Telecom Signaling Industry News

TMCNet:  The Great ZigBee Caper [Security Dealer]

[September 26, 2012]

The Great ZigBee Caper [Security Dealer]

(Security Dealer Via Acquire Media NewsEdge) Escapades in wireless security After several false starts over the past three decades, building automation system (BAS) technology is accelerating again. It finally seems to be ready for prime time. It is showing up in office buildings, in factories in industrial automation, and in our homes - usually upscale homes. The potential of BAS is revolutionary. Many building automation systems are beginning to interconnect devices with short-range, low-power, digital radio links to significantly minimize wire and conduit costs and reduce installation time. That part of the system architecture is generically called ZigBee mesh networks or ZigBee chips, or more specifically, wireless personal area networks (WPANs). What most people don't know and very few insiders are willing to talk about is that this technology has an Achilles Heel. Some ZigBee networks can be hacked - often easily. In as much as there is a mounting trend toward incorporating security systems into these networks, it is essential for security dealers and integrators to fully understand this emerging vulnerability.

ZigBee technology emerged in the late 1990s. The term "ZigBee" is reputed to be based on the zigzag dance of honey bees reporting the location of flowers. As is the case for most of the older technologies, it was developed at a time when cyber-security wasn't perceived as being especially important. The term "ZigBee" refers to a specific set of communications protocols based on Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standards. Although these protocols have similarities with Bluetooth and Wi-Fi, they are not the same. The ZigBee specifications are maintained by the ZigBee Alliance which is composed of a number of companies. ZigBee is a registered trademark maintained by the Alliance. In the U.S., the chips operate at 915 MHz with data transmission rates ranging from 20 to 900 kilobits per second, but more often 250 kbps. The devices typically have from 60 to 256 KB of flash memory.

Watch out for sniffers The vulnerability is that it is a radio signal emanating device. Hackers can drive around and "sniff" unprotected wireless systems and devices using modified smartphones, PDAs or other receivers. The range can be up to 100 meters. They call this "wardriving" - albeit the terms initially applied to searching for Wi-Fi signals (the term "wardriving" is said to be derived from "wardialing," a term popularized by the 1983 motion picture, WarGames). A number of "White Hat" hackers, such as Travis Goodspeed, Joshua Wright and a few others demonstrated at various hacker conferences (viz. Blackhat) that once a ZigBee network is detected, certain technical vulnerabilities in the protocol and/or the specific device can often be exploited to gain control of the WPAN. If security systems are a part of the network, they could be turned off or settings changed.

ZigBee-based technology is continually expanding into new applications. When President Obama promised to reduce the cost of medical services by automating healthcare records, the ZigBee Alliance developed an application for healthcare automation. Other new applications for ZigBee devices include industrial controls, smart electrical meters, embedded sensors, the Smart Grid, HVAC, lighting, electronic locks - and now, security systems. Yes... it is possible to remotely unlock some electronic locks. ZigBee is especially prevalent in many home automation and home entertainment systems. In that these are usually "upscale" homes, they frequently include security systems, which often don't have the security network safeguards found in some industrial applications.

The discovery of vulnerabilities in industrial control devices is a relatively recent development, but it is hardly surprising. That technology was developed up to 40 years ago at a time when virus only meant catching a cold. For example, in August 2011, a research team composed of myself, Tiffany Rad and Teague Newman demonstrated at a DefCon Conference in Las Vegas that they could surreptitiously take control of programmable logic controllers (PLCs) in a correctional facility to open or close any door, while blocking the annunciation of any status changes at central control. This research was validated by Idaho National Laboratories. The detection of weaknesses in some ZigBee devices is one link in this long chain integrators should be aware of.

"In the U.S., the technology's chips operate at 915 MHz with data transmission rates ranging from 20 to 900 kilobits per second, but often 250 kbps. The devices typically have from 60 to 256 KB of flash memory." "The vulnerability is that it is a radio signal emanating device. Hackers can drive around and sniff unprotected wireless systems and devices using modified smartphones or other receivers." By John J. Straucs, MA, CPP John], Strauchs, MA, CPP, is Senior Principal of StrauchsLLCinAshburn, Va., ana formerly CEO of Sy stech Group Inc., a professional security and fire protection engineeringfirm. Earlier in his career, he was an operations officer with the U.S. Central Intelligence Agency (CIA).

(c) 2012 Cygnus Business Media

[ Back To Telecom Signaling's Homepage ]

Featured Events

5G NA Signaling Day

November 14-16, 2016
Sheraton Dallas, Dallas, TX

Featured Webcasts

Securing The Signaling Interconnect: Oracle's Perspective On Recent Security Events

Today's telecommunications landscape is changing rapidly, and the "institution" of trust between networks that has been assumed over the decades is no longer relevant. We are now hearing of vulnerabilities in CSP interconnection points that have been known ...

Applications of Wi-Fi Calling

With all of the discussion about faster data access and richer content, it could be assumed that voice services no longer play an important role in the business model of the communications service provider. Join ReThink Technologies Research and Oracle Communications as we explore ...

Featured Whitepapers

Oracle Communications Diameter Signaling Router Main Differentiators

Diameter is the protocol used by network elements in LTE and 3G networks to enable and monetize services, such as voice, video and data. Diameter enables revenue-generating data services; including tiered data plans, loyalty programs, application specific QoS, content provider and Internet of Things (IoT) solutions ...

Multi-Layer Security Protection for Signaling Networks

The sanctity of mobile operators' networks and brands will depend greatly on their ability to deliver QoS guarantees to roaming and interconnect partners, while simultaneously protecting increasingly multimedia-savvy and socially connected ...

Featured Datasheets

Oracle Communications Diameter Signaling Router

Centralizing Diameter routing with cloud deployable Oracle Communications Diameter Signaling Router creates a secure signaling architecture that reduces the cost and complexity of the core network and enables elastic growth, interoperability and rapid introduction ...

Oracle Communications Mobile Security Gateway

The Oracle Communications Mobile Security Gateway is a high performance gateway that allows the Communications Service Provider (CSP) to cost effectively expand network coverage and increase capacity by incorporating Heterogeneous ...

Oracle Communications Evolved Communications Application Server

As service providers drive their networks toward an all-IP and virtualized state, they require the means to design and deliver compelling high definition voice, video and multimedia offers via Voice over LTE (VoLTE) and Voice over WiFi (VoWiFi) ...

Featured Infographic