Thursday, February 23, 2012

Wardriving for Zigbee

by Travis Goodspeed <travis at radiantmachines.com>
with kind thanks to @fbz, @skytee, and their Hacker Hostel.

While I don't do much on-site work these days, it's always fun to pull out a packet sniffer for a weird protocol and show a client how much cleartext is bouncing around his facility. It's even more fun in the vendor room of a conference. Toward that end, I made a Microsoft Keyboard Sniffer in September that forwards keyboard traffic to my Nokia N900. (By the by, Microsoft still refuses to issue an advisory for that bug.)

A few months and a new phone later, I found myself doing the same thing for ZigBee/802.15.4. The result, presented in this article, is a complete wardriving solution for my Nokia N9, allowing for efficient mapping of ZigBee usage when walking or driving. This lets me to map networks similar to the irrigation and city bus networks that KF identified, but for any of the cities that I pass through.
Zigbee Wardriving

Hardware


Just as I last used the Next Hope Badge for its nRF24L01+ radio to sniff Microsoft's keyboard traffic, the new device uses a MoteIV TMote Sky, better known in some circles as a TelosB. These flooded every university campus four years ago, and you can probably pick a few up for a cup of coffee with a neighborly professor.
Pocket ZigBee Sniffer

The TelosB has a 10-pin expansion port exposing UART0's RX and TX pins, as well as AVCC and GND. Running these lines to the Roving Networks RN42 module provides an RFCOMM connection at 115,200 baud, coincidentally the same default rate used by the GoodFET firmware. Be sure to swap RX and TX for a proper connection.

Finally, a LiPO battery and charging circuit were soldered in to replace the AA batteries of the original TelosB. This allows for quick recharges and several days of battery life.

In use, I either leave the box in my jacket or put in on the dashboard of a car. The Lego Duplo case keeps all components together, and the SMA jack allows for an antenna external to the car. (Not that I ever stay in one city long enough to buy a car, but surely one of my neighbors has a convenient external 2.4GHz antenna for me to wire into.)
Zigbee Wardriving

Firmware


The GoodFET firmware natively supports the TelosB, as described here. Firmware is normally compiled by running "board=telosb make clean install", but a second board definition exists to use the external serial port instead of the internal one. So set board=telosb for local use and board=telosbbt for use over Bluetooth. Luckily both the TelosB and the RN42 module default to 115,200 baud.

This image exposes both the TelosB's CC2420 radio and its SPI Flash chip to the host. The host also has the authority to load and execute code in the device, so a standalone mode that writes recorded packets to the SPI Flash is a distinct possibility.

Standard Client


The standard GoodFET client works as expected, once py-bluez is manually installed and Nokia's DRM infrastructure, Aegis, has been disabled. To use a Bluetooth device instead of a serial port, just set the GOODFET environment variable to the appropriate MAC address.
GoodFET on the N9

Custom Client


The standard GoodFET client is written in Python, in a style where most of the guts are exposed for tinkering. This is great for doing original research on a workstation, but it's terrible when trying to show off a gizmo in a bar or at a client site. For this reason, I hacked together a quick client in QT Quick using my reverse engineered SPOT Connect client as a starting point.

The interface is composed of a Bluetooth selection dialog, a packet sniffer, and a packet beaconing script that repeatedly broadcasts a sample Packet-in-Packet Injection.
N9 ZigBee Sniffing (cropped)
GoodFET for Meego

A log is kept in the N9's internal storage, so that any captured packet can be fetched later. The log is append-only, with a record of every received packet and timestamps from each start of the application. Additionally, GPS positions are dumped for positioning.

Plotting


The position log is then translated by a script into the Keyhole Markup Language or any other GIS format for plotting.
Wardriving for Zigbee

KML is simple enough to compose, with the one oddity that longitude comes before latitude. Use the <Placemark> and <Point> tags to mark packets. For small data sets, I've had luck using <LineString> to mark my path, but after touring much of North America, I exceeded Google Maps hundred-thousand line limit.
KML Point

Post processing is frequently needed to smooth out a few erroneous GPS positions. I've collected GPS locks up to twenty kilometers from my real position when indoors and, in one instance, my phone believed itself to be in Singapore while I was actually in the USA. Be sure to check for these when making your own maps.

Conclusions


Now that I have a lightweight system for grabbing Zigbee packets in the wild, I'd like to expand my collection system to vendor proprietary protocols such as TI's SimpliciTI, the Turning Point Clicker, and other protocols that the GoodFET stack supports. I could also use it to map neighbors with the CCC's r0ket badge and similar OpenBeacon transmitters as they stray from the conference venue.

Other protocols, however, are a lot harder to wardrive. While my Microsoft keyboard sniffer can sniff traffic to the phone, it requires a learning phase that is too long to be performed while travelling in a car. This is because the keyboard protocol, unlike Zigbee and more like Bluetooth, has a Start of Frame Delimiter (SFD/Sync) that is unique to each keyboard/dongle pair, requiring special techniques for any promiscuous sniffing. The original Keykeriki exploit by Thorsten Schröder and Max Moser might identify keyboards quickly enough to be performed on the road, or there might be some new trick that will make it possible. For now, though, you'll need to know where the keyboard you'd like to attack is before you can start sniffing it.

While I'll stubbornly stick to Meego for the foreseeable future, an Android client should pop up sooner or later. Also, Mike Kershaw seems to be toying around with full-custom hardware for the job that'll be compatible with the GoodFET firmware. You can find the code for my client in /contrib/meegoodfet of the GoodFET repository.

As a final note, Zigbee traffic can be found just west of 40th Street in West Philadelphia, at Union Station in DC, in the Fort Sanders neighborhood of Knoxville, and at South Station's food court in Boston. In Louisville, Kentucky, search near the intersection of Lexington Road and Grinstead Drive. In Manhattan, try Seventh Avenue just south of Penn Station.

Have fun,
--Travis

219 comments:

«Oldest   ‹Older   201 – 219 of 219
Lite App said...

Thanks for sharing this blog keep it up.
usps employee portal

Robert Adler said...

Kudos to your blog for being a beacon of knowledge in the ever-evolving world of web and mobile app development! Your insights on top frameworks have proven invaluable for our team in San Diego , shaping our approach to crafting cutting-edge mobile applications. Your guidance has empowered us to explore new horizons about mobile app development company in san diego , delivering exceptional solutions to our clients. The wealth of information here is a game-changer, and we eagerly anticipate more pearls of wisdom in future posts. Cheers to elevating the standards of mobile app development!

Lite App said...

Thanks for sharing this blog, Keep it up.
nearpod join
join pear deck

basitsheikh said...

Unlock learning potential with joinpd : Elevate education effortlessly!

basitsheikh said...

United States Postal Service A self-directed government entity, weaving connections across the nation.

Jewel Galore said...

Explore Jewelgalore exquisite ladies ring design . Each piece reflects unique craftsmanship and elegance, perfect for adding a touch of sophistication to your style.

Paul said...

"Fantastic read! The content is clear, easy to grasp, and loaded with valuable information. for more i also recommend this to you First Aid Kit

Anne hathway said...

Fantastic article! Your insights were enlightening and thought-provoking. Thanks for sharing your knowledge! Also have a look at receptify.

rabecca said...


https://skyandtelescope.org/author/the-impact-of-clothing-donation/

doe said...


Explore the content at kochsahne aldi for a substantial boost to your knowledge and understanding.

doe said...

Check this website for additional insights

doe said...

Your blog post was exceptionally insightful! visit this site also SEO Company

Anne hathway said...

Fantastic article! Your insights were enlightening and thought-provoking. Thanks for sharing your knowledge!
Also have a look at donation bins near me.

mdynamics365 said...

DynaTech is your trustedMicrosoft Gold Partner in USA. We partner with you to provide a comprehensive suite of solutions that help drive digital transformation

Nandi IVF said...


The ivf clinic in Pitampura offers comprehensive fertility treatments, including in vitro fertilization (IVF), intracytoplasmic sperm injection (ICSI), and egg freezing. Equipped with state-of-the-art technology and a team of experienced specialists, the clinic provides personalized care and advanced reproductive solutions.

Patients benefit from a supportive environment, thorough diagnostic evaluations, and tailored treatment plans aimed at achieving successful pregnancies. With a strong focus on patient well-being and high success rates, the clinic stands out as a trusted destination for couples seeking fertility assistance in Pitampura.

Roony Ron said...
This comment has been removed by the author.
Basement Seller said...

beer mug

Maica Hion said...

Appreciation for sharing this surprising site! Savers360 offers a Safelite 100 Off. Visit now and participate in the best courses of action!

Anand said...

3pl company in birmingham Third-party logistics (3PL) providers streamline ecommerce operations by managing warehousing, fulfillment, and shipping. With integrated technology, real-time inventory tracking, and nationwide distribution networks, 3PLs help businesses scale efficiently. Services include pick-and-pack, custom packaging, returns management, and multi-channel fulfillment, allowing merchants to focus on growth while experts handle logistics.

«Oldest ‹Older   201 – 219 of 219   Newer› Newest»