Analyzing the attack landscape of Zigbee-enabled IoT systems and reinstating users' privacy

Weicheng Wang, Fabrizio Cicala, Syed Rafiul Hussain, Elisa Bertino, Ninghui Li

Research output: Chapter in Book/Report/Conference proceedingConference contribution

10 Scopus citations

Abstract

Zigbee network security relies on symmetric cryptography based on a pre-shared secret. In the current Zigbee protocol, the network coordinator creates a network key while establishing a network. The coordinator then shares the network key securely, encrypted under the pre-shared secret, with devices joining the network to ensure the security of future communications among devices through the network key. The pre-shared secret, therefore, needs to be installed in millions or more devices prior to deployment, and thus will be inevitably leaked, enabling attackers to compromise the confidentiality and integrity of the network. To improve the security of Zigbee networks, we propose a new certificate-less Zigbee joining protocol that leverages low-cost public-key primitives. The new protocol has two components. The first is to integrate Elliptic Curve Diffie-Hellman key exchange into the existing association request/response messages, and to use this key both for link-to-link communication and for encryption of the network key to enhance privacy of user devices. The second is to improve the security of the installation code, a new joining method introduced in Zigbee 3.0 for enhanced security, by using public key encryption. We analyze the security of our proposed protocol using the formal verification methods provided by ProVerif, and evaluate the efficiency and effectiveness of our solution with a prototype built with open source software and hardware stack. The new protocol does not introduce extra messages and the overhead is as lows as 3.8% on average for the join procedure.

Original languageEnglish (US)
Title of host publicationWiSec 2020 - Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks
PublisherAssociation for Computing Machinery
Pages133-143
Number of pages11
ISBN (Electronic)9781450380065
DOIs
StatePublished - Jul 8 2020
Event13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2020 - Linz, Virtual, Austria
Duration: Jul 8 2020Jul 10 2020

Publication series

NameWiSec 2020 - Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks

Conference

Conference13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2020
Country/TerritoryAustria
CityLinz, Virtual
Period7/8/207/10/20

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Analyzing the attack landscape of Zigbee-enabled IoT systems and reinstating users' privacy'. Together they form a unique fingerprint.

Cite this