Sunday, March 15, 2009

Breaking 802.15.4 AES128 by Syringe

by Travis Goodspeed <travis at>

I'm working on a pair of hands-on Zigbee hacking workshops. The first, which I've submitted with Aurélien Francillon to ToorCamp involves the writing of advanced stack overflow attacks for the MSP430 and AVR microcontrollers. The second, which I've submitted to Defcon 17, involves a number of hands-on hardware attacks against Zigbee nodes. Both include the sniffing of AES128 keys from a CC2420 Zigbee radio, a procedure that I demonstrated informally at Source Boston and describe below.

The CC2420 is a popular Zigbee/802.15.4 radio, and it is found in many wireless sensor development kits. We'll be attacking its hardware-accelerated AES128 implementation, by taking advantage of the fact that keys must be loaded over the SPI bus.

Zigbee Sniffing

In the photograph above, I've tapped one of three SPI pins of the CC2420 radio chip on a Telos B using a hypodermic syringe. SPI consists of four pins: SCL, MOSI, MISO, and !SS. SCL, the Serial Clock, is output from the master to synchronize communication with the slave. MOSI and MISO are data lins, Master Out Slave In and Master In Slave Out. !SS or Slave Select is an inverted line that indicates the selection of a particular slave chip. Here, we'll only be tapping SCLK and one of the data lines, as two syringes are much easier to hold that four. Ground is shared by USB, so it isn't critical that we tap it.

As seen on my portable scope below, the tapped pin is the SCL, the data clock. The clock stands out because it idles low, and because all pulses in a batch are of regular width. Unlike a system clock, the clock only cycles when data is being transported.

Zigbee Sniffing

The remaining two pins, in the group of three, are data. As shown on the scope image below, SPI data lines idle high, and bits are measures on edges of the clock.

Zigbee Sniffing

Now that the clock and data lines have been found, it is necessary to sniff the traffic using a bus adapter. Until SPI-sniffing firmware for the Hackaday Bus Pirate becomes available, I will continue to use the Total Phase Beagle I2C/SPI Protocol Analyzer. A screenshot of the Total Phase client follows.

CC2420 Sniffing

All that remains to identify the key in use, or anything else sent over the bus, is to read the log. I will likely release scripts for doing so at Defcon.


Unknown said...

This is a side channel attack and thus doesn't constitute 'breaking 802.15.4 AES128' per se as it is relevant to a specific device

Unknown said...

Agreed; interesting, but it's simply about sniffing SPI lines; not 802.15.4. Requires physical access to the device(s).

asdf said...

Yes, I've used a Beagle a few times at work, I really like it. How are sure that you are synchronizing correctly every time without using a slave select (CSn)? I know it can be hard to hold that many probes, but why not just solder a wire down?

I don't think that scope grab is what you are looking for. The AES transactions should have 16 SCK pulses in a row, not 2 bursted 8 SCK ticks. Look at fig 9 of cc2420.pdf, you are going to need the CSn signal to properly frame the transactions.

"All security related data is stored little-endian, i.e. the least significant byte is transferred first over the SPI interface during RAM read or write operations."

Are you setup to have pre-knowledge of the key? How are you going the identify it in the SPI log? The only RAM signal brought out is DVDD_RAM pin. I guess you could current sense and trigger on the RD/WR assuming there is a descernable current spike.

theatrus said...


Depending on the firmware running on the MSP430, it may take awhile for the second byte to be transferred to the CC2420. The delay isn't unusual. Also, unless the TelosB external ST dataflash chip is being used (unlikely in many applications, at least during runtime), checking for chip select isn't needed.

Also, identifying the key is trivial - just search for the right ram-write command and the relevant address.

This is of course a problem with any pre-shared key system.

asdf said...

@Yann Ramin,

Ahh, you got me, shouldn't have posted without doing the rest of my homework.

Unknown said...

What type of portable scope do you use ?

Unknown said...

The ZigBee Smart Energy Profile (SEP) uses certificates for secure communication. Simply knowing the link or network keys is pretty much useless unless you also have a certificate from the licensing body (Good luck, they are a royal pain in the a$$ even to those who are paying their exorbitant fees).

At this point, the vast majority of pilots and products out there that support SEP are based on the EM250, and not the TI CC2420. Utilities are requiring the security and standardization that the SEP provides.

I consider this blog to be cute. However, it has shown that politicians with mediocre minds will over react to anything that serves their purpose.

Unknown said...

Hey Travis, whilst I think your efforts to uncover vulnerabilities in systems are applaudable, are you going to quit spreading FUD about how by reading an AES-128 key in a CC2420 "you could control not just that meter you stuck the needle into, but any meter in the system" (

If not, maybe you could explain how you could do this?

Travis Goodspeed said...


See my paper entitled Extracting Keys from Second Generation Zigbee Chips for details of how to extract data memory from all presently available Ember and Chipcon radios, including the EM250. All of data memory is exposed, making certificates just as easy to extract as keys.


Anonymous said...
This comment has been removed by a blog administrator.
Unknown said...

free minecraft codes for you my friends.minecraft gift code generator

Douglas Flink said...

The Jagannath Rath Yatra is the largest and most visited Rath Yatra in the world. The English word juggernaut was originated from Jagannath which means massive and unstoppable “ratha” carrying Lord Jagannath. Another important feature is, the icon of Lord Jagannath is a carved out of wood and not stone or mud as done in case of usual Hindu deity. Amazing Facts About Hinduism

Lara Gargett said...

Not only in Solidworks, but also in other software related assignments, our experts can be extremely helpful. Our experts specialize in 3D mechanical design applications of Solidworks . When it comes to doing an assignment and you get stuck, don’t hesitate to get in touch with Online Assignment Expert for accounting assignment help. If you are a university student and looking for assignment writing help then Online Assignment Expert is one stop solution. Our MATLAB assignment writing experts in Australia serve the best MATLAB assignment help to students in order to solve their queries.

meldaresearchusa said...

After completing all ordered buy nursing papers assignments, our best nursing paper writing service team is keen on uploading them to a platform where clients can access them with ease.

Taylor Bara said...

This guide will help you to write a decent application letter to University of Michigan!

Vipin Chauhan said...

Thanks for provide great informatic and looking beautiful blog, really nice required information & the things i never imagined and i would request, wright more blog and blog post like that for us. Thanks you once agian

court marriage in delhi ncr
court marriage in delhi
court marriage in noida
court marriage in ghaziabad
court marriage in gurgaon
court marriage in faridabad
court marriage in greater noida
name change online
court marriage in chandigarh
court marriage in bangalore

Unknown said...

Telecom Project manager in the telecom space are the people in charge of a specific project or projects within a telecom business. As a project manager, their responsibilities are to plan, budget, manage and document all stages of a certain project. Telecom Project Managers are accountable for coordinating telecommunication systems installation projects for multiple businesses across the various platforms.

Olivia said...

It is really impressive, thank you so much for sharing this valuable information with us

Olivia said...

Way cool! Some very valid points! I appreciate you

Olivia said...

Inspired by grey rain-bearing clouds and a beautiful overcast sky, this bluetooth tracker in Cool Grey auto x tools is made for uber-cool personality

Olivia said...

The bohemian style is made from head to toe

IP CUBE said... said...

You can reinstall or install Microsoft Office Setup at

Herman Herrington said...

There are numerous approaches to watch Netflix on your TV – all you require is a gadget with the Netflix application! The Netflix application is accessible on many Smart TVs, game consoles, streaming media players, set-top boxes, and Blu-beam players. You can discover more data about viable gadgets and brands at, and to enroll visit or read on to check whether your TV is now Netflix-prepared. register
netflix activation code

Amazon my tv said...

Through - how you can connect your mobile phone to Amazon Prime. Through, you can watch your favorite TV shows, series movies. You can watch prime videos anywhere on your device. Users need to create an Amazon account if they don’t have an Amazon account and enter the Amazon my TV activation code to watch Amazon prime videos on your device. |

Esteban Ritchey said...

Я благодарен владельцу этого сайта за то, что поделился этой замечательной работой. Когда у вас есть подключение к Интернету, все, что вам нужно, это браузер, чтобы проверить веб-камеру. Если вы хотите узнать больше о веб-камерах, посетите эту статью тест веб-камеры онлайн .

Homer said...

Garmin Express is a software to manage your Garmin devices from your computer. Ideal for registering your products, but also for synchronizing their data, Garmin Express also allows you to update them.

Homer said...

Webroot Secureanywhere is world’s leading antivirus software which leads to your system’s sensitive data safety from uncountable cyber threats.

steeve00004 said... is an online platform that is a creation of Fox Corporation and stream the latest content and videos of your interest.
For More Information Visit Our Site:
tubi tv
Roadrunner email login

Harry Thomas said...

Wondering “ why is my computer so slow?” Running too many programs altogether can be one of the causes of this issue, making your life troublesome and too slow.

Harry Thomas said...

Yahoo will send you a reset link in your phone number or email address. In case if you are not accessing to the phone number anymore, click on I don’t have access to this phone option. It will then send you the link to your alternative mail address. Check your mail and do the procedure as suggested.

Tony said...

Such a great post many students need this kind of post please keep writing is best Installation Guide.The security package offered by this brand is incredibly easy to setup and install. You can easily install and upgrade any of the Webroot Secure Anywhere Antivirus products that help you handle cyber security in the best possible manner.

Download and install or reinstall office setup on a PC or Mac is gps tool
which enable you to manage your Garmin GPS device from your computer.

Tony said...

very good post keep writing this kind of is the easiest way to setup Canon printer to your system. Steps to connect wired or wireless printer on windows as mac devices are discussed below in this article

How to download and install hp drivers from You can download hp assistance to auto update drivers without any hadic

If you cannot download or install Norton on your device, read following steps for installing Norton in your PC. Go to the Norton Web link that is and then click install button.

pest control service near me professional not just has the most up to date as well as most effective items,however additionally the education and understanding to finish the job right.