringe. SPI consists of four pins: SCL, MOSI, MISO, and !SS. SCL, the Serial Clock, is output from the master to synchronize communication with the slave. MOSI and MISO are data lins, Master Out Slave In and Master In Slave Out. !SS or Slave Select is an inverted line that indicates the selection of a particular slave chip. Here, we'll only be tapping SCLK and one of the data lines, as two syringes are much easier to hold that four. Ground is shared by USB, so it isn't critical that we tap it.
As seen on my portable scope below, the tapped pin is the SCL, the data clock. The clock stands out because it idles low, and because all pulses in a batch are of regular width. Unlike a system clock, the clock only cycles when data is being transported.
The remaining two pins, in the group of three, are data. As shown on the scope image below, SPI data lines idle high, and bits are measures on edges of the clock.
Now that the clock and data lines have been found, it is necessary to sniff the traffic using a bus adapter. Until SPI-sniffing firmware for the Hackaday Bus Pirate becomes available, I will continue to use the Total Phase Beagle I2C/SPI Protocol Analyzer. A screenshot of the Total Phase client follows.
All that remains to identify the key in use, or anything else sent over the bus, is to read the log. I will likely release scripts for doing so at Defcon.
61 comments:
This is a side channel attack and thus doesn't constitute 'breaking 802.15.4 AES128' per se as it is relevant to a specific device
Agreed; interesting, but it's simply about sniffing SPI lines; not 802.15.4. Requires physical access to the device(s).
Yes, I've used a Beagle a few times at work, I really like it. How are sure that you are synchronizing correctly every time without using a slave select (CSn)? I know it can be hard to hold that many probes, but why not just solder a wire down?
I don't think that scope grab is what you are looking for. The AES transactions should have 16 SCK pulses in a row, not 2 bursted 8 SCK ticks. Look at fig 9 of cc2420.pdf, you are going to need the CSn signal to properly frame the transactions.
"All security related data is stored little-endian, i.e. the least significant byte is transferred first over the SPI interface during RAM read or write operations."
Are you setup to have pre-knowledge of the key? How are you going the identify it in the SPI log? The only RAM signal brought out is DVDD_RAM pin. I guess you could current sense and trigger on the RD/WR assuming there is a descernable current spike.
@frankincense
Depending on the firmware running on the MSP430, it may take awhile for the second byte to be transferred to the CC2420. The delay isn't unusual. Also, unless the TelosB external ST dataflash chip is being used (unlikely in many applications, at least during runtime), checking for chip select isn't needed.
Also, identifying the key is trivial - just search for the right ram-write command and the relevant address.
This is of course a problem with any pre-shared key system.
@Yann Ramin,
Ahh, you got me, shouldn't have posted without doing the rest of my homework.
What type of portable scope do you use ?
The ZigBee Smart Energy Profile (SEP) uses certificates for secure communication. Simply knowing the link or network keys is pretty much useless unless you also have a certificate from the licensing body (Good luck, they are a royal pain in the a$$ even to those who are paying their exorbitant fees).
At this point, the vast majority of pilots and products out there that support SEP are based on the EM250, and not the TI CC2420. Utilities are requiring the security and standardization that the SEP provides.
I consider this blog to be cute. However, it has shown that politicians with mediocre minds will over react to anything that serves their purpose.
Hey Travis, whilst I think your efforts to uncover vulnerabilities in systems are applaudable, are you going to quit spreading FUD about how by reading an AES-128 key in a CC2420 "you could control not just that meter you stuck the needle into, but any meter in the system" (http://www.forbes.com/2009/04/29/smart-grid-legislation-technology-security-smart-grid.html?feed=rss_technology_security)?
If not, maybe you could explain how you could do this?
Bruce,
See my paper entitled Extracting Keys from Second Generation Zigbee Chips for details of how to extract data memory from all presently available Ember and Chipcon radios, including the EM250. All of data memory is exposed, making certificates just as easy to extract as keys.
--Travis
free minecraft codes for you my friends.minecraft gift code generator
The Jagannath Rath Yatra is the largest and most visited Rath Yatra in the world. The English word juggernaut was originated from Jagannath which means massive and unstoppable “ratha” carrying Lord Jagannath. Another important feature is, the icon of Lord Jagannath is a carved out of wood and not stone or mud as done in case of usual Hindu deity. Amazing Facts About Hinduism
Not only in Solidworks, but also in other software related assignments, our experts can be extremely helpful. Our experts specialize in 3D mechanical design applications of Solidworks . When it comes to doing an assignment and you get stuck, don’t hesitate to get in touch with Online Assignment Expert for accounting assignment help. If you are a university student and looking for assignment writing help then Online Assignment Expert is one stop solution. Our MATLAB assignment writing experts in Australia serve the best MATLAB assignment help to students in order to solve their queries.
After completing all ordered buy nursing papers assignments, our best nursing paper writing service team is keen on uploading them to a platform where clients can access them with ease.
This guide https://essaydragon.com/blog/why-michigan-essay-guide will help you to write a decent application letter to University of Michigan!
Thanks for provide great informatic and looking beautiful blog, really nice required information & the things i never imagined and i would request, wright more blog and blog post like that for us. Thanks you once agian
court marriage in delhi ncr
court marriage in delhi
court marriage in noida
court marriage in ghaziabad
court marriage in gurgaon
court marriage in faridabad
court marriage in greater noida
name change online
court marriage in chandigarh
court marriage in bangalore
Telecom Project manager in the telecom space are the people in charge of a specific project or projects within a telecom business. As a project manager, their responsibilities are to plan, budget, manage and document all stages of a certain project. Telecom Project Managers are accountable for coordinating telecommunication systems installation projects for multiple businesses across the various platforms.
It is really impressive, thank you so much for sharing this valuable information with us
https://bohemianland.com/
Way cool! Some very valid points! I appreciate you
https://autoxtools.com/
Inspired by grey rain-bearing clouds and a beautiful overcast sky, this bluetooth tracker in Cool Grey auto x tools is made for uber-cool personality
valid
The bohemian style is made from head to toe
point
www.hotmail.com
You can reinstall or install Microsoft Office Setup at office.com/setup www.office.com/setup
There are numerous approaches to watch Netflix on your TV – all you require is a gadget with the Netflix application! The Netflix application is accessible on many Smart TVs, game consoles, streaming media players, set-top boxes, and Blu-beam players. You can discover more data about viable gadgets and brands at netflix.com/activate, and to enroll visit www.netflix.com/activate or read on to check whether your TV is now Netflix-prepared.
www.netflix.com register
www.netflix.com/redeem
netflix activation code
netflix.com.au/redeem
netflix.com/tv8
Through www.amazon.com/mytv - how you can connect your mobile phone to Amazon Prime. Through amazon.com/mytv, you can watch your favorite TV shows, series movies. You can watch prime videos anywhere on your device. Users need to create an Amazon account if they don’t have an Amazon account and enter the Amazon my TV activation code to watch Amazon prime videos on your device.
amazon.com/mytv | www.amazon.com/mytv
Я благодарен владельцу этого сайта за то, что поделился этой замечательной работой. Когда у вас есть подключение к Интернету, все, что вам нужно, это браузер, чтобы проверить веб-камеру. Если вы хотите узнать больше о веб-камерах, посетите эту статью тест веб-камеры онлайн .
Garmin Express is a software to manage your Garmin devices from your computer. Ideal for registering your products, but also for synchronizing their data, Garmin Express also allows you to update them.
Webroot Secureanywhere is world’s leading antivirus software which leads to your system’s sensitive data safety from uncountable cyber threats.
tubi.tv/activate is an online platform that is a creation of Fox Corporation and stream the latest content and videos of your interest.
For More Information Visit Our Site:
tubi tv
Roadrunner email login
Wondering “ why is my computer so slow?” Running too many programs altogether can be one of the causes of this issue, making your life troublesome and too slow.
Yahoo will send you a reset link in your phone number or email address. In case if you are not accessing to the phone number anymore, click on I don’t have access to this phone option. It will then send you the link to your alternative mail address. Check your mail and do the procedure as suggested.
Such a great post many students need this kind of post please keep writing webroot.com/safe is best Installation Guide.The security package offered by this brand is incredibly easy to setup and install. You can easily install and upgrade any of the Webroot Secure Anywhere Antivirus products that help you handle cyber security in the best possible manner.
Download and install or reinstall office setup on a PC or Mac
garmin.com/express is gps tool
which enable you to manage your Garmin GPS device from your computer.
very good post keep writing this kind of postij.start.canon/setup is the easiest way to setup Canon printer to your system. Steps to connect wired or wireless printer on windows as mac devices are discussed below in this article
How to download and install hp drivers from 123.hp.com/setup? You can download hp assistance to auto update drivers without any hadic
If you cannot download or install Norton on your device, read following steps for installing Norton in your PC. Go to the Norton Web link that is norton.com/setup/productkey and then click install button.
pest control service near me professional not just has the most up to date as well as most effective items,however additionally the education and understanding to finish the job right.
"Please Keep in Touch," is kit full form To continue conversing or discussing an issue with the person to whom the letter or written communication is addressed, this term is most typically used in written communications or letters (both personal and business).
Go to office setup for office.com/setup. Sign In or Create a new Microsoft Account. Or go to
www.office.com/setup to download
Officecom which is best for online work. webroot.com/safe is best Installation Guide.The security package offered by this brand is incredibly easy to setup and install.
123.hp.com/setup ePrint setup · Open any email application, and enter your printer's email address. ·
Attach the document or photo you want to print and send it. ij.start.canon
You can download printer drivers from ij.start.canon/setup and sit at home with free mind.
Use garmin.com/express to update maps and software, sync with Garmin Connect and register your device. This desktop software notifies you when updates. Best
pest control near me but we are professional in this field
The website is looking bit flashy and it catches the visitors eyes. Design is pretty simple and a good user friendly interface.Virus Disinfecting Services Pageland
The [pii_email_11fe1b3b7ddac37a081f] error is typically created when SSL encryption fails to establish a secure connection to the server. However, there are a variety of other factors that could contribute to the issue. You won't be able to authenticate if your username or password are incorrect, for example, and the app will instead display the [pii_email_11fe1b3b7ddac37a081f]] problem.
I just wanted to provide you with a quick heads up! and would like share more important articles here;
SEO Tvorba
poslouchej forum
Zip.dk blog
Activeboard
saphiraengine
quanticode
Echo
Thank You for sharing your blog. It is very informative and nice to read such high-quality content. There is useful information on your blog, thank you for sharing with us. The misalignment of abdominal muscles and Navel is a cause of Navel Displacement. It happens in the centre of the navel, usually upward or downward and caused by a variety of circumstances.
Launch a web browser. Enter the Belkin router website link or the router's default IP address, 192.168.2.1, in the Address bar and press [Enter]. If it doesn't work, check your router's IP address. You will be asked to log in using the router's admin password. If you have not set a custom password, just leave the Password field blank then click Submit.
Enjoyed reading your post keep sharing such amazing post will come back to read more.
Regards
microsoft 365/setup
microsoft365.com/setup
microsoft 365 setup download
micrsoft365.com setup
www.primevideo.com/mytv
primevideo.com/mytv
La Société Epitex propose aujourd’hui, avec tous les services associés, une gamme très large de matériels dans des domaines variés comme matériels d’aspiration, de stockage, de décontamination mais également des décapants chimiques, des équipements de protection individuelle et consommables.
Aujourd’hui, le professionnalisme et la performance de la Société Epitex s’appuient sur les compétences de 20 collaborateurs formés pour aider au choix du matériel et des consommables adaptés aux résultats recherchés. Conscient de sa responsabilité en tant que majeur au marché du désamiantage et du descellement. Epitex France
VideoGallery
ImageGallery
HotProfilePicture
LadiesandYoungGirls
MatureFemale
LadyinSwimwear
CollegeGoingGirl
HotVideos
VideoGallery
ImageGallery
This is informative blog i got a valuable information on the post
Torrentz2 Proxy Unblock Torrentz2.eu {Working100%} Latest Sites List
ETTV Proxy Unblockit ETTV & latest Sites {Working 100%}
MagnetDL Proxy Unblock MagnetDL Latest sites List {Working 100%}
isoHunt Proxy Unblock isoHunt Updated Sites list {Working 100%}
Demonoid Proxy Unblock Demoind.pw Proxy {Working 100%} Site List
Health Write For UsSubmit Guest Post on Lifestyle, Beauty, Travel, Health, Fitness
iDope Proxy Unblock idope.se Latest 2022 iDope Proxy List {100% Working}
It's very nice article. I like the post so much. Thank you!
download igoal
This is valuable information on the post informative blog i got
ExtraTorrent Proxy List of Unblock all Extratorrent Proxy Sites latest
Tamilyogi Proxy Unblock Tamilyogi cc proxy List 2022 Movie Download
List of Unblock Limetorrents Proxy Mirrors sites Limetorrents Proxy
list Unblock Extratorrents Proxy {100% Working Sites} Extratorrent proxy
Unblock Skytorrents.net {100% Working Sites} SkyTorrents Proxy
Activation Free Updated 2022 Microsoft Office 365 Product Key list
Write for us Technology – Submit Guest Post on Business, Mobile, Education Topics
PGsharp Key list Generator PGsharp Free Activation Key 2022
123movies online is a free online movie and television series streaming service that allows users to watch movies, TV episodes, and series without having to register or deal with advertisements. Our 123Movies website contains movies, series, and shows from almost every genre, so no matter what kind of content you want to watch, you can find it on our 123Movies website.
13377x proxy is a website that provides a directory to download torrent files online through the internet. It was founded in 2007 by an unknown author but at that time it didn’t have any popularity. After 2016 the popularity of 13377x movie download sites got more popular.
This is very interesting content! I have thoroughly enjoyed reading your points and have come to the conclusion that you are right about many of them. You are great. best cbd shop near me
Great block structure! How long
Have you written a blog before? Working on a blog seems easy.
The overview of your website is pretty good, not to mention what it does.
EZTV Proxy Unblock EZTV Proxy List Torrent {100% Working} Sites
kickass Proxy Unblock kickass Proxy sites List Torrents
1337x Proxy List Unblock 1337x Proxy sites
Technology Write For Us Business, AI, Tech Reviews, IoT
How To Remove Outbyte PC Repair Outbyte PC Repair Files
Filmora Wondershare Crack Key Full Version Registration Key With Email
How to Fix [pii_email_7e710fffb86b8d1d9420]Error Code
How to Fix [pii_email_4bd3f6cbbb12ef19daea]Error Code
How to Fix [pii_email_cbd448bbd34c985e423c]Error Code
How to Fix [pii_email_1bc24f13e6217fe6e335]Error Code
How to Fix [pii_email_6b2e4eaa10dcedf5bd9f]Error Code
How to Fix [pii_email_4bd3f6cbbb12ef19daea-error-code]Error Code
The purpose of this article is to demonstrate how you can activate HBO Max on any device and start streaming and broadcasting on it using hbomax com tvsignin.This streaming service bundles all of HBO plus even more TV shows, blockbusters, and new Max Originals in one place for everyone to enjoy.Apple TV users know that HBO Max’s streaming app is subject to frequent crashing and glitches and is often overloaded during important premiere dates. In an overhaul that will continue through next week, the company billed the new app as completely redesigned with some useful new features (although Variety, which earlier reported the news, said the two apps were not too visually dissimilar).On your phone or computer, go to
hbomax/tvsignin.
Overtræk med overdækkede sømme
Beskyttelsesovertræk i ikke-vævet SMS med ankler, ansigt, håndled og elastik i taljen for at justere størrelsen. Også med selvklæbende klap for bedre lukning forfra.
Type 5 & 6 med fuld overensstemmelse med klassificering i henhold til EN 14325
Materiale: SMS 100% polypropylen 50 g / m2
Størrelse: L-XL-XXL-XXXL
Farve: Blå, Rød, Hvid Sæt undertøj Bomuld sommerasbest
Disposable Coveralls PolyGuard SMS W/Hood, Elastic Boot & Wrist.
COVERALLS For Asbestos and Lead Abatement, Remediation Activities
Coveralls Cat 3 TYPE 5-6 with hood and booties made of non-woven SMS Fabric with elastic polypropylene at the ankles, face, and waist and with Elastic wrist, as well as a self-adhesive flap for a better closing / sealing at the neck. Painters Rags
Technically there is no solution to lose weight in just one part of your body. When a person loses weight it occurs simultaneously in all parts of the body, in some it is accentuated more than in others. Fortunately, there are ways to make your face look slimmer nedik tells you how.
how to lose facial fat
We exclusively offer bespoke and top Australia Assignment Help to overburdened understudies struggling to make scholastic ends meet and help them score top grades consistently.
Our best MATLAB assignment help specialists guide you and help you with your homework and different assignments. They additionally mentor you with respect to how to finish them to score better. Our services are always very reasonably priced.
If you have had a PC for more than a year or two, you should have noticed that its basic functions are slowing down. Including some bugs, software crashes, system lags & etc. There are few important changes you can make to encourage your PC to run faster. I have written a blog regarding this.. Check out how to speed up computer | how to make computer faster
Great Assignment Helper furnishes excellent quality Web Designing and web Development Assignment Help totally free of plagiarism and technical errors; at the most reasonable rates and well before the stipulated deadline.
There are multiple Best Places to Visit in Gurgaon; thanks to the number of party places where you can hang out with your friends at the weekend, visit with your kids as an educational tour, and spend a relaxing vacay with your family.
Follow the instructions from our website to successfully download and install Brother Printer Drivers to enhance the current features of the printer.
Post a Comment