IoT Goes Nuclear: Creating a Zigbee Chain Reaction

Link to the Paper: https://eprint.iacr.org/2016/1047.pdf

Summary:

My first thought on this paper was that it is really, really cool. The abstract paints a picture of a near-future dystopia where worms are infecting IoT devices left and right. The paper then transitions that idea into real life, saying that the authors built a worm infection like that which could take down all the lights of a typical city like Paris (105 square kilometers). But while there are a lot of novel approaches to compromising IoT devices in this paper, a lot of the broad industry-level information has already been touched on in past papers, and this paper mainly focuses on a single product and how to exploit that one product. That said, I really enjoyed this paper, but I don't think much can be taken away from it now that the manufacturers have patched what made the exploits so effective.


What I liked:

  1. The paper identifies the key design flaw in Philips' products: the assumption that an attacker will not get in close physical proximity to one of them.

  2. As I was reading about how the smart lamps can be reset, it was a natural progression in my mind that these types of attacks could be carried out from some type of moving platform. I really loved how the paper addressed this and did its own tests.

  3. The entire attack was done with off-the-shelf equipment. Some custom implementation work was needed, but it isn't beyond the reach of a hobbyist.

  4. Very in-depth explanations that don't go too deep into the weeds, e.g. how they loaded the OTA image into the chip by only setting a flag and knowing the offsets.

  5. Paints a picture of the future in an IoT world and shows how future threats of network jamming, data exfiltration and denial-of-service attacks might play out.


What I didn't like:

  1. For the calculations on the attack on Paris, the paper makes the assumption that the smart lamps are randomly distributed around the city, which I think isn't really likely. My assumption would be that newer districts would have the smart lamps concentrated in their area while older ones would not have them at all; this prevents the worm from spreading and keeps it localized.

  2. The paper points to issues with Philips' implementation of security measures, but doesn't really address what the industry could do better to prevent these types of attacks in the future.

  3. It seems like the major possibility of a worm was brought up in O'Flynn's research. I think that this is a specific implementation of that worm, but I don't see how this paper is extremely unique compared to past papers.

  4. Since the exploits have been patched, I'm not really sure how this paper benefits the community as a whole now.

  5. They didn't actually build the worm and see how it would have worked, even in an isolated setting.
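The spatial assumption behind point 1 above can be checked with a small simulation. This is an added example, not code from the paper or from the reviewer: the city size, infection range, lamp count, seed and district layout are assumptions chosen for illustration, and the infection rule (an infected lamp takes over every lamp within range, generation by generation) is the simplest possible model of the chain reaction the paper describes. It places the same number of lamps either uniformly at random over the city, as the paper's Paris estimate assumes, or packed into four dense districts separated by lamp-free space, and then seeds one worm near the city centre and follows the spread.

```python
import random
from collections import defaultdict

# Assumed parameters for illustration (not from the paper).
CITY_M = 2000.0     # side of the square city, in metres
RANGE_M = 100.0     # lamp-to-lamp infection range, in metres
DISTRICT_M = 300.0  # side of each dense district in the clustered model


def place_uniform(n, rng):
    """Lamps scattered uniformly at random over the whole city (the
    spatial model the paper's Paris estimate assumes)."""
    return [(rng.uniform(0, CITY_M), rng.uniform(0, CITY_M)) for _ in range(n)]


def place_clustered(n, rng):
    """The same n lamps packed into four dense districts in the city's
    corners, with far more than RANGE_M of lamp-free space between them."""
    far = CITY_M - DISTRICT_M
    corners = [(0.0, 0.0), (far, 0.0), (0.0, far), (far, far)]
    lamps = []
    for i in range(n):
        x0, y0 = corners[i % len(corners)]
        lamps.append((x0 + rng.uniform(0, DISTRICT_M),
                      y0 + rng.uniform(0, DISTRICT_M)))
    return lamps


def _cell(x, y, range_m):
    """Grid cell of side range_m containing point (x, y)."""
    return (int(x // range_m), int(y // range_m))


def simulate_worm(lamps, start=None, range_m=RANGE_M):
    """Breadth-first chain reaction: every infected lamp reprograms every
    not-yet-infected lamp within range_m, one generation per hop.
    Returns (fraction of all lamps infected, number of hops needed).
    The worm is seeded at the lamp closest to the city centre unless a
    start index is given."""
    if start is None:
        mx, my = CITY_M / 2, CITY_M / 2
        start = min(range(len(lamps)),
                    key=lambda i: (lamps[i][0] - mx) ** 2 + (lamps[i][1] - my) ** 2)
    # Spatial hash with cells of side range_m: any lamp within range of a
    # given lamp lies in the same cell or one of the eight neighbouring cells.
    cells = defaultdict(list)
    for idx, (x, y) in enumerate(lamps):
        cells[_cell(x, y, range_m)].append(idx)
    r2 = range_m * range_m
    infected = {start}
    frontier = [start]
    hops = 0
    while frontier:
        nxt = []
        for i in frontier:
            xi, yi = lamps[i]
            cx, cy = _cell(xi, yi, range_m)
            for dx in (-1, 0, 1):
                for dy in (-1, 0, 1):
                    for j in cells.get((cx + dx, cy + dy), ()):
                        if j in infected:
                            continue
                        xj, yj = lamps[j]
                        if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2:
                            infected.add(j)
                            nxt.append(j)
        if nxt:
            hops += 1
        frontier = nxt
    return len(infected) / len(lamps), hops


def compare(n=2000, seed=7):
    """Run the same worm against both placements with the same lamp count
    and the same random seed; returns {name: (fraction_infected, hops)}."""
    results = {}
    for name, place in (("uniform", place_uniform), ("clustered", place_clustered)):
        rng = random.Random(seed)
        results[name] = simulate_worm(place(n, rng))
    return results


if __name__ == "__main__":
    for name, (fraction, hops) in compare().items():
        print(f"{name:9s}: {fraction:5.1%} of lamps infected after {hops} hops")
```

With these assumed numbers the uniform placement has roughly fifteen lamps within range of any given lamp, far above the density at which the paper's percolation argument predicts a city-wide chain reaction, so the worm reaches essentially every lamp. The clustered placement has the same 2000 lamps and an even higher local density, but the worm takes over exactly one district (a quarter of the lamps) and then stalls, because no lamp in that district is within range of any lamp in another. Whether a real city behaves like the first or the second run depends on the placement of the lamps, which is the point the paper's calculation glosses over.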


Points for discussion:

  1. What does it mean to really be "adjacent" in an interconnected world of IoT devices?

  2. How will the industry standard for IoT device communication cryptography change in light of these exploits?

  3. How did O'Flynn propose that a worm attack IoT devices in his past papers, and how does that differ from this paper?

  4. How did Philips change the infection range to less than a meter to prevent these attacks from happening in the future?

  5. Is this type of attack specific to devices all on one network, or is it adaptable to many different networks?

New Ideas:

  1. Research what other IoT devices are similar to the lamps and could fall victim to similar types of attacks.

  2. Is there a way to dynamically change the master key for ZLL-certified products so that if the key gets leaked, it doesn't open the products up to new exploits?

  3. The paper mentions that the Harvard architecture of the IoT devices in this case made it extremely hard to pass a software exploit through traditional means. What percentage of IoT devices have this? Are there alternatives that are more cost-effective?

  4. It seems like the worm is only possible due to fake firmware updates. Is there a way to create a secret key for each device within the Zigbee protocol that can act as a backstop against leaked master keys?

  5. Is a common update framework helpful or hurtful in the spread of worms?