Using KillerBee with ZigBee devices

Yesterday I received a few of the Raven ZigBee USB sticks with the KillerBee firmware loaded on it, thank you Joshua Wright I grabbed the latest version of Killerbee and started playing around with KillerBee and the ZigBee sticks. KillerBee is an 802.15.4 exploration and exploitation framework. It was extremely easy to get running, I was able to install it on BackTack4 and only needed python-usb package.

The KillerBee framework comes with a number of handy applications: zbassocflood, zbconvert, zbdsniff, zbdump, zbfind, zbgoodfind, zbid, zbreplay, zbstumbler. Most of these applications are similar to their network counterparts. zbdsniff attempts to grab keys while they are being provisioned. zbdump is similar to tcpdump and will store 802.15.4 packets to a pcap file or Daintree SNA file. zbfind is a gui application similar to airmagnet and can be used to track down ZigBee devices, it can use either active or passive scanning. zbreplay will take a pcap or Daintree SNA packet capture and replay the capture. zbstumbler is similar to netstumbler and uses active scanning to locate ZigBee devices. zbgoodfind uses a memory dump and an encrypted packet capture to find the key and decode the packet capture. The memory dump can be captured using a method similar to the one Travis Goodspeed described in his presentation at S4 2009. While the applications included in the KillerBee framework are an excellent starting point for monitoring and attacking ZigBee devices, the strength of the framework is its extensibility.

I took one of the ZigBee USB sticks and hooked it up to my netbook and walked around downtown. I live in an area that has a large Smart Meter install base. I wasn’t able to find any ZigBee devices while walking around, at some point the software crashed. I will be heading back downtown to perform a few more passive scans but next time it will be a bit more targeted, not just wondering around.