What is ZigBee?
ZigBee is a standard for low-power Wireless Personal Area Networks (WPANs), which is to say wireless networks with a short range, typically 10-100 meters. ZigBee is commonly used for wireless control and monitoring applications such as wireless sensor networks (WSNs), industrial plant monitoring, building control, hospitals, smart metering and home automation. There are public profiles defined in the ZigBee specification for many of these use cases. ZigBee operates in the Industrial, Scientific, and Medical (ISM) radio bands and the exact frequency will depend on where you are in the world. It can use the 868 MHz band in much of Europe, 915 MHz in the USA and 2.4 GHz in many other locations. The 2.4 GHz band is very common as many of the available chipsets use it. The speeds available depend on which band you are using, but the maximum is 250 Kbps. This is slower than other popular wireless technologies such as WiFi but is also cheaper and lower cost.
There have been several updates to the original ZigBee 2004 specification, and it is common to see references to both “ZigBee 2006” and “ZigBee PRO”; ZigBee PRO is also sometimes referred to as ZigBee 2007. Among other things, ZigBee PRO allows for more complex routing and dynamic channel switching if interference is detected. While ZigBee PRO is backward compatible with ZigBee 2006 there are some limitations. Specifically, a ZigBee PRO device on a ZigBee 2006 network must operate as an End Device (more on device types later in this article), and similarly, a ZigBee 2006 device on a ZigBee PRO network must also be End Devices. Being the newer version, some of this article discusses ZigBee PRO concepts, although much of it will apply to both versions. Many people consider pre-ZigBee PRO to be “legacy” but it is important for those concerned with the security of ZigBee networks to understand older versions.
How Does ZigBee Operate?
More specifically, ZigBee is built on top of the 802.15.4 specification which defines the Physical (PHY) and Media Access Control (MAC) layers for low-rate WPANs (LR-WPANs). ZigBee adds layers on top of this to add more network and application intelligence. 802.15.4 is the basis for many other industrial wireless protocols as well so understanding it can be very useful to a security consultant. A ZigBee network allows a set of devices to communicate wirelessly via one of several possible topologies. Packets of data can be sent between nodes and may be routed by intermediary devices to more distant nodes that would otherwise be out of range. Each device has both a MAC address and a ZigBee network address, and the network has its own PAN ID shared by all devices. Packets can be protected by encryption but for this to work, all nodes will need a key and as we will see later there can be issues around how such keys are deployed to devices. The following sections provide more detail on how ZigBee operates.
The ZigBee Stack
A simplified view of the ZigBee stack looks like this:
ZigBee Node Types
There are three node types that a device can act as within a ZigBee network. Whatever node type a device is acting as it can also be doing some useful work such as acting as a sensor. Node types are only relevant to the topology of the ZigBee network and how devices help to route messages. The available node types are described below: Coordinator – Every ZigBee network must have a single Coordinator. This node is the first node to start up and initializes the rest of the network, selecting the frequency to use, the PAN ID of the network, and allowing other nodes to join the network. It acts as the parent to nodes that connect to the network through it (its children). The Coordinator also often runs other services such as routing and certain security services, although many of these services are options and some can be run on separately dedicated nodes. Router – Routers are not required in all ZigBee topologies but are still commonly found. They are responsible for relaying messages to other nodes. Nodes can also join the network via a Router, with the Router becoming their parent node; this can include one Router being the parent of another Router. End Device – An End Device is a simple node that sends and receives messages but performs no other special function in the network. Other nodes cannot join the network through them. End Devices are the only nodes that can sleep according to the ZigBee specification with the parent node (a Router or Coordinator) buffering messages until it wakes up again.
ZigBee Network Topology
ZigBee networks can have one of three different topologies which affect how messages are routed and which devices talk to which other devices. These topologies are summarized below:
Star topology is the simplest and most limited topology available to ZigBee. Devices all connect to a single Coordinator node and all communication goes via this Coordinator. It is interesting to note that this topology is defined by the underlying 802.15.4 specification which ZigBee builds on.
Child nodes can also be Routers, although in this topology they will not perform any routing functionality and essentially act like an End Device. With Star topology the throughput of the network is limited by the Coordinator and if the Coordinator fails the whole network fails. The range of the network is also limited to the rage of the Coordinator itself.
With Tree topology, the Coordinator forms the root node of a tree of child nodes. End Devices are leaf nodes (although a Router could also be a leaf if no children have joined it yet) and intermediate nodes are Routers. Direct communication can only occur between a child node and its parent, but all nodes can communicate together by messages traversing up the tree to a common ancestor and then down to the target node.
In this topology, Routers can extend the range of the network beyond that of any single device-to-device link. However, if a Router fails there is no alternative route and portions of the network can become disconnected.
Mesh topology is one of the most flexible offered by ZigBee. It is like Tree topology but without following the rigid tree structure and a Router can communicate directly with any other Router or the Coordinator if it is in range. This means there can be many different routes through the network to a given node, and ZigBee has a route discovery feature to find the best route to a given node and can, therefore, be “self-healing”.
When the security of MAC layer frames is desired, ZigBee uses MAC layer security to secure MAC command, beacon, and acknowledgment frames. ZigBee may secure messages transmitted over a single hop using secured MAC data frames, but for multi-hop messaging ZigBee relies upon upper layers (such as the NWK layer) for security. The MAC layer uses the Advanced Encryption Standard (AES) as its core cryptographic algorithm and describes a variety of security suites that use the AES algorithm. These suites can protect the confidentiality, integrity, and authenticity of MAC frames. The MAC layer does the security processing, but the upper layers, which set up the keys and determine the security levels to use, control this processing. When the MAC layer transmits (receives) a frame with security enabled, it looks at the destination (source) of the frame, retrieves the key associated with that destination (source), and then uses this key to process the frame according to the security suite designated for the key being used. Each key is associated with a single security suite and the MAC frame header has a bit that specifies whether security for a frame is enabled or disabled.
|The ZigBee Network Coordinator
||The ZigBee Network Node
ZigBee networks can be configured and operate in many different and often subtle ways. Sometimes the exact way a given aspect of the network will operate is based on the manufacturer of the ZigBee chipset. What’s more, by nature ZigBee networks can be highly flexible with devices sleeping and waking up, connecting and disconnecting, altering the layout of the mesh network, switching the channel or PAN ID and so on. To deploy these networks securely, or to analyze such a network as a security tester or researcher it is important to understand all these core concepts.