Reverse Engineering Asked by Cybergibbons on September 30, 2021
I am working with a Zigbee system and I have been trying to grab the network key as it is exchanged during pairing. I wasn’t having much luck with the combination of TI Packet Sniffer, Wireshark and Killerbee – it kept on failing. This combination has worked for me in the past.
I installed a trial version of Perytons-M4 and captured a pairing using my CC2531 USB stick. To my surprise, this recovered the key automatically and started decrypting the rest of the data.
However, in the APS_CMD_KEY_TRANSPORT message sent to exchange the key, Perytons is showing that the APS layer data is in fact encrypted already, using a key that I have not seen before (4BAB0F173E1434A2D572E1C1EF478782)
The key for many Zigbee devices is “ZigBeeAlliance09”, which is the case here for some communications, but this is not the key being used for key exchange.
Once the capture is complete, the Perytons “Keys Management” window shows the “ZigBeeAlliance09” key along with the one sent in the APS_CMD_KEY_TRANSPORT, but not the one used to decrypt the APS data.
The device is a Yale PIR camera (manufacturer’s product page). I have been unable to identify the physical Zigbee modules used, but they look like and . Unfortunately I can’t work out a way of getting Data out of Perytons in a way that is easy to read by others.
I’ve had a google, had a look in the Zigbee specs and had a look in the Perytons documentation, but can’t find anything. Any ideas?
The key used is simply a hash of ZigBeeAlliance09. You see it in your picture pretty clear.
ZigBee uses the the default key as basis for different hash permutation of "ZigBeeAlliance09". Look it up in the ZigBee specification.
Answered by TobiASZ on September 30, 2021
What is the profile being used?
Home Automation (which is the one used by most devices) uses 'ZigBeeAlliance09' trust center link key to encrypt a random network key in the APS_CMD_KEY_TRANSPORT message. Joining devices decrypt the random network key in the APS_CMD_KEY_TRANSPORT message and then use the network key to encrypt/decrypt further network layer payloads. Most commercial sniffers will see the APS_CMD_KEY_TRANSPORT message and decrypt the network key. There is typically no further encryption at the APS layer for Home Automation.
Light Link Profile (Such as Philips Hue) uses the same security mechanism as HA but does not use the publicly available 'ZigBeeAlliance09' trust center link key, but a secret key only given to manufactures that have devices which have passed the Light Link Profile certification process.
Smart Energy profile uses the same network layer security mechanism as HA, but has further APS layer security which uses a key transferred with certicom certificates which are very secure (as it is typically utility companies using this for metering and do not want the meter reading tampered with).
Regards, TC.
Answered by t.c. on September 30, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP