Wednesday 13 April 2016

Z-wave protocol analysis using Ez-Wave

Background: Recently I was able to get my hands on a couple of IoT devices talking the proprietary Z-Wave protocol. Specifically I had 2 devices -

i) Z-Wave 3-in-1 PIR motion sensor, which can detect movement, temperature and luminance.
ii) Z-Wave smart energy plug, which reports the energy consumption of the device connected to it. It can also switch that device ON/OFF depending on the requests sent to it by a Z-Wave controller.

These devices are already deployed in many smart homes, so it is important to analyze their security capabilities. This got me rolling, and here is a post about how to sniff Z-Wave packets using an SDR. It seems that the state of the art in pentesting any wireless communication protocol is to use these SDRs.

A detailed security assessment of the Z-Wave protocol and Z-Wave enabled devices was presented at ShmooCon 2016 in "Breaking Bulbs Briskly by Bogus Broadcasts" (https://www.youtube.com/watch?v=IgquSEhAGvA) by Joseph Hall and Ben Ramsey. It details how many Z-Wave device manufacturers disregard security and don't even encrypt the data exchanged between the Z-Wave device and the Z-Wave controller, which opens up a range of attacks that can be launched on Z-Wave devices. They also released an open-source tool for sniffing and playing with these packets, called EZ-Wave. In this post I shall try to sniff some of the traffic generated by my Z-Wave devices.

EZ-wave Installation:

Install EZ-wave dependencies:

The instructions for installation are detailed on the GitHub page at https://github.com/AFITWiSec/EZ-Wave. However, there are a number of software bundles that need to be installed, especially GNU Radio, which has a lot of dependencies. Hence, instead of installing all these packages myself, I used the Pentoo Linux distribution (http://www.pentoo.ch/about). The advantage of using Pentoo Linux is that all the software required for the EZ-Wave installation, such as GNU Radio, OsmocomSDR, the HackRF host software and Wireshark, comes pre-installed in the distro, saving the time to install it manually.

The simplest way is to download the Pentoo Linux image from the downloads section of the site and then burn the image onto a live USB stick. One important thing to note here is that Michael Ossmann (maker of the HackRF) highly recommends in his "Introduction to SDR" tutorial (https://greatscottgadgets.com/sdr/) not to connect the HackRF to any virtual machine, for performance reasons, but to use it directly on the base OS. On a side note, if you are a newbie it's highly recommended to go through at least his first tutorial, where he introduces the SDR concepts (https://greatscottgadgets.com/sdr/1/), and also the tutorial on HackRF usage (https://greatscottgadgets.com/sdr/5/).

We now boot from the live USB. (In case you get an error like "boot device not found", press "Tab" on the keyboard and select the pentoo5 OS, or type it and press Enter.) Pentoo Linux should boot correctly. Launch a GUI using the "startx" command. In case no IP address is allocated to the box, just run "dhcpcd eth0" to request one.

Now, to test that the HackRF software is working correctly, plug the HackRF devices into the USB ports and run the command "hackrf_info". I use 2 HackRFs since they are half-duplex and I wish to receive and transmit at the same time. We can see that both our devices are correctly detected.

Install Scapy-Radio

Next we install the EZ-Wave tool itself. We run the setup.sh script, which clones the scapy-radio framework, and then we install it.



I noticed that if you use Pentoo Linux, you don't need to worry about making changes to the GNU Radio config file.

Install Wireshark

We downloaded the source package for Wireshark version 1.12.10 from https://www.wireshark.org/download/src/. Copy the Wireshark dissector files shipped with EZ-Wave into wireshark-1.12.10/epan/dissectors. By default Wireshark tries to use Qt 5 for building its UI. This gave me errors, so I chose to build the Wireshark UI with GTK3 instead. Hence it's important to tell Wireshark at the configure stage to use the GTK3 library instead of the Qt 5 libraries; our build steps configured Wireshark with GTK3, then built and installed it.



EZ-Wave Usage:

In order to sniff packets, we start gnuradio-companion and provide it with the Z-Wave radio configuration file as input.

Select the Zwave.grc file to open in the gnuradio-companion

One important thing to take note of in the .grc file is the centre frequency variable, i.e. center_freq. The European standard Z-Wave devices (which I have) talk on 868.42 MHz, instead of the default centre frequency hardcoded in the .grc file, which is for US Z-Wave devices, and hence this variable needs to be changed to reflect the frequency of your device. To change the variable, double-click it and then key in the new value.

gnuradio-companion main window
After changing the .grc file we need to recompile the flow graph. Finally we can run it by pressing the play button on the top menu. (Also make sure that the Python modules are on the Python path environment variable, else there may be some errors.)

The HackRFs should now be able to pick up Z-Wave packets in the vicinity. I forced the Z-Wave device to send some packets by pressing the button on the device body. All the captured Z-Wave packets are sent to localhost:52002 and can be seen in Wireshark using the new dissector. You can apply filters like !icmp to remove the interrogation commands sent to the Z-Wave devices.

Wireshark Z-wave packet capture

We can see the HomeID and NodeID of the captured Z-Wave packet. The data exchanged between the Z-Wave controller and the Z-Wave device is also not encrypted.
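To make concrete what the dissector is showing, here is an added example (not code from this post or from EZ-Wave) that parses a Z-Wave (ITU-T G.9959) MAC frame into HomeID, node IDs, frame control and command class, verifies the 8-bit XOR checksum used on the 9.6 and 40 kbit/s channels, and reports whether the payload uses the Security command class; the HomeID, node IDs and payloads are constructed values, not a real capture.

```python
# Added example: dissect a G.9959 (Z-Wave) MAC frame the way the Wireshark dissector
# presents it. The XOR checksum covers the R1/R2 (9.6/40 kbit/s) channels only; the
# 100 kbit/s channel uses CRC-16 and is not handled here. Home/node IDs and payloads
# are constructed sample values.

SECURITY_CMD_CLASS = 0x98  # COMMAND_CLASS_SECURITY: payload is security-encapsulated
CMD_CLASS_NAMES = {0x20: "BASIC", 0x25: "SWITCH_BINARY", 0x32: "METER",
                   0x71: "ALARM", 0x98: "SECURITY"}

def xor_checksum(data: bytes) -> int:
    """G.9959 R1/R2 checksum: XOR of every byte, starting from 0xFF."""
    c = 0xFF
    for b in data:
        c ^= b
    return c

def build_frame(home_id: bytes, src: int, dst: int, payload: bytes, seq: int = 0) -> bytes:
    """Singlecast frame: HomeID | src | frame control (2) | length | dst | payload | checksum."""
    fc1 = 0x40 | 0x01                  # bit 6: ack requested; low nibble 1: singlecast
    fc2 = seq & 0x0F                   # low nibble: sequence number
    length = 4 + 1 + 2 + 1 + 1 + len(payload) + 1   # whole frame incl. checksum
    body = home_id + bytes([src, fc1, fc2, length, dst]) + payload
    return body + bytes([xor_checksum(body)])

def parse_frame(frame: bytes) -> dict:
    """Split a raw frame into dissector-style fields, checking the length byte first."""
    if len(frame) < 11 or frame[7] != len(frame):
        raise ValueError("length field does not match frame size")
    cmd_class = frame[9]
    return {
        "home_id": frame[0:4].hex(),
        "src": frame[4],
        "ack_req": bool(frame[5] & 0x40),
        "header_type": frame[5] & 0x0F,
        "seq": frame[6] & 0x0F,
        "dst": frame[8],
        "cmd_class": CMD_CLASS_NAMES.get(cmd_class, f"0x{cmd_class:02x}"),
        "payload": frame[9:-1].hex(),
        "checksum_ok": xor_checksum(frame[:-1]) == frame[-1],
        "secure": cmd_class == SECURITY_CMD_CLASS,
    }

# Constructed captures: controller (node 1) switching the plug (node 2) ON with a
# plaintext Binary Switch Set, and a Security-encapsulated message to the sensor (node 3).
HOME = bytes.fromhex("c0012345")
PLUG_SET_ON = build_frame(HOME, 0x01, 0x02, bytes([0x25, 0x01, 0xFF]), seq=3)
SECURE_MSG = build_frame(HOME, 0x01, 0x03, bytes([0x98, 0x81, 0xAA, 0xBB, 0xCC, 0xDD]), seq=4)
```

Running parse_frame over PLUG_SET_ON shows the HomeID, both node IDs and the ON command in the clear, while SECURE_MSG is flagged as using the Security command class.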


12 comments:

  1. Hi, I have a question. Should I enable the Z-Wave protocol in Wireshark? I can't receive any Z-Wave packets and I can't find the Z-Wave protocol in Wireshark.

    1. Hi Ren,
      You will need to rebuild Wireshark with the dissector files provided by the authors of the EZ-Wave tool to see the protocol.

      Also, the way to be sure you are getting Z-Wave packets is to check that you see the radio traffic from within the GNU Radio console. You will see some debug messages flying around. If you don't see anything here, it is unlikely you will see anything in Wireshark.

  2. Hi,
    I am trying to use RTL2832U dongle to sniff Zwave packets. Per instructions given by oldsmokingjoe in his blog I did the following -

    Create bootable Pentoo Linux, latest version - Pentoo 2015 RC5 (Pentoo_amd64_hardened). Burnt the ISO using the Rufus application.
    Check for all dependencies for the EZ-Wave setup & update.
    Login to Pentoo as root (sudo -i) & download EZ-Wave from https://github.com/AFITWiSec/EZ-Wave & extract it to /root.
    Run the setup.sh. Setup completed without issues
    Go to /root/scapy-radio and run install.sh
    Observed that install.sh grc is giving the following error:
    File "/usr/bin/grcc", line 32, in
    from gnuradio.grc.python.Platform import Platform
    ImportError: No module named python.Platform

    I was able to rectify this by updating the /usr/bin/grcc file as below:
    Original string: from gnuradio.grc.python.Platform import Platform
    Updated string: from gnuradio.grc.gui.Platform import Platform

    Now I'm getting the below error messages 6 times (there are 6 .grc files which grcc tries to process) on /root/scapy-radio ./install.sh grc
    init() takes at least 2 arguments (1 given)
    Error during file compilation.

    I tried different combination of arguments with grcc but still I was unable to get the grcc working.

    Please look into this and provide your inputs to rectify this & get the Zwave packet sniffing!
    Appreciate your help

    1. Hi Avi,

      You may check with the original writers of the EZ-Wave tool. However, as per my last understanding, it was supposed to be used only with the HackRF. I believe that the GNU Radio files work out of the box for the HackRF radio, but I am not sure about other kinds. You may need to understand and make suitable changes to the flowgraph to make it work for other radios.

  3. Hi,
    First of all, nice tutorial!

    I have followed all the steps, but in Wireshark, when I try to make the package, I get this error:

    /bin/bash/: warning : shell level (1000) too high, resetting to 1.

    This error repeats itself a number of times, and then the process fails...

    Has this happened to someone before? I would appreciate some help!

    Thanks

    1. Hello Cartage,

      I did not face this problem before. It seems to be a case of too many nested shells. I found something that may help you: https://unix.stackexchange.com/questions/369932/bash-warning-shell-level-1000-too-high-resetting-to-1

  5. Hi, I have a question. Do you need 2 HackRFs to sniff packets?
    Thanks

  6. Hi,

    Thanks for your nice tutorial!

    I am trying to run Zwave.grc on Pentoo. However, the program cannot import some Python modules (e.g., Zwave). Do you know where the modules are? Thanks very much!

    1. Did you solve the problem? I've got the same issues.
      Thanks

  7. Hello,

    I would like to ask you if you are able to receive frames at all Z-Wave data rates and codings. I'm stuck here, because I'm not able to receive frames for an inclusion process, for example.

    Thank you

  8. Hello,
    I am getting underruns in GNU Radio Companion, nothing more than that. Did anyone face that problem?

    Thanks
