[00:00:06] Z-Wave is a little bit different than other IoT communication protocols. This is because Z-Wave is a connection-oriented protocol. Basically, the nodes on the network acknowledge the receipt of messages from a network controller.

[00:00:21] Z-Wave uses the concept of mesh networking. A Z-Wave mesh network node can forward commands and receive responses from neighboring nodes. Now, the Z-Wave network is also capable of high availability, and this is actually done by routing around the failed point. And this is also because of overlapping radio zones. Each node can route to a maximum of four devices. Now, this gives a Z-Wave network a maximum range of 400 feet.

[00:00:53] The Z-Wave controller maintains a routing table of each node and the respective neighbors. The routing table is created when a device is actually added to the Z-Wave network, and people call this the inclusion process. When nodes are included or removed from the network, the network administrator can actually trigger a request for device identification to construct an updated routing table.
[00:01:22] Z-Wave devices operate at the 908.42 megahertz frequency in the US and 868.42 megahertz in Europe. The US frequency falls within the FCC-designated industrial, scientific, and medical (ISM) band. Z-Wave uses either frequency shift keying (FSK) or Gaussian frequency shift keying (GFSK). Data transmission is actually fairly slow. The transmission rates are 9.6 kilobits per second and 40 kilobits per second for FSK, and a hundred kilobits per second for GFSK.

[00:02:04] Now, to encode data within the modulated RF signal, Z-Wave uses Manchester or non-return-to-zero (NRZ) encoding.

[00:02:17] Now, Z-Wave uses the AES-OFB, or output feedback mode, protocol to provide data confidentiality on the network, while using the AES CBC-MAC protocol, so the encryption protocol, to provide data integrity protection. These protocols are definitely well established, and you learned about these protocols actually in the first course of this series. And you know that the CBC-MAC protocol is actually used in many other cryptographic cipher suite implementations as well.
[00:02:53] Now, the Z-Wave protocol implements a class security command, and to be specific, a CLASS_SECURITY command, that is used to exchange security information between devices. Whenever a Z-Wave device joins the network and supports the security class, it completes a key exchange process to derive keys for subsequent use in encryption and data integrity protection.

[00:03:22] These are the steps for the key exchange process. In the first two steps, so in steps one and two, the controller and the secure device prepare for the key exchange. This is where the controller notices whether the device supports the security command class; then the controller requests, and the secure device returns, a nonce value. Now, with the nonce value, the controller encrypts the network key, or what we refer to as KN, using the temporary key, which we also refer to as K0. The network key is actually randomly selected by the controller when the network is actually established and is therefore unique for each Z-Wave network. The temporary key is an array of 16 bytes of zeros.
[00:04:17] When the secure device receives the encrypted network key, or KN, and the MAC from the controller, it validates the MAC and decrypts the message with the temporary key, or K0. So the secure device then registers the decrypted network key as the current key, right? And then the secure device requests a nonce from the controller, and then, using the nonce value, the secure device actually encrypts a Key Set OK message, which is actually the hexadecimal value 07. Now, then the controller validates that the packet was encrypted using KN by validating the MAC.

[00:05:03] Now, the problem is that the key exchange process has been historically vulnerable to several attacks. It has been vulnerable to man-in-the-middle attacks because the secure devices do not validate the identity of the controller other than validating the MAC of the encrypted network key using the temporary key. This is also vulnerable to key recovery attacks because there's no confidentiality protection in the delivery of the network key over, of course, the network, since the temporary key is actually well known.
[00:05:38] Basically, if you passively capture the inclusion process using class security, you can potentially recover the network key and then use it to decrypt and forge Z-Wave packets on the network.

[00:05:51] The Z-Wave Alliance is the organization in charge of the interoperability and the compatibility of Z-Wave devices. So to address the vulnerabilities that I actually just discussed, and also to minimize the cost of the overall system, especially, you know, these systems are low cost. And I'm not saying that they are actually low budget, but in a lot of cases, actually, they have to minimize the cost of addressing some of these vulnerabilities. They actually, the Z-Wave Alliance, added a new feature to the process called the low power inclusion mode.

[00:06:28] Of course, eavesdropping attacks are also possible, since they are a common attack technique against any wireless network. Now, Z-Force is a tool that was actually designed for Windows. And it was also created by two security researchers called Bernard (indistinct) and (indistinct).
[00:06:51] And they actually had pretty good research into different Z-Wave vulnerabilities, actually. They presented all the way back in 2013 or so. Now, you can actually use that tool to eavesdrop on Z-Wave networks and also intercept and inject Z-Wave frames. However, most of the vulnerabilities they actually leverage have already been fixed by many vendors.

[00:07:16] Now, as you probably remember, in lesson three I covered the different wireless antennas and adapters. You learned about the YARD Stick One, which is an antenna that allows you to monitor and inject frames into RF signals lower than one gigahertz. You can use it in conjunction with many tools like RFcat to monitor not only Z-Wave signals, but again, anything that transmits under one gigahertz.

[00:07:43] In this example, I'm actually showing RFcat, and I'm using the RFrecv function. And you can see that all the functions start with a "d" in here, and in this function I'm actually specifying the Z-Wave frequency of 908.4. I actually have a Z-Wave door lock that is actually transmitting, so once I actually press Enter, you see a series of hexadecimal values.
[00:08:11] This is just a quick example of a transmission from the door lock looking for a Z-Wave controller. Now, as I mentioned, I'm actually using RFcat with a YARD Stick One. And here I'm actually printing the radio configuration using the reprRadioConfig function. And as you can see, I'm actually using the YARD Stick One, as I mentioned before, and it gives you information about the current configuration, including things like the frequency, modem, packet, crypto, and radio test signal configuration. And it also shows you the radio state and the client state information.

[00:08:52] Now, there are many features within RFcat. It even comes with a spectrum analyzer. In this example, I'm actually using the 908.4 frequency. And here we actually see a couple of spikes in very adjacent frequencies, right? So again, you can actually use the built-in spectrum analyzer that actually comes with RFcat, and not only for Z-Wave, but for any type of frequency under one gigahertz. Now, let's exit this and show you a few other built-in functions and capabilities in RFcat, like the RFxmit, right?
[00:09:27] So you can use this to transmit specific data into the air at a specific frequency. Now, you can use this in replay attacks. And of course here, I'm actually just showing you a simple, you know, "hello", but it can be anything that you actually want to replay. And later in this lesson, I'll show you a couple of other tools that actually make your life easier with replay attacks.

[00:09:53] Now, you have many other options and functions that allow you to do things like adjusting frequency offsets, changing a channel, performing low-level debugging, and much more. Now, the discover function can be used to listen for specific sync words. The RFcapture function dumps data onto the screen, returning a list of packets. And you have many, many, many other options in here as well. So for your reference, I actually have documented several of the useful RFcat commands and other references for you at our GitHub repository.

[00:10:31] Now, there's another tool that you can actually use for packet interception and injection called Z-Attack.
[00:10:38] And I also have added a few references about this tool in the GitHub repository. Now, a very handy tool that can be used in combination with the YARD Stick One and RFcat is called RFCrack. And this is a tool created by the Console Cowboys folks that actually allows you to perform replay attacks at any frequency below one gigahertz. And again, this is not only for Z-Wave, but anything that operates at those frequencies. You can also send saved payloads, perform jamming attacks, scan incrementally through specific frequencies, and much more.

[00:11:18] Now, here I'm showing the scanning capabilities, and you can see the different frequencies that it is actually scanning, and then, of course, the frames from adjacent devices that it is actually picking up. Now, you can also perform live replay attacks, and it's actually pretty powerful. And you do this by using the -i option, as I'm actually showing in this screen. You can even save the packet to a file for future replays.
[00:11:47] Now, in this lesson, I covered Z-Wave security, but I also gave you a few pointers on tools and devices that you can play with to perform research on this evolving world of RF and IoT devices.