What is Zigbee and Why is it Used Extensively in SCADA and IoT?

IoT Hacking SCADA Hacking

Welcome back, my aspiring cyberwarriors!

As our digital world expands to greater and greater physical space, the need for a simple, energy efficient wireless protocol becomes increasingly necessary. SCADA/ICS facilities sometimes span miles or even tens of miles and the ability to span these miles with cable simply is not practical. These types of facilities require a wireless network that can connect PLC’s to sensors or actuators, sometimes at great distance. In addition, the growth of IoT in smart home and other applications such as building security also require a wireless technology that is low cost and energy efficient.

Enter Zigbee.

Zigbee is a wireless communication protocol designed for low-power, low-data-rate applications, particularly in the Internet of Things (IoT) environment.

Zigbee is optimized for low power usage, making it suitable for battery-operated devices that need to operate for long periods without frequent recharging. It typically operates within a range of 10 to 100 meters, depending on the environment and device configurations. Zigbee supports data rates of up to 250 kbps, which is adequate for applications that do not require high-speed data transmission such as commands (start/stop, on/off, temperature, pressure, etc.)

Let’s take a deep dive into Zigbee to understand how it works and how it breaks!

Network Topologies

Zigbee supports various network topologies that define how devices connect and communicate:

  1. Star Topology:
    • In this configuration, all devices communicate directly with a central coordinator node.

    • End devices can only send and receive data through the coordinator, which manages the network.

  1. Tree Topology:

    • This topology includes a coordinator at the root and multiple routers and end devices structured in a hierarchical manner.

    • Routers can communicate with both the coordinator and their child nodes, allowing for extended coverage but limiting communication paths.

    • Zigbee’s most flexible topology allows devices to communicate directly with each other without needing a central hub.

    • This self-healing capability ensures that if one device fails, data can be rerouted through alternative paths, enhancing reliability and coverage.

      Mesh Topology:

       
  2. Mesh topologies are becoming increasingly common in newer technologies such as IoT and satellite networks. For more on mesh topologies, check out my article here.

Device Roles

Zigbee networks consist of three main types of devices:

Coordinator: The central node responsible for network management, including device registration and routing information.

Router: Extends network coverage by forwarding data between devices. Routers can connect to multiple end devices and other routers.

End Device: Typically battery-operated devices that communicate with routers or the coordinator but do not relay messages

Communication Process

  1. Devices scan available channels in the designated frequency bands (868 MHz, 915 MHz, or 2.4 GHz) to find a suitable Zigbee network.

  2. A new device sends an association request to the coordinator to join the network, providing its unique address and capabilities.

  3. Once connected, devices can send and receive data packets through the established routes defined by the network topology

Reliability and Security

Zigbee incorporates mechanisms for ensuring reliable communication even in adverse conditions:

  • Link Management: Each device maintains quality metrics for its connections, allowing it to choose optimal paths for data transmission.

  • Security Features: Zigbee includes security protocols such as encryption and authentication to protect data integrity and prevent unauthorized access.

Vulnerabilities and Security Risks

Although Zigbee is excellent at wide area, energy-efficient mesh networks of IoT devices, it has a number of key vulnerabilities and security risks.

  • First, older versions of Zigbee (like 1.2) utilized static symmetric keys, which are easier to exploit compared to more dynamic key management systems introduced in later versions.

  • Zigbee allows for link keys to be reused for device rejoining. This practice can enable attackers to clone devices and spoof legitimate ones by capturing and reusing previously used link keys.

  • Zigbee devices are often low-cost and may lack tamper-resistant features, making them vulnerable to physical theft. Once stolen, these devices can be easily reconfigured to join a different network.

    See our upcoming Physical Security training.

  • Attackers can capture legitimate commands sent over the air and replay them at a later time to gain unauthorized control over devices within the network. While frame counters are implemented to mitigate this risk, they are not foolproof.

Summary

The Zigbee communication protocol is ideal for low-cost, energy efficient networks such as SCADA/ICS and IoT. Where devices span a wide area and are battery powered, Zigbee in the protocol of choice. Unfortunately, it was some glaring security vulnerabilities that make it rather easy to hack and compromise.

For more on Zigbee, check out our upcoming Bluetooth Hacking training.