Analyzing the attack landscape of Zigbee-enabled IoT systems and reinstating users' privacy

Weicheng Wang, Fabrizio Cicala, Syed Rafiul Hussain, Elisa Bertino, Ninghui Li

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    3 Scopus citations

    Abstract

    Zigbee network security relies on symmetric cryptography based on a pre-shared secret. In the current Zigbee protocol, the network coordinator creates a network key while establishing a network. The coordinator then shares the network key securely, encrypted under the pre-shared secret, with devices joining the network to ensure the security of future communications among devices through the network key. The pre-shared secret, therefore, needs to be installed in millions or more devices prior to deployment, and thus will be inevitably leaked, enabling attackers to compromise the confidentiality and integrity of the network. To improve the security of Zigbee networks, we propose a new certificate-less Zigbee joining protocol that leverages low-cost public-key primitives. The new protocol has two components. The first is to integrate Elliptic Curve Diffie-Hellman key exchange into the existing association request/response messages, and to use this key both for link-to-link communication and for encryption of the network key to enhance privacy of user devices. The second is to improve the security of the installation code, a new joining method introduced in Zigbee 3.0 for enhanced security, by using public key encryption. We analyze the security of our proposed protocol using the formal verification methods provided by ProVerif, and evaluate the efficiency and effectiveness of our solution with a prototype built with open source software and hardware stack. The new protocol does not introduce extra messages and the overhead is as lows as 3.8% on average for the join procedure.

    Original languageEnglish (US)
    Title of host publicationWiSec 2020 - Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    PublisherAssociation for Computing Machinery
    Pages133-143
    Number of pages11
    ISBN (Electronic)9781450380065
    DOIs
    StatePublished - Jul 8 2020
    Event13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2020 - Linz, Virtual, Austria
    Duration: Jul 8 2020Jul 10 2020

    Publication series

    NameWiSec 2020 - Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks

    Conference

    Conference13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2020
    Country/TerritoryAustria
    CityLinz, Virtual
    Period7/8/207/10/20

    All Science Journal Classification (ASJC) codes

    • Computer Networks and Communications
    • Safety, Risk, Reliability and Quality

    Fingerprint

    Dive into the research topics of 'Analyzing the attack landscape of Zigbee-enabled IoT systems and reinstating users' privacy'. Together they form a unique fingerprint.

    Cite this